Prevent tracking via TLS session

Paleist

Prevent tracking via TLS session

Unread post by Paleist » 2018-10-20, 15:16

You can track users with the TLS session ID, session ticket or pre-shared key, when the tracker (like google) is loaded on a several sites you connect to with TLS. This is done with session resumption. It seems google as well as Facebook are already using this.
See https://arxiv.org/pdf/1810.07304.pdf

It's easy to disable said resumption by creating

    security.ssl.disable_session_identifiers

and setting it to true.

I suggest making this standard in Pale Moon. The worst that can happen is a site supporting resumption loads slightly slower.

fatboy
Astronaut
Posts: 556
Joined: 2017-12-19, 08:03
Location: Canada

Re: Prevent tracking via TLS session

Unread post by fatboy » 2018-10-20, 19:32

How does one create this entry in about:config?
Systemd Free - MX Linux, Antix Linux & Artix Linux

gepus
Keeps coming back
Posts: 938
Joined: 2017-12-14, 12:59

Re: Prevent tracking via TLS session

Unread post by gepus » 2018-10-20, 21:57

Right-click and create a New Boolean:
name: security.ssl.disable_session_identifiers
value: true

Sampei Nihira

Re: Prevent tracking via TLS session

Unread post by Sampei Nihira » 2018-10-21, 10:30


Moonchild
Pale Moon guru
Posts: 35476
Joined: 2011-08-28, 17:27
Location: Motala, SE
Contact:

Re: Prevent tracking via TLS session

Unread post by Moonchild » 2018-10-21, 11:15

FTR: re-establishing new sessions every time is not efficient use of the TLS protocol. Sessions, session tickets and session resumption have been created as part of the standard for good reason.
"Sometimes, the best way to get what you want is to be a good person." -- Louis Rossmann
"Seek wisdom, not knowledge. Knowledge is of the past; wisdom is of the future." -- Native American proverb
"Linux makes everything difficult." -- Lyceus Anubite

laozi

Re: Prevent tracking via TLS session

Unread post by laozi » 2018-10-21, 12:09

In the end, is the solution proposed by @Paleist:
- effective?
- useful?
- recommended?
- harmless to add in about:config?
Thank you for your insight.

Paleist

Re: Prevent tracking via TLS session

Unread post by Paleist » 2018-10-21, 12:26

I know it was made part of the standard for a reason, but the problem is that it can and does get abused for tracking.

Getting rid of TLS session identifiers as a solution blocks this tracking method in a quite simple but very effective way at the cost of a marginal loss of speed. I use that entry and barely noticed any difference.

Moonchild
Pale Moon guru
Posts: 35476
Joined: 2011-08-28, 17:27
Location: Motala, SE
Contact:

Re: Prevent tracking via TLS session

Unread post by Moonchild » 2018-10-21, 13:42

Good for you!

Whether it should be made default is a whole different question, though. People on slow wireless connections will most definitely notice this more than just marginally. Should we impact all those users because a small percentage of our users is so worried about this (one of many) ways you can potentially be tracked more accurately in public spaces, that they want this? Probably not!

gepus
Keeps coming back
Posts: 938
Joined: 2017-12-14, 12:59

Re: Prevent tracking via TLS session

Unread post by gepus » 2018-10-21, 14:02

Paleist wrote: ... at the cost of a marginal loss of speed. I use that entry and barely noticed any difference.
How much does it take on a fast connection to download 1-5kb of certificates?
Add to the above the time a TLS handshake needs. That's it. :)
I was using that hidden pref with Firefox long time before making the switch to Pale Moon and never noticed the delay.

However: Useful or not - IMHO it's not the job of Moonchild to "cripple standards" by setting this pref to true.

Moonchild
Pale Moon guru
Posts: 35476
Joined: 2011-08-28, 17:27
Location: Motala, SE
Contact:

Re: Prevent tracking via TLS session

Unread post by Moonchild » 2018-10-21, 17:02

gepus wrote:How much does it take on a fast connection to download 1-5kb of certificates?
Add to the above the time a TLS handshake needs. That's it. :)
That's it.... every time you request something over https that is no longer a keepalive. Every. Single. Time. ;)
Sure, on a fast connection you may not notice much of it (although even there you might) but you're talking latency more than throughput there.

laozi

Re: Prevent tracking via TLS session

Unread post by laozi » 2018-10-21, 18:57

On my computer, which is a few years old (9 years old, Intel Core Duo E7400 2.8 GHz, 4 GB RAM, Win7 32-bit), I applied the modification recommended by @Paleist* (added in about:config).
Result: no slowdown noted,
so a little more security is always good to take ;)
* thanks to him
Last edited by laozi on 2018-10-21, 18:58, edited 1 time in total.

yami_

Re: Prevent tracking via TLS session

Unread post by yami_ » 2018-10-21, 19:33

Privacy is not security.

Moonchild
Pale Moon guru
Posts: 35476
Joined: 2011-08-28, 17:27
Location: Motala, SE
Contact:

Re: Prevent tracking via TLS session

Unread post by Moonchild » 2018-10-22, 05:16

yami_ wrote:Privacy is not security.
In fact you're likely trading one for the other, here. I can see rapid-fire handshakes being abusable by a MitM


Paleist

Re: Prevent tracking via TLS session

Unread post by Paleist » 2018-11-17, 09:41

Oh, I see. So it wasn't a bug, it was intentionally inserted as a backdoor. Well, that certainly makes it a lot worse.

I went through the article and found these entries:

    security.ssl.disable_session_identifiers (hidden feature)
    security.ssl.enable_false_start
    security.tls.enable_0rtt_data
    privacy.firstparty.isolate

The first is the one I already mentioned that gets rid of the various session identifiers. No change here.
False start is enabled in Pale Moon so I disabled it.
0rtt_data is disabled by default in Pale Moon, no change here.

Now

    privacy.firstparty.isolate

doesn't exist. Can I add it just like with the session identifiers or does Pale Moon not support that? It seems to be the least important and can break websites, but I'd like to check what happens anyway.

And, now that we know it's not a bug but a feature (everyone just loves backdoors in encryption), I once again suggest making not only mine but the first three settings standard in Pale Moon. Well, the third one already is, so that's a good start.
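Since the three prefs above are plain user_pref() lines in a profile's prefs.js or user.js, a small audit script can report whether a profile actually carries the values Paleist recommends. This is an added example, not code from the thread or from Pale Moon; the pref names and the assumed defaults (false start on, 0-RTT off, session identifiers not disabled) are taken from what the thread states, and the sample file is constructed.

```python
import re

# Values Paleist recommends in the thread for the three TLS-related prefs.
HARDENED = {
    "security.ssl.disable_session_identifiers": True,
    "security.ssl.enable_false_start": False,
    "security.tls.enable_0rtt_data": False,
}

# Assumed Pale Moon defaults when a pref is absent, as described in the thread.
DEFAULTS = {
    "security.ssl.disable_session_identifiers": False,
    "security.ssl.enable_false_start": True,
    "security.tls.enable_0rtt_data": False,
}

# Matches user_pref("name", value); and pref("name", value); with a bool,
# integer or quoted-string value. Trailing comments are ignored by match().
PREF_RE = re.compile(
    r'^\s*(?:user_)?pref\("([^"]+)",\s*(true|false|-?\d+|"(?:[^"\\]|\\.)*")\);')

def parse_prefs(text):
    """Parse user.js / prefs.js text into {name: value}; the last assignment wins."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if not m:
            continue  # comments, blank lines and unrelated syntax
        name, raw = m.groups()
        if raw in ("true", "false"):
            prefs[name] = raw == "true"
        elif raw.startswith('"'):
            prefs[name] = raw[1:-1]
        else:
            prefs[name] = int(raw)
    return prefs

def audit(text):
    """Return {pref: (effective_value, matches_recommended)} for the thread's prefs."""
    prefs = parse_prefs(text)
    return {name: (prefs.get(name, DEFAULTS[name]),
                   prefs.get(name, DEFAULTS[name]) == wanted)
            for name, wanted in HARDENED.items()}

# Constructed sample user.js: session identifiers disabled, false start left on.
SAMPLE = """\
// constructed sample profile
user_pref("security.ssl.disable_session_identifiers", true);
user_pref("security.ssl.enable_false_start", true); // still enabled
user_pref("network.http.accept-encoding", "gzip, deflate");
"""

if __name__ == "__main__":
    for name, (value, ok) in audit(SAMPLE).items():
        print(f"{'OK  ' if ok else 'WARN'} {name} = {value}")
```

Point the script at a real profile by reading its user.js into `audit()` instead of `SAMPLE`; a WARN line means the pref is either absent (so the assumed default applies) or set to the value the thread argues against.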

Moonchild
Pale Moon guru
Posts: 35476
Joined: 2011-08-28, 17:27
Location: Motala, SE
Contact:

Re: Prevent tracking via TLS session

Unread post by Moonchild » 2018-11-17, 10:39

Please see my explanation of the options in the OTHER thread where this is discussed.
And no, it's not a backdoor, it is in fact a feature, no matter what the scaremongers say.

gepus
Keeps coming back
Posts: 938
Joined: 2017-12-14, 12:59

Re: Prevent tracking via TLS session

Unread post by gepus » 2018-11-17, 12:21

Paleist wrote: Now

    privacy.firstparty.isolate

doesn't exist. Can I add it just like with the session identifiers or does Pale Moon not support that?
See here JustOff's comment.

Sampei Nihira

Re: Prevent tracking via TLS session

Unread post by Sampei Nihira » 2018-11-17, 15:08

It is OK when the value corresponding to the arrow is "NO":

[image]

https://www.ssllabs.com/ssltest/viewMyClient.html

Note that I have also eliminated the insecure cipher suites.
Last edited by Sampei Nihira on 2018-11-17, 15:10, edited 2 times in total.

Paleist

Re: Prevent tracking via TLS session

Unread post by Paleist » 2018-11-17, 15:43

Sampei Nihira wrote:It is OK when the value corresponding to the arrow is "NO":

[image]

https://www.ssllabs.com/ssltest/viewMyClient.html

Note that I have also eliminated the insecure cipher suites.
That's exactly how it looks for me. :thumbup:

Paleist

Re: Prevent tracking via TLS session

Unread post by Paleist » 2018-11-17, 15:46

gepus wrote:
Paleist wrote: Now

    privacy.firstparty.isolate

doesn't exist. Can I add it just like with the session identifiers or does Pale Moon not support that?
See here JustOff's comment.
Yup, I saw, so it doesn't work. Well, the other three are the really important ones.
