TLS 1.3 has a heavily touted feature called 0-RTT that has been paraded by CloudFlare as a huge speed benefit to users because it allows sessions to be resumed quickly from previous visits. This immediately raised an eyebrow for me because this means that full negotiation is not taking place.
After more research, I’ve discovered that 0-RTT does skip renegotiation steps that involve generating new keys.
This means that every time 0-RTT is used, the server knows that you’ve been to the site before, and it knows all associated IPs and sign-in credentials attached to that particular key.
In the article there are proposed Firefox settings workarounds
security.ssl.disable_session_identifiers (hidden feature) security.ssl.enable_false_start security.tls.enable_0rtt_data privacy.firstparty.isolate
But there is no workaround yet to be found for Chrome, and I personally doubt one will be made available given Google's primary business model.
Yet another societal step towards the eventual goal of a complete global surveilance state.