Prevent tracking via TLS session

Suggestions and feature requests for the Pale Moon browser
Paleist
Hobby Astronomer
Posts: 21
Joined: 2017-08-23, 09:44

Prevent tracking via TLS session

Post by Paleist » 2018-10-20, 15:16

You can track users with the TLS session ID, session ticket or pre-shared key when the tracker (like Google) is loaded on several sites you connect to with TLS. This is done with session resumption. It seems Google as well as Facebook are already using this.
See https://arxiv.org/pdf/1810.07304.pdf

It's easy to disable said resumption by creating

security.ssl.disable_session_identifiers

and setting it to true.

I suggest making this standard in Pale Moon. The worst that can happen is a site supporting resumption loads slightly slower.

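What the tracker's server actually sees, as an added example that is not part of this thread, the cited paper, or Pale Moon/NSS code: a resuming browser puts the same opaque identifier (session ID, session ticket, or a TLS 1.3 PSK identity) into its ClientHello no matter which first-party page embedded the tracker, so the server can key visits on it. The record layout follows RFC 5246 / RFC 5077 / RFC 8446; the sample hellos, site names and ticket bytes below are constructed here, not captured from any browser, and the hashing/correlation functions are this example's own, not anything the paper or Pale Moon ships.

```python
"""Extract resumption identifiers from a TLS ClientHello and show how a third-party
server could link visits across first-party sites on them.  Added example; the
hellos are constructed in-process, not captured."""
import hashlib
import struct

SESSION_TICKET_EXT = 35   # RFC 5077 session_ticket extension (TLS 1.2 resumption)
PRE_SHARED_KEY_EXT = 41   # RFC 8446 pre_shared_key extension (TLS 1.3 resumption)


def build_client_hello(session_id=b"", ticket=None, psk_identity=None):
    """Build a minimal ClientHello record (TLS 1.2 framing) carrying the given identifiers.
    session_id:   legacy session ID (32 bytes when resuming, empty when not)
    ticket:       session_ticket body; b"" only asks for a ticket, non-empty resumes one
    psk_identity: first identity of a TLS 1.3 pre_shared_key extension (a 1.3 ticket)"""
    body = b"\x03\x03" + bytes(32)                       # client_version + random (zeroed: sample data)
    body += bytes([len(session_id)]) + session_id
    body += b"\x00\x02\xc0\x2f"                          # one cipher suite
    body += b"\x01\x00"                                  # null compression only
    exts = b""
    if ticket is not None:
        exts += struct.pack("!HH", SESSION_TICKET_EXT, len(ticket)) + ticket
    if psk_identity is not None:                         # pre_shared_key must be the last extension
        ident = struct.pack("!H", len(psk_identity)) + psk_identity + bytes(4)  # + obfuscated_ticket_age
        binder = b"\x20" + bytes(32)                     # one dummy 32-byte binder (not verified here)
        data = struct.pack("!H", len(ident)) + ident + struct.pack("!H", len(binder)) + binder
        exts += struct.pack("!HH", PRE_SHARED_KEY_EXT, len(data)) + data
    body += struct.pack("!H", len(exts)) + exts
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello(record):
    """Return the resumption identifiers present in a ClientHello record."""
    if record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 2 + 32                                         # skip client_version and random
    sid_len = body[pos]
    session_id = body[pos + 1:pos + 1 + sid_len]
    pos += 1 + sid_len
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # skip cipher_suites
    pos += 1 + body[pos]                                    # skip compression_methods
    found = {"session_id": session_id, "ticket": None, "psk_identity": None}
    if pos + 2 <= len(body):                             # extensions block is optional
        end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            edata = body[pos + 4:pos + 4 + elen]
            pos += 4 + elen
            if etype == SESSION_TICKET_EXT:
                found["ticket"] = edata
            elif etype == PRE_SHARED_KEY_EXT:
                id_len = struct.unpack("!H", edata[2:4])[0]   # skip identities length, read first identity
                found["psk_identity"] = edata[4:4 + id_len]
    return found


def tracking_key(record):
    """Identifier a tracker could key on, or None when the hello is fresh.
    An empty session_ticket extension only requests a ticket and identifies nothing."""
    found = parse_client_hello(record)
    for name in ("psk_identity", "ticket", "session_id"):
        if found[name]:
            return name, hashlib.sha256(found[name]).hexdigest()[:16]
    return None


def correlate(visits):
    """visits: (first-party site that embedded the tracker, ClientHello the browser sent to
    the tracker).  Returns identifier -> set of sites it was seen from."""
    linked = {}
    for site, record in visits:
        key = tracking_key(record)
        if key is not None:
            linked.setdefault(key[1], set()).add(site)
    return linked


if __name__ == "__main__":
    ticket = b"\x00" * 16 + b"opaque-ticket-issued-by-tracker"   # constructed sample ticket
    resuming = [("news.example", build_client_hello(ticket=ticket)),
                ("shop.example", build_client_hello(ticket=ticket))]
    fresh = [("news.example", build_client_hello()), ("shop.example", build_client_hello())]
    print("resuming browser :", correlate(resuming))   # one key seen from both sites -> linked
    print("identifiers off  :", correlate(fresh))      # {} -> nothing to link on
```

With resumption on, both visits carry the same ticket and end up under one key; with session identifiers disabled the hellos carry an empty session ID and no ticket, so the server has nothing at this layer to join them on. This is the TLS layer only: cookies, IP address and fingerprinting are unaffected by the pref.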
fatboy
Lunatic
Posts: 307
Joined: 2017-12-19, 08:03

Re: Prevent tracking via TLS session

Post by fatboy » 2018-10-20, 19:32

How does one create this entry in about:config?
Systemd Free - MX Linux & Artix Linux

gepus
Astronaut
Posts: 569
Joined: 2017-12-14, 12:59

Re: Prevent tracking via TLS session

Post by gepus » 2018-10-20, 21:57

Right-click and create a New Boolean:
name: security.ssl.disable_session_identifiers
value: true

Moonchild
Pale Moon guru
Posts: 29675
Joined: 2011-08-28, 17:27
Location: Tranås, SE

Re: Prevent tracking via TLS session

Post by Moonchild » 2018-10-21, 11:15

FTR: re-establishing new sessions every time is not efficient use of the TLS protocol. Sessions, session tickets and session resumption have been created as part of the standard for good reason.
"Son, in life you do not fight battles because you expect to win, you fight them merely because they need to be fought." -- Snagglepuss

laozi

Re: Prevent tracking via TLS session

Post by laozi » 2018-10-21, 12:09

In the end, is the solution proposed by @Paleist:
- effective?
- useful?
- recommended?
- harmless to create in about:config?
Thank you for enlightening me.

Paleist
Hobby Astronomer
Posts: 21
Joined: 2017-08-23, 09:44

Re: Prevent tracking via TLS session

Post by Paleist » 2018-10-21, 12:26

I know it was made part of the standard for a reason, but the problem is that it can and does get abused for tracking.

Getting rid of TLS session identifiers as a solution blocks this tracking method in a quite simple but very effective way at the cost of a marginal loss of speed. I use that entry and barely noticed any difference.

Moonchild
Pale Moon guru
Posts: 29675
Joined: 2011-08-28, 17:27
Location: Tranås, SE

Re: Prevent tracking via TLS session

Post by Moonchild » 2018-10-21, 13:42

Good for you!

Whether it should be made default is a whole different question, though. People on slow wireless connections will most definitely notice this more than just marginally. Should we impact all those users because a small percentage of our users is so worried about this (one of many) ways you can potentially be tracked more accurately in public spaces, that they want this? Probably not!

gepus
Astronaut
Posts: 569
Joined: 2017-12-14, 12:59

Re: Prevent tracking via TLS session

Post by gepus » 2018-10-21, 14:02

Paleist wrote: ... at the cost of a marginal loss of speed. I use that entry and barely noticed any difference.
How much does it take on a fast connection to download 1-5kb of certificates?
Add to the above the time a TLS handshake needs. That's it. :)
I was using that hidden pref with Firefox a long time before making the switch to Pale Moon and never noticed the delay.

However: Useful or not - IMHO it's not the job of Moonchild to "cripple standards" by setting this pref to true.

Moonchild
Pale Moon guru
Posts: 29675
Joined: 2011-08-28, 17:27
Location: Tranås, SE

Re: Prevent tracking via TLS session

Post by Moonchild » 2018-10-21, 17:02

gepus wrote: How much does it take on a fast connection to download 1-5kb of certificates?
Add to the above the time a TLS handshake needs. That's it. :)
That's it... every time you request something over https that is no longer a keepalive. Every. Single. Time. ;)
Sure, on a fast connection you may not notice much of it (although even there you might), but you're talking latency more than throughput there.

laozi

Re: Prevent tracking via TLS session

Post by laozi » 2018-10-21, 18:57

On my computer, which is a few years old (9 years old, Intel Core Duo E7400 2.8 GHz, 4 GB RAM, Win7 32-bit), I applied the modification recommended by @Paleist* (added in about:config).
Result: no slowdown noted.
So a little more security is always good to take ;)
* thanks to him

yami_
Astronaut
Posts: 506
Joined: 2018-04-26, 11:05

Re: Prevent tracking via TLS session

Post by yami_ » 2018-10-21, 19:33

Privacy is not security.
cat came back from Berkeley waving flags -- rob pike

Moonchild
Pale Moon guru
Posts: 29675
Joined: 2011-08-28, 17:27
Location: Tranås, SE

Re: Prevent tracking via TLS session

Post by Moonchild » 2018-10-22, 05:16

yami_ wrote:Privacy is not security.
In fact you're likely trading one for the other, here. I can see rapid-fire handshakes being abusable by a MitM.

Paleist
Hobby Astronomer
Posts: 21
Joined: 2017-08-23, 09:44

Re: Prevent tracking via TLS session

Post by Paleist » 2018-11-17, 09:41

Oh, I see. So it wasn't a bug, it was intentionally inserted as a backdoor. Well, that certainly makes it a lot worse.

I went through the article and found these entries:

security.ssl.disable_session_identifiers (hidden feature)
security.ssl.enable_false_start
security.tls.enable_0rtt_data
privacy.firstparty.isolate

First is the one I already mentioned that gets rid of the various session identifiers. No change here.
False start is enabled in Pale Moon so I disabled it.
0rtt_data is disabled by default in Pale Moon, no change here.

Now

privacy.firstparty.isolate

doesn't exist. Can I add it just like with the session identifiers or does Pale Moon not support that? It seems to be the least important and can break websites, but I'd like to check what happens anyway.

And, now that we know it's not a bug but a feature (everyone just loves backdoors in encryption), I once again suggest making not only mine but the first three settings standard in Pale Moon. Well, the third one already is, so that's a good start.

Moonchild
Pale Moon guru
Posts: 29675
Joined: 2011-08-28, 17:27
Location: Tranås, SE

Re: Prevent tracking via TLS session

Post by Moonchild » 2018-11-17, 10:39

Please see my explanation of the options in the OTHER thread where this is discussed.
And no, it's not a backdoor, it is in fact a feature, no matter what the scaremongers say.

gepus
Astronaut
Posts: 569
Joined: 2017-12-14, 12:59

Re: Prevent tracking via TLS session

Post by gepus » 2018-11-17, 12:21

Paleist wrote: Now

privacy.firstparty.isolate

doesn't exist. Can I add it just like with the session identifiers or does Pale Moon not support that?
See here JustOff's comment.

Sampei Nihira
Banned user
Posts: 96
Joined: 2018-04-03, 16:17

Re: Prevent tracking via TLS session

Post by Sampei Nihira » 2018-11-17, 15:08

It is OK when the value corresponding to the arrow is "NO":

(screenshot of the SSL Labs client test)

https://www.ssllabs.com/ssltest/viewMyClient.html

Note that I have also eliminated the insecure cipher suites.

Paleist
Hobby Astronomer
Posts: 21
Joined: 2017-08-23, 09:44

Re: Prevent tracking via TLS session

Post by Paleist » 2018-11-17, 15:43

Sampei Nihira wrote: It is OK when the value corresponding to the arrow is "NO":

(screenshot of the SSL Labs client test)

https://www.ssllabs.com/ssltest/viewMyClient.html

Note that I have also eliminated the insecure cipher suites.
That's exactly how it looks for me. :thumbup:

Paleist
Hobby Astronomer
Posts: 21
Joined: 2017-08-23, 09:44

Re: Prevent tracking via TLS session

Post by Paleist » 2018-11-17, 15:46

gepus wrote:
Paleist wrote: Now

privacy.firstparty.isolate

doesn't exist. Can I add it just like with the session identifiers or does Pale Moon not support that?
See here JustOff's comment.
Yup, I saw, so it doesn't work. Well, the other three are the really important ones.
