Maybe, but currently some site today can set a cookie in your browser and track you anyway -- a lot simpler than fiddling with the TLS stack.
I assume that if you browse in "Private Browsing" or "Incognito" mode, then the TLS Session Resumption data is wiped once you exit that mode (similar to how cookies and local storage are wiped).
The site you visit, yes. But I am referring to a MITM. A cookie would be hidden by the secure tunnel. But the TLS resumption parameters might be visible as it happens before the tunnel is established. I am not familiar enough with the protocol to know if it is the case.
The resumption parameters might be used to uniquely identify a person... that's an interesting point.
But is that a big enough flaw to justify throwing out the baby of TLS with the bathwater of tiny details like that? I'm sure there are people who are much smarter than both of us who can fix that without giving up on TLS altogether.
Ah, I see. Yes, from a cursory glance at RFC 5077, it seems that the SessionTicket is sent as part of ClientHello, which is not encrypted (page 6).
This is still no worse than plain unencrypted HTTP at worst, and server admins or clients could well choose not to support this if they do not wish to.
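An added example, not part of any comment in this thread: a minimal parser showing that the RFC 5077 SessionTicket extension can be read from a TLS 1.2 ClientHello without any keys, which is the visibility the thread is discussing. The function names `build_client_hello` and `session_ticket` are hypothetical, and the ClientHello and ticket bytes are constructed sample data.

```python
import struct

SESSION_TICKET = 35  # extension type assigned to SessionTicket by RFC 5077


def build_client_hello(ticket: bytes) -> bytes:
    """Constructed sample: a minimal TLS 1.2 ClientHello record carrying a ticket."""
    ext = struct.pack("!HH", SESSION_TICKET, len(ticket)) + ticket
    body = (b"\x03\x03" + bytes(32)        # client_version, random (zeroed sample)
            + b"\x00"                      # empty session_id
            + b"\x00\x02\xc0\x2f"          # cipher_suites: one suite
            + b"\x01\x00"                  # compression_methods: null only
            + struct.pack("!H", len(ext)) + ext)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def session_ticket(record: bytes):
    """Return the ticket bytes readable from a plaintext ClientHello, else None."""
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x01:
        return None                        # not a handshake record with ClientHello
    body = record[9:9 + int.from_bytes(record[6:9], "big")]
    pos = 2 + 32                           # skip client_version and random
    try:
        pos += 1 + body[pos]               # skip session_id
        pos += 2 + int.from_bytes(body[pos:pos + 2], "big")  # skip cipher_suites
        pos += 1 + body[pos]               # skip compression_methods
    except IndexError:
        return None                        # truncated before the extensions
    if pos + 2 > len(body):
        return None                        # ClientHello without extensions
    end = pos + 2 + int.from_bytes(body[pos:pos + 2], "big")
    pos += 2
    while pos + 4 <= min(end, len(body)):
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        data = body[pos + 4:pos + 4 + elen]
        if len(data) != elen:
            return None                    # truncated extension
        if etype == SESSION_TICKET:
            return data                    # b"" means "supported, no ticket yet"
        pos += 4 + elen
    return None


if __name__ == "__main__":
    hello = build_client_hello(b"constructed-ticket-bytes")
    print(session_ticket(hello))
```

An empty result (`b""`) corresponds to a client that advertises ticket support but is not resuming; a client or server that disables session tickets sends no such extension at all.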