6
  1. Do browsers save TLS 1.3 session tickets on the disk to resume a TLS session after the browser process has been killed and restarted?
  2. Are there any glaring security risks of caching TLS 1.3 session tickets on the client side? I believe the session tickets are encrypted with a private key only known to the server.
  3. If someone gets hold of session tickets cached on disk, can they impersonate you while connecting to a server?

From some reading over the internet, my understanding is that session tickets are only cached in memory and deleted after the browser process is killed; but a lot of these posts were pre-TLS 1.3, so I am looking for an updated answer.

Improve this question
10
  • I highly, highly doubt Tor does- or at least not by default. As for the others- I’d guess yes for default but not entirely sure…
    – security_paranoid
    Commented Jun 20 at 10:46
  • HTTP session IDs are stored in cookies which are definitely stored on the disk, in the browser's user data folder. But are TLS session tickets stored on disk too? Or do they only live in memory and deleted once the browser process is killed, meaning that the next connection to a server xyz.com will have to be a full handshake when the browser is restarted
    – vibhav950
    Commented Jun 20 at 11:01
  • If an attacker were to somehow snag the TLS session ticket from the client, he would still need the ephemeral key material created by the client and the server during the original TLS handshake, in order to resume the TLS session. Even then, he would still not have the HTTP session ID, which is typically used to identify the client to the server at the application level.
    – mti2935
    Commented Jun 20 at 11:19
  • @mti2935, It would be pointless for the browser to save the TLS ticket on disk, without saving the associated shared secret as well.
    – ysdx
    Commented Jun 20 at 11:34
  • @mti2935, "he would still not have the HTTP session ID" No we would not. The attacker might be able to to MITM attacks such as: 1) passive decryption (for TLS 1.2), including after thefact decryption (lack of forward secrecy in this case) ; 2) active MITM.
    – ysdx
    Commented Jun 20 at 11:36

1 Answer 1

Reset to default
3

How and where the client stores the TLS session ticket is not critical, as TLS session tickets are generally not secrets. As explained in section 3.1 of RFC 5077:

When the client wishes to resume the session, it includes the ticket in the SessionTicket extension within the ClientHello message.

With the ClientHello message often sent in the clear, any information sent in the ClientHello message (including the session ticket) would be trivial for an eavesdropper on the network to pick-off, without the attacker even having to compromise the client device.

However, the session ticket alone is of little use to the attacker, without the ephemeral key material created by the client and the server during the original TLS handshake; as this key material would be needed in order to resume the session associated with the ticket.

Improve this answer

You must log in to answer this question.

Not the answer you're looking for? Browse other questions tagged .