The Transport Layer Security (TLS) master secret is not cryptographically bound to important session parameters such as the server certificate. Consequently, it is possible for an active attacker to set up two sessions, one with a client and another with a server, such that the master secrets on the two sessions are the same. Thereafter, any mechanism that relies on the master secret for authentication, including session resumption, becomes vulnerable to a man-in-the-middle attack, where the attacker can simply forward messages back and forth between the client and server. This specification defines a TLS extension that contextually binds the master secret to a log of the full handshake that computes it, thus preventing such attacks.
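The difference between the two derivations, as an added example that is not part of the specification text on this page: it computes the TLS 1.2 master secret (RFC 5246 PRF with SHA-256) and the extended master secret (label `extended master secret`, seeded with a hash of the handshake log) for two sessions that share a premaster secret and nonces but carry different server certificates. The `Session` type, `make_session` helper, simplified handshake log and all byte values are constructed for illustration.

```python
import hashlib
import hmac
from dataclasses import dataclass


@dataclass
class Session:
    pms: bytes            # premaster secret
    client_random: bytes
    server_random: bytes
    handshake_log: bytes  # stand-in for the concatenated handshake messages


def prf(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    """TLS 1.2 PRF (P_SHA256 from RFC 5246, section 5)."""
    seed = label + seed
    out, a = b"", seed  # a starts as A(0)
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()  # A(i) = HMAC(secret, A(i-1))
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()
    return out[:length]


def legacy_master_secret(s: Session) -> bytes:
    # Only the premaster secret and the two nonces are mixed in; the
    # certificate and the rest of the handshake never reach the PRF.
    return prf(s.pms, b"master secret", s.client_random + s.server_random, 48)


def extended_master_secret(s: Session) -> bytes:
    # The seed is a hash of the handshake log, so every message in it
    # (including the server certificate) influences the result.
    session_hash = hashlib.sha256(s.handshake_log).digest()
    return prf(s.pms, b"extended master secret", session_hash, 48)


def make_session(cert: bytes) -> Session:
    # Constructed sample values, not captured traffic.
    pms, cr, sr = bytes(range(48)), b"\x11" * 32, b"\x22" * 32
    log = b"ClientHello" + cr + b"ServerHello" + sr + b"Certificate" + cert
    return Session(pms, cr, sr, log)


SESSION_A = make_session(b"constructed-cert-A")
SESSION_B = make_session(b"constructed-cert-B")

if __name__ == "__main__":
    print("legacy equal:  ", legacy_master_secret(SESSION_A) == legacy_master_secret(SESSION_B))
    print("extended equal:", extended_master_secret(SESSION_A) == extended_master_secret(SESSION_B))
```

The legacy derivation yields the same 48-byte secret for both sessions even though the certificates differ, while the extended derivation yields distinct secrets.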