From: uazo Date: Thu, 24 Mar 2022 10:08:00 +0000 Subject: Disable TLS resumption Disable resumption feature for all HTTPS and QUIC connections; the feature could be used to track users even without cookies. Sessions are not currently saved to disk in Chromium (although there is support for it) but are long enough to constitute a privacy risk (2h for TLS 1.2 and 7 days for TLS 1.3) if user does not frequently close the browser. Since session information is not kept in the HTTP cache it is not cleared when deleting navigation data (although it is possible to clear it by selecting "passwords"). Two new user configurable flags are introduced: * kDisableTLSResumption, active by default * kLogTLSResumption, that would allow to find in logcat reused sessions in lines matching "SSL Log:" See also: * https://arxiv.org/abs/1810.07304 Original License: GPL-2.0-or-later - https://spdx.org/licenses/GPL-2.0-or-later.html License: GPL-3.0-only - https://spdx.org/licenses/GPL-3.0-only.html --- chrome/browser/about_flags.cc | 6 +++ chrome/browser/flag_descriptions.cc | 8 ++++ chrome/browser/flag_descriptions.h | 6 +++ net/base/features.cc | 8 ++++ net/base/features.h | 6 +++ net/http/http_network_session.cc | 1 + net/quic/quic_stream_factory.cc | 35 ++++++++++++++++- net/socket/ssl_client_socket_impl.cc | 59 ++++++++++++++++++++++++++++ net/socket/ssl_client_socket_impl.h | 2 + 9 files changed, 130 insertions(+), 1 deletion(-) diff --git a/chrome/browser/about_flags.cc b/chrome/browser/about_flags.cc --- a/chrome/browser/about_flags.cc +++ b/chrome/browser/about_flags.cc @@ -5635,6 +5635,12 @@ const FeatureEntry kFeatureEntries[] = { {"enable-tls13-kyber", flag_descriptions::kEnableTLS13KyberName, flag_descriptions::kEnableTLS13KyberDescription, kOsAll, FEATURE_VALUE_TYPE(net::features::kPostQuantumKyber)}, + {"disable-tls-resumption", flag_descriptions::kDisableTLSResumptionName, + flag_descriptions::kDisableTLSResumptionDescription, kOsAll, + FEATURE_VALUE_TYPE(net::features::kDisableTLSResumption)}, + {"log-tls-resumption", flag_descriptions::kLogTLSResumptionName, + flag_descriptions::kLogTLSResumptionDescription, kOsAll, + FEATURE_VALUE_TYPE(net::features::kLogTLSResumption)}, #if BUILDFLAG(IS_ANDROID) {"feed-back-to-top", flag_descriptions::kFeedBackToTopName, flag_descriptions::kFeedBackToTopDescription, kOsAndroid, diff --git a/chrome/browser/flag_descriptions.cc b/chrome/browser/flag_descriptions.cc --- a/chrome/browser/flag_descriptions.cc +++ b/chrome/browser/flag_descriptions.cc @@ -1116,6 +1116,14 @@ const char kAccessibilityAcceleratorNotificationsTimeoutDescription[] = "shortcut (docked magnifier, screen magnifier and high contrast) to time " "out instead of remaining pinned."; +const char kDisableTLSResumptionName[] = "Disable TLS Session Resumption"; +const char kDisableTLSResumptionDescription[] = + "Disable TLS session resumption."; + +const char kLogTLSResumptionName[] = "Log TLS Session Resumption"; +const char kLogTLSResumptionDescription[] = + "Log TLS session resumption"; + const char kAccessibilityServiceName[] = "Experimental Accessibility Service"; const char kAccessibilityServiceDescription[] = "This option enables the experimental Accessibility Service and runs some " diff --git a/chrome/browser/flag_descriptions.h b/chrome/browser/flag_descriptions.h --- a/chrome/browser/flag_descriptions.h +++ b/chrome/browser/flag_descriptions.h @@ -644,6 +644,12 @@ extern const char kDevicePostureDescription[]; extern const char kEnableTLS13EarlyDataName[]; extern const char kEnableTLS13EarlyDataDescription[]; +extern const char kDisableTLSResumptionName[]; +extern const char kDisableTLSResumptionDescription[]; + +extern const char kLogTLSResumptionName[]; +extern const char kLogTLSResumptionDescription[]; + extern const char kEnableTLS13KyberName[]; extern const char kEnableTLS13KyberDescription[]; diff --git a/net/base/features.cc b/net/base/features.cc --- a/net/base/features.cc +++ b/net/base/features.cc @@ -67,6 +67,14 @@ const base::FeatureParam kUseDnsHttpsSvcbSecureExtraTimeMin{ &kUseDnsHttpsSvcb, "UseDnsHttpsSvcbSecureExtraTimeMin", base::Milliseconds(5)}; +BASE_FEATURE(kDisableTLSResumption, + "DisableTLSResumption", + base::FEATURE_ENABLED_BY_DEFAULT); + +BASE_FEATURE(kLogTLSResumption, + "LogTLSResumption", + base::FEATURE_DISABLED_BY_DEFAULT); + BASE_FEATURE(kUseDnsHttpsSvcbAlpn, "UseDnsHttpsSvcbAlpn", base::FEATURE_ENABLED_BY_DEFAULT); diff --git a/net/base/features.h b/net/base/features.h --- a/net/base/features.h +++ b/net/base/features.h @@ -107,6 +107,12 @@ NET_EXPORT BASE_DECLARE_FEATURE(kSHA1ServerSignature); // Enables TLS 1.3 early data. NET_EXPORT BASE_DECLARE_FEATURE(kEnableTLS13EarlyData); +// Disables TLS resumption. +NET_EXPORT BASE_DECLARE_FEATURE(kDisableTLSResumption); + +// Log TLS resumption. +NET_EXPORT BASE_DECLARE_FEATURE(kLogTLSResumption); + // Enables the TLS Encrypted ClientHello feature. // https://datatracker.ietf.org/doc/html/draft-ietf-tls-esni-13 NET_EXPORT BASE_DECLARE_FEATURE(kEncryptedClientHello); diff --git a/net/http/http_network_session.cc b/net/http/http_network_session.cc --- a/net/http/http_network_session.cc +++ b/net/http/http_network_session.cc @@ -208,6 +208,7 @@ HttpNetworkSession::HttpNetworkSession(const HttpNetworkSessionParams& params, next_protos_.push_back(kProtoHTTP11); + DCHECK(context.quic_context->params()->max_server_configs_stored_in_properties == 0); http_server_properties_->SetMaxServerConfigsStoredInProperties( context.quic_context->params()->max_server_configs_stored_in_properties); http_server_properties_->SetBrokenAlternativeServicesDelayParams( diff --git a/net/quic/quic_stream_factory.cc b/net/quic/quic_stream_factory.cc --- a/net/quic/quic_stream_factory.cc +++ b/net/quic/quic_stream_factory.cc @@ -70,6 +70,7 @@ #include "net/third_party/quiche/src/quiche/quic/core/quic_utils.h" #include "net/third_party/quiche/src/quiche/quic/platform/api/quic_flags.h" #include "third_party/boringssl/src/include/openssl/aead.h" +#include "third_party/boringssl/src/include/openssl/ssl.h" #include "url/gurl.h" #include "url/scheme_host_port.h" #include "url/url_constants.h" @@ -195,6 +196,38 @@ std::set HostsFromOrigins(std::set origins) { } // namespace +class BromiteSessionCache : public quic::QuicClientSessionCache { + public: + BromiteSessionCache() = default; + ~BromiteSessionCache() override = default; + + void Insert(const quic::QuicServerId& server_id, + bssl::UniquePtr session, + const quic::TransportParameters& params, + const quic::ApplicationState* application_state) override { + if (base::FeatureList::IsEnabled(net::features::kDisableTLSResumption)) + SSL_SESSION_set_timeout(session.get(), 0); + if (base::FeatureList::IsEnabled(net::features::kLogTLSResumption)) { + LOG(INFO) << "SSL Log: new quic session created " + << server_id.host(); + } + quic::QuicClientSessionCache::Insert(server_id, + std::move(session), params, application_state); + } + + std::unique_ptr Lookup( + const quic::QuicServerId& server_id, quic::QuicWallTime now, + const SSL_CTX* ctx) override { + auto value = quic::QuicClientSessionCache::Lookup(server_id, now, ctx); + if (value != nullptr && + base::FeatureList::IsEnabled(net::features::kLogTLSResumption)) { + LOG(INFO) << "SSL Log: QUIC session resumed " + << server_id.host(); + } + return value; + } +}; + // Refcounted class that owns quic::QuicCryptoClientConfig and tracks how many // consumers are using it currently. When the last reference is freed, the // QuicCryptoClientConfigHandle informs the owning QuicStreamFactory, moves it @@ -2353,7 +2386,7 @@ QuicStreamFactory::CreateCryptoConfigHandle( sct_auditing_delegate_, HostsFromOrigins(params_.origins_to_force_quic_on), actual_network_anonymization_key), - std::make_unique(), this); + std::make_unique(), this); quic::QuicCryptoClientConfig* crypto_config = crypto_config_owner->config(); crypto_config->AddCanonicalSuffix(".c.youtube.com"); diff --git a/net/socket/ssl_client_socket_impl.cc b/net/socket/ssl_client_socket_impl.cc --- a/net/socket/ssl_client_socket_impl.cc +++ b/net/socket/ssl_client_socket_impl.cc @@ -387,7 +387,33 @@ SSLClientSocketImpl::SSLClientSocketImpl( CHECK(context_); } +void SSLClientSocketImpl::Log_ssl_session_data(const std::string& tag, SSL_SESSION* session) { + if (session == NULL) { + LOG(INFO) << "SSL Log: " + << tag + << " host: " << host_and_port_.ToString() + << " NIK: " << ssl_config_.network_anonymization_key.ToDebugString(); + return; + } + + unsigned len; + auto* session_id = SSL_SESSION_get_id(session, &len); + + const uint8_t *ticket; + size_t ticklen; + SSL_SESSION_get0_ticket(session, &ticket, &ticklen); + + LOG(INFO) << "SSL Log: " + << tag + << " host: " << host_and_port_.ToString() + << " NIK: " << ssl_config_.network_anonymization_key.ToDebugString() + << " sessionid: " << base::HexEncode(session_id, len) + << (ticklen > 0 ? " ticket:" + base::HexEncode(ticket, ticklen) : ""); +} + SSLClientSocketImpl::~SSLClientSocketImpl() { + if (base::FeatureList::IsEnabled(net::features::kLogTLSResumption)) + Log_ssl_session_data("Disconnect", NULL); Disconnect(); } @@ -776,6 +802,8 @@ int SSLClientSocketImpl::Init() { } if (session) SSL_set_session(ssl_.get(), session.get()); + if (session && base::FeatureList::IsEnabled(net::features::kLogTLSResumption)) + Log_ssl_session_data("Old session resumed", session.get()); } const int kBufferSize = kDefaultOpenSSLBufferSize.Get(); @@ -1067,6 +1095,35 @@ int SSLClientSocketImpl::DoHandshakeComplete(int result) { : SSLHandshakeDetails::kTLS13Full; } } + if (base::FeatureList::IsEnabled(net::features::kLogTLSResumption)) { + switch(details) + { + case SSLHandshakeDetails::kTLS13Early: + Log_ssl_session_data("SSL Log: session reused: kTLS13Early mode", NULL); + break; + case SSLHandshakeDetails::kTLS13ResumeWithHelloRetryRequest: + Log_ssl_session_data("SSL Log: session reused: kTLS13ResumeWithHelloRetryRequest mode", NULL); + break; + case SSLHandshakeDetails::kTLS13Resume: + Log_ssl_session_data("SSL Log: session reused: kTLS13Resume mode", NULL); + break; + case SSLHandshakeDetails::kTLS12Resume: + Log_ssl_session_data("SSL Log: session reused: kTLS12Resume mode", NULL); + break; + case SSLHandshakeDetails::kTLS12Full: + Log_ssl_session_data("SSL Log: session reused: kTLS12Full mode", NULL); + break; + case SSLHandshakeDetails::kTLS12FalseStart: + Log_ssl_session_data("SSL Log: session reused: kTLS12FalseStart mode", NULL); + break; + case SSLHandshakeDetails::kTLS13Full: + Log_ssl_session_data("SSL Log: session reused: kTLS13Full mode", NULL); + break; + case SSLHandshakeDetails::kTLS13FullWithHelloRetryRequest: + Log_ssl_session_data("SSL Log: session reused: kTLS13FullWithHelloRetryRequest mode", NULL); + break; + } + } UMA_HISTOGRAM_ENUMERATION("Net.SSLHandshakeDetails", details); // Measure TLS connections that implement the renegotiation_info extension. @@ -1741,6 +1798,8 @@ bool SSLClientSocketImpl::IsRenegotiationAllowed() const { } bool SSLClientSocketImpl::IsCachingEnabled() const { + if (base::FeatureList::IsEnabled(net::features::kDisableTLSResumption)) + return false; return context_->ssl_client_session_cache() != nullptr; } diff --git a/net/socket/ssl_client_socket_impl.h b/net/socket/ssl_client_socket_impl.h --- a/net/socket/ssl_client_socket_impl.h +++ b/net/socket/ssl_client_socket_impl.h @@ -126,6 +126,8 @@ class SSLClientSocketImpl : public SSLClientSocket, friend class SSLClientSocket; friend class SSLContext; + void Log_ssl_session_data(const std::string& tag, SSL_SESSION* session); + int Init(); void DoReadCallback(int result); void DoWriteCallback(int result); -- 2.25.1