Session resumption is no worse than connection reuse
martinthomson opened this issue · comments
Section 9.2. (Privacy Issues With Session Resumption) goes on at great lengths about the risks of linkability through session resumption tokens. This is fine, but the same risks exist by virtue of connection reuse, something the specification firmly recommends. The draft should acknowledge this, maybe changing this section to be entitled "Linkability through Connection Reuse and Session Resumption".
I am not sure that I agree. Session reuse does not allow much more tracking than simply monitoring which transaction comes from a given IP address. The text in section 9.2 says:
The recommendations in Section 6.5.3 are designed to mitigate these
risks. Using session tickets only once mitigates the risk of
tracking by third parties. Refusing to resume a session if addresses
change mitigates the risk of tracking by the server.
If the client does not change addresses, long duration sessions and session resume have pretty much the same properties. But then, there is no text in 6.5.3 about not doing resumption if the client address has changed -- and certainly not reusing a NEW_TOKEN if the client address has changed, because that's typically useless. Maybe add something?