[tptacek]

I don't know, but the cost that session tickets are saving are almost entirely an externality to clients, and the privacy benefit of not honoring tickets isn't, so there would seem to be some value to a Chrome extension that busted that cache.

[zaroth]

Yeah but it's not the client sending the resumption ticket but sending the capability in the ClientHello which exposes the session key under a possibly fixed key. So you can't fix this by busting the client cache I think. You need the capability flag off.

Even so could an active adversary turn on the capability in the ClientHello and still get a chance to see the STEK encrypted session key even against legacy (or intentionally ticket-disabled) clients? This I don't know - would a client just drop the ticket message and proceed or would it abort? But at least it would have to be an active attacker.

[tptacek]

Yep, this got pointed out to me several times on Slack. Session tickets suck.