Memories of Not the Nine O'Clock News.
You like HTTPS. We like HTTPS. Except when a quirk of TLS can smash someone's web privacy
Transport Layer Security underpins much of the modern internet. It is the foundation of secure connections to HTTPS websites, for one thing. However, it can harbor a sting in its tail for those concerned about staying anonymous online. Privacy advocates have long warned about the risks posed by various forms of web tracking. …
COMMENTS
-
-
-
Friday 19th October 2018 09:48 GMT Charlie Clark
Re: OMG
As it ran on BBC 2 and was after the yet-to-be-to-introduced watershed it wasn't that much of a problem. Also, the BBC didn't have any censors just directors and they were famously easy to hoodwink: The Goon Show contains lots of military terms that would turn your ears blue! Basically, things were likely to get through if there weren't too explicit but you had to step lightly around blasphemy after Mary Whitehouse stopped the law being repealed in order to go after The Life of Brian. The American Express sketch with Pamela Stephenson was, to my mind, far more blatant and shocking than a pun on cunnilingus.
-
-
-
-
Friday 19th October 2018 17:17 GMT chasil
Webview
Android is the most popular computing platform, and it offers "Webview," which had previously been based on Apple Webkit/KDE Konqueror KHTML, but was forked and diverted by Google beginning with Android Lollipop.
Any application can call Webview to render remote or local HTML. There are dozens of browsers that do this in differing ways, and likely hundreds or thousands of apps that do this for specific uses that are not part of their core function.
Windows also does something similar with the historical "Trident" rendering engine, but is now done with EdgeHTML on Windows 10.
-
-
Friday 19th October 2018 10:02 GMT alain williams
Is there a Firefox setting for this ?
I tried looking in about:config and searched for TLS, but nothing seems relevant.
A 10 minute timeout seems more than generous, the real value is in saving lots of TLS packet round trips when many connections are made in rendering one page (lots of images, etc). One extra round trip every few minutes will likely not be noticed.
The need for this will be reduced with HTTP2 since one HTTP2 TCP connection can be used to download several files at the same time by in different streams (AKA multiplex).
-
Friday 19th October 2018 13:18 GMT Spazturtle
Re: Is there a Firefox setting for this ?
"I tried looking in about:config and searched for TLS, but nothing seems relevant."
You need to create the preference yourself, create a new boolean called "security.ssl.disable_session_identifiers" and set it to true.
The exact same security issue that the researchers in this article 'discovered' was actually discovered by Tor 5 years ago.
-
Sunday 21st October 2018 17:47 GMT Dan 55
Re: Is there a Firefox setting for this ?
You can check what your browser will support here.
Some other useful settings for about:config:
security.ssl3.rsa_aes_128_sha;false
security.ssl3.rsa_aes_256_sha;false
security.ssl3.rsa_des_ede3_sha;false
security.tls.version.max;4 # TLS 1.3
security.tls.version.min;3 # TLS 1.2
-
Tuesday 23rd October 2018 18:58 GMT Michael Wojcik
Re: Is there a Firefox setting for this ?
The exact same security issue that the researchers in this article 'discovered' was actually discovered by Tor 5 years ago.
It is odd that the paper claims "To the best of our knowledge, we are the first that investigate the applicability of TLS session resumption for user tracking". I was just reading Ristic's Bulletproof SSL the other day, and he mentions the privacy implications of TLS session tickets two or three times. It should be pretty obvious to anyone who studies IT privacy issues.
The paper seems to have some solid, if unsurprising, work, but the claims in the abstract are a little broad.
-
-
-
Friday 19th October 2018 22:48 GMT a_yank_lurker
@Wolfclaw - To me security is relative and never perfect as there has to be some compromises in any useful system. The key is be careful enough to be significantly harder to attack than most. Being difficult to attack and not being major target means you are not worth the effort. That is where I want to be. It also means situational awareness, like not doing online banking on a phone or other very portable device. Using wired connections for online shopping and banking. It is harder to attack a wired connection than a wireless one, not impossible, just a lot harder.
-
-
-
-
-
Sunday 21st October 2018 17:08 GMT Dan 55
Re: This is why I set Firefox to clear cache, etc... on close
Making sure that active logins is ticked when you clear recent history (desktop)/private data (mobile) will do it, if you then go to a site which pops up a certificate alert (self-signed, expired, or whatever) then you'll have to re-confirm.
-
-
-
-
Wednesday 24th October 2018 09:41 GMT pavel.petrman
Re: Wait, wut?
Yes, why not get a free Kudos where you can. The rationale, as I see it, is tat Microsoft is very weak at its "invisibile"* Internet presence, so they can't harm themselves by offering a bit of an advantage to users of their browser.
*By invisible Internet presence I mean all the Google Analytics/Fonts/APIs, Facebook like buttons etc, which are virtually or logically invisible to ordinary users, but do the bulk of user/browser tracking.
-
-
-
Saturday 20th October 2018 07:09 GMT HelpfulJohn
"
I still have never understood why browsers were designed to identify themselves [ or their individual users ] in the first place.
When you buy petrol, the pump doesn't identify your car."
The pump doesn't need to know which car is been filled as all tanks and all petrol are identical on the human scale, more or less. All it need know is whether a full point has been reached and that is easy to test for. If you half-fill, go to a different garage, complete the filling-up the second pump uses an identical sensory technique to stop pouring in petrol. Neither pump knows nor cares where the petrol in your tank came from nor even if it is petrol. All they do is sense completeness and pour until they do.
Computer files, for example a web-page showing your bank account's latest actions, are not like that. Each is different and each is being supplied to a different computer.at your end. You don't want half of your bank's web page to end up on my machine and half on yours or half of the page shown to be part of a file download in Hungarian so every transaction between Out-There and your phone or PC needs to be tracked until it is completed.
If you have a method of making sure your track a connection for as long as it takes to download a page or to complete a session looking at YouTube videos then that can be used to track you forever.
All it takes is a clever programmer and the will.
For the Web, or even email, Usenet or FTP sessions to be in anyway useful, computers have to tell each other who they are while they talk to each other. If they don't, they can't.
Does that help?
-
Sunday 21st October 2018 06:24 GMT bazza
Pretty sure that ANPR is in use in at least some petrol stations to alert the operators if a known non-payer has just pulled up to a pump. They can then insist that they pay for the petrol up front, before they activate the pummp.
What would be even nicer is if they'd use it for payment. If your reg was associated with an account, simply pump and drive off! They don't want that though, they want you to have to go into the shop, tempt you with added extras.
-
Tuesday 23rd October 2018 18:54 GMT Michael Wojcik
I still have never understood why browsers were designed to identify themselves [ or their individual users ] in the first place.
Efficiency.
When you visit a website which has sensitive information, would you like to authenticate yourself for every request? Note that HTTP conversations may terminate at any time (prior to HTTP/1.1, there wasn't even a standard mechanism for them to last longer than one request-response exchange), and a series of requests from a single browser may be handled by multiple servers with no shared ephemeral state.
Similarly, TLS session resumption exists to avoid the overhead of TLS negotiation on each connection request. You can get by without it - many TLS clients and servers (though usually not general-purpose web browsers and servers) do so - but it significantly affects performance, which users don't like, and resource consumption on the server, which server owners don't like.
Now, you may argue that a great many sites use client-identification mechanisms for no good reason. I'm sympathetic to that argument myself. But that ship has sailed.
-
-
Saturday 20th October 2018 05:19 GMT Anonymous Coward
Privacy
What if the details that we are most worried about identifying us aren’t needed to identify us at all?
What if my browsing habits, my Netflix preferences and my online supermarket shopping is enough to identify me as sad, fat, balding middle aged man and the street I live on? They might not know my actual name (I’d have to use Social media for that...) but whether I’m a name or a number doesn’t matter much to “them”...
-
Sunday 21st October 2018 04:32 GMT Ole Juul
Re: Privacy
"What if the details that we are most worried about identifying us aren’t needed to identify us at all?"
I believe that is generally the case. You can identify me by my birth name, my Social Security Number, or my browsing footprint. From a privacy point of view, it really doesn't matter what you call me.
-
Sunday 21st October 2018 11:30 GMT Anonymous Coward
Re: Privacy
So if it's not a problem for you then it cannot be a problem for anyone else, right? Try to think of china's great firewall as a mass attack on individuals' free speech, because that's what it is. Think of how women in Iraq and Yemen are often not allowed to go to school let alone have their own property, they'd like the freedom promised by internet evangelists but cannot count on anonymity. People like us techies who have the ability to help a little bit must do so because to not do would make us complicit.
I'm going to mark your post down for being so selfish.
-
Monday 22nd October 2018 02:09 GMT Anonymous Coward
Re: Privacy
“So if it's not a problem for you then it cannot be a problem for anyone else, right?
...
I'm going to mark your post down for being so selfish.”
I realise I’m being selfish, but I’ll try again...surely you can’t miss the point twice?
What if the methods we currently use to provide privacy are ineffective and our usage habits can identify us without the need to know details?
I.e the sites you visit, the quantity of traffic from each site and length of time spent on each one is sufficient to determine you need closer surveillance. Not spending the requisite 8 hours a day watching cat videos? Looks suspicious....
-
-
-
Saturday 20th October 2018 21:16 GMT david 12
Follow the money.
Your browser needs to authenticate for private-key encryption to work. Private-key-encryption needs to work to lock out advertisement-replacement. Private key negotiation is an (expensive) compute-intensive operation for major advertisers like google. User-identification and classification is a major revenew driver for advertising companies like google. Major advertising companies like google drive browser development (chrome) and web standards (tls and https).
I've held out with http as long as I could: most of the http web has gone dark.
-
-
This post has been deleted by its author
-