[clear-site-data] User Tracking via TLS Session Resumption

Hello WebAppSec Team,

I am sure folks have seen the discussion around the paper "Tracking Users
across the Web via TLS Session Resumption" by researchers at the University
of Hamburg:

https://svs.informatik.uni-hamburg.de/publications/2018/2018-12-06-Sy-ACSAC-Tracking_Users_across_the_Web_via_TLS_Session_Resumption.pdf

...where they describe ways users might be tracked by a TLS session ID or
ticket (TLS 1.2) or by pre-shared keys (TLS 1.3).

Just want to confirm my understanding... if one were worried about the risk
of user tracking via TLS session resumption as described in the Hamburg
paper, that risk would be mitigated in browsers that support the
Clear-Site-Data header by sending the header:

Clear-Site-Data: "cache"

...correct?

-- 
Caleb Queern

Received on Thursday, 25 October 2018 14:58:26 UTC
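An added example, not part of Caleb's message or of the Hamburg paper: a small Python parser that applies the Clear-Site-Data header's list-of-quoted-strings syntax, the check a site operator would want before relying on the header, since an unquoted value such as `Clear-Site-Data: cache` matches no directive and is ignored. The type names come from the Clear-Site-Data spec; the code makes no claim about whether "cache" covers TLS session state.

```python
import re

# Data types defined by the Clear-Site-Data spec; "*" selects all of them.
KNOWN_TYPES = frozenset({"cache", "cookies", "storage", "executionContexts"})

# One list member must be an RFC 7230 quoted-string. The defined type names
# contain no characters that need escaping, so quoted-pairs are not handled.
_QUOTED_STRING = re.compile(r'"([^"\\]*)"')


def _members(header_value: str) -> list[str]:
    """Split a 1#quoted-string header value into its non-empty members."""
    return [m.strip() for m in header_value.split(",") if m.strip()]


def parse_clear_site_data(header_value: str) -> set[str]:
    """Return the set of data types a browser would clear for this value.

    Unquoted members and unknown type names are ignored, as the spec
    instructs user agents to do; "*" expands to every known type.
    """
    selected: set[str] = set()
    for member in _members(header_value):
        match = _QUOTED_STRING.fullmatch(member)
        if match is None:
            continue  # unquoted or malformed member: nothing is cleared for it
        value = match.group(1)
        if value == "*":
            selected |= KNOWN_TYPES
        elif value in KNOWN_TYPES:
            selected.add(value)
    return selected


def lint_clear_site_data(header_value: str) -> list[str]:
    """List members a browser would silently ignore (constructed lint helper)."""
    warnings = []
    for member in _members(header_value):
        match = _QUOTED_STRING.fullmatch(member)
        if match is None:
            warnings.append(f"{member!r} is not a quoted-string and will be ignored")
        elif match.group(1) != "*" and match.group(1) not in KNOWN_TYPES:
            warnings.append(f"{match.group(1)!r} is not a known data type")
    return warnings


if __name__ == "__main__":
    # Constructed header values: the one from the message and a common mistake.
    for value in ('"cache"', "cache", '"cache", "cookies"', '"*"'):
        print(f"{value!r:25} -> clears {sorted(parse_clear_site_data(value))}",
              lint_clear_site_data(value))
```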