The rotation of the TLS context can act as a fingerprint for bridges
Censors can monitor the traffic of a suspected bridge every MAX_SSL_KEY_LIFETIME_INTERNAL and see if the TLS certificate has changed.
Normal SSL services don't change certificates every 2 hours.
Maybe we should consider increasing MAX_SSL_KEY_LIFETIME_INTERNAL. Maybe we should consider implementing and documenting it as part of prop179 (#3972 (moved)).