by zhuzhuor 4605 days ago
Do you know why TLS is doing that?

But even without the 4 bytes, a 64-bit nonce seems enough to me, as long as it's not chosen at random.

For comparison, if the nonce is chosen randomly, the security level is only 2^32 (supposing the 4 bytes based on the key material remain unchanged).


I believe it was done so that AES-GCM could be implemented in a FIPS module and would not need to depend on the uniqueness of provided nonces. Either that or some standard said that nonces must be unique. (I wasn't around for the discussion.)

I agree that a counter is perfectly safe.
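The point both commenters make (a counter-based 64-bit explicit nonce never repeats under one key, while a random 64-bit nonce hits the birthday bound after about 2^32 records) can be made concrete with a small calculation. The following is an added example, not code from either commenter or from any TLS implementation. It assumes the TLS 1.2 AES-GCM record nonce layout of a 4-byte implicit salt from the key block followed by an 8-byte explicit nonce, uses the standard 1 - exp(-n(n-1)/2N) birthday approximation, and treats the 2^-32 collision-probability target as an illustrative threshold; the class and function names are its own.

```python
import os
from math import exp

# Assumed TLS 1.2 AES-GCM nonce layout: 4-byte salt from the key block,
# followed by an 8-byte explicit nonce carried with each record.
SALT_LEN = 4
EXPLICIT_LEN = 8
EXPLICIT_BITS = EXPLICIT_LEN * 8


class CounterNonce:
    """Deterministic explicit nonce: a 64-bit big-endian counter under one key.

    Nonces are unique by construction and the generator refuses to wrap,
    forcing a rekey instead of silently reusing a nonce.
    """

    def __init__(self, salt: bytes):
        if len(salt) != SALT_LEN:
            raise ValueError("salt must be %d bytes" % SALT_LEN)
        self.salt = salt
        self.counter = 0

    def next_nonce(self) -> bytes:
        if self.counter >= 2 ** EXPLICIT_BITS:
            raise RuntimeError("explicit nonce space exhausted; rekey required")
        explicit = self.counter.to_bytes(EXPLICIT_LEN, "big")
        self.counter += 1
        return self.salt + explicit


def random_explicit_nonce(salt: bytes) -> bytes:
    """Random explicit nonce: uniqueness is probabilistic, not guaranteed."""
    return salt + os.urandom(EXPLICIT_LEN)


def collision_probability(messages: int, bits: int) -> float:
    """Birthday-bound approximation of P(some two random nonces collide)
    after `messages` draws from a `bits`-bit space: 1 - exp(-n(n-1)/2N)."""
    return 1.0 - exp(-(messages * (messages - 1)) / 2 ** (bits + 1))


def max_messages(bits: int, max_prob: float) -> int:
    """Largest n with n(n-1)/2N <= max_prob, i.e. how many random nonces
    can be drawn before the collision probability exceeds max_prob."""
    budget = max_prob * 2 ** (bits + 1)  # n(n-1) must stay within this
    n = int(budget ** 0.5)
    while (n + 1) * n <= budget:
        n += 1
    while n > 1 and n * (n - 1) > budget:
        n -= 1
    return n


if __name__ == "__main__":
    # Constructed sample salt; a real salt comes from the TLS key block.
    salt = bytes.fromhex("0a0b0c0d")
    gen = CounterNonce(salt)
    print("first counter nonces:", gen.next_nonce().hex(), gen.next_nonce().hex())
    print("random nonce:", random_explicit_nonce(salt).hex())
    n = 2 ** 32
    print("P(collision) after 2^32 random 64-bit nonces: %.3f"
          % collision_probability(n, EXPLICIT_BITS))
    print("P(collision) after 2^32 random 96-bit nonces: %.3g"
          % collision_probability(n, 96))
    print("random 64-bit nonces allowed at p <= 2^-32:",
          max_messages(EXPLICIT_BITS, 2 ** -32))
```

The contrast is the practical takeaway: with a counter the record limit under one key is the full 2^64, whereas with random 64-bit explicit nonces the collision probability is already around 0.39 after 2^32 records, and staying under a 2^-32 collision budget would mean rekeying after fewer than 10^5 records.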