[clear-site-data] User Tracking via TLS Session Resumption

From: Caleb Queern <cqueern@gmail.com>
Date: Thu, 25 Oct 2018 09:57:52 -0500
Message-ID: <CAEnXMMrDpCLOLmHiU86VTGrAcaMdxzVA4T5RfJ22eC7vLfWAGg@mail.gmail.com>
To: public-webappsec@w3.org

Hello WebAppSec Team,

I am sure folks have seen the discussion around the paper "Tracking Users
across the Web via TLS Session Resumption" by researchers at the University
of Hamburg:

https://svs.informatik.uni-hamburg.de/publications/2018/2018-12-06-Sy-ACSAC-Tracking_Users_across_the_Web_via_TLS_Session_Resumption.pdf

...where they describe ways users might be tracked by a TLS session ID or
ticket (TLS 1.2) or by pre-shared keys (TLS 1.3).

Just want to confirm my understanding... if one were worried about the risk
of user tracking via TLS session resumption as described in the Hamburg
paper, that risk would be mitigated in browsers that support the
Clear-Site-Data header by sending the header:

Clear-Site-Data: "cache"

...correct?

-- 
Caleb Queern
Received on Thursday, 25 October 2018 14:58:26 UTC
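As an added example (not part of the message above, and not code from the Hamburg paper), the following Go program stands up a TLS 1.3 server and client in one process using only the standard crypto/tls package and shows the primitive the tracking technique builds on: the server can tell a returning client from a first-time one because the returning client presents resumption state (the session ticket, offered as a PSK identity in TLS 1.3) that it was handed on the earlier connection, while a client that has discarded that state looks new again. The function names, the self-signed "localhost" certificate, the loopback server and the greeting it writes are all constructed for this demo. The example shows only which client-side state a mitigation would have to remove; whether the "cache" directive of Clear-Site-Data removes it is the question the message leaves open.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// Observation is each side's view of one visit; a resumed handshake is the link.
type Observation struct{ ClientResumed, ServerResumed bool }

// serveTLS13 starts a loopback TLS 1.3 server on a throwaway self-signed
// "localhost" certificate (constructed here, not a deployment cert). Each
// connection's server-side DidResume is sent on seen, then a greeting is
// written: the Go client stores a NewSessionTicket only when it next reads.
func serveTLS13(seen chan<- bool) (net.Listener, *x509.CertPool, error) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // crypto/rand.Reader does not fail
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "localhost"},
		DNSNames:     []string{"localhost"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return nil, nil, err
	}
	leaf, _ := x509.ParseCertificate(der) // der was produced just above
	roots := x509.NewCertPool()
	roots.AddCert(leaf)
	cert := tls.Certificate{Certificate: [][]byte{der}, PrivateKey: priv, Leaf: leaf}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{
		MinVersion: tls.VersionTLS13, Certificates: []tls.Certificate{cert}})
	if err != nil {
		return nil, nil, err
	}
	go func() {
		for {
			conn, err := ln.Accept()
			if err != nil {
				return
			}
			tc := conn.(*tls.Conn)
			if tc.Handshake() == nil {
				seen <- tc.ConnectionState().DidResume
				tc.Write([]byte("hello\n"))
			}
			tc.Close()
		}
	}()
	return ln, roots, nil
}

// connectOnce makes one visit: handshake, read the greeting (which also delivers
// the session ticket into cfg.ClientSessionCache), report the client's DidResume.
func connectOnce(addr string, cfg *tls.Config) (bool, error) {
	conn, err := tls.Dial("tcp", addr, cfg)
	if err != nil {
		return false, err
	}
	defer conn.Close()
	_, err = conn.Read(make([]byte, 16))
	return conn.ConnectionState().DidResume, err
}

// RunDemo makes three visits: a first visit with an empty session cache, a
// return visit by the same client (its cache now holds the ticket), and a visit
// by a client whose cache was discarded, i.e. one that cleared its TLS state.
func RunDemo() (out [3]Observation, err error) {
	seen := make(chan bool, 3)
	ln, roots, err := serveTLS13(seen)
	if err != nil {
		return out, err
	}
	defer ln.Close()
	newClient := func() *tls.Config {
		return &tls.Config{RootCAs: roots, ServerName: "localhost", MinVersion: tls.VersionTLS13,
			ClientSessionCache: tls.NewLRUClientSessionCache(4)}
	}
	returning := newClient()
	for i, cfg := range []*tls.Config{returning, returning, newClient()} {
		resumed, err := connectOnce(ln.Addr().String(), cfg)
		if err != nil {
			return out, err
		}
		out[i] = Observation{ClientResumed: resumed, ServerResumed: <-seen}
	}
	return out, nil
}

func main() {
	obs, err := RunDemo()
	fmt.Printf("first=%+v return=%+v cleared=%+v err=%v\n", obs[0], obs[1], obs[2], err)
}
```

Run it with go run: the first visit reports ClientResumed and ServerResumed both false, the return visit reports both true, and the visit from the client with a fresh ClientSessionCache reports both false again. The server needs only its own column: every resumed handshake ties that connection to the earlier one that issued the ticket, with no cookie or storage API involved, which is why the state that matters here lives in the client's TLS session cache (keyed by ServerName in Go's implementation) rather than in the HTTP cache.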