To effectively protect information, it is necessary to understand what is happening with traffic within the network. However, this is not the easiest task, as it is further complicated by the widespread use of the Transport Layer Security (TLS) protocol, which interferes with traditional methods of monitoring network security. But then TLS fingerprinting comes to the rescue - a method that will help you understand the traffic without depriving you of any advantages of the TLS protocol. For each client, the “fingerprint " remains static from session to session.
To begin with, it is worth explaining what TLS is. It is a widely used protocol that ensures the confidentiality and security of data for communication over the Internet. The main task of TLS is to encrypt the communication between the web application and the server. The protocol can also be used to encrypt other types of messages, for example, such as email, messaging, and Voice over IP (VoIP).
But what is TLS fingerprinting for? Since the "fingerprint" for ordinary clients always remains the same, the method helps to effectively detect a wide range of unwanted traffic, while not paying attention to connections with already familiar fingerprints.
This method is based on the patterns found in the settings, which are declared in the “HelloClient” message sent by the client as the very first message in the TLS confirmation process. This message is not encrypted, which allows NSM tools to view it. Each SSL / TLS client uses a specific version of a specific SSL/TLS library. Some of them are OpenSSL, GnuTLS, Windows, Java SSE, NSS, wolfSSL, etc.
The "HelloClient" message contains three main sections that will help identify the client’s browser:
If we take all three together, there is a high probability of minimizing any conflicts and identifying a specific client in a specific operating system.
The most obvious use of TLS fingerprints is passive detection. It allows you to detect a wide range of potentially unwanted traffic without requiring access to any of the endpoints. The ability to detect malware or software such as SuperFish and PrivDog running on desktop computers without a special search can be very useful. Using this method, you can also detect other potentially unwanted software. For example, the Java update program and TLS connections performed by applications written in Java have a certain fingerprint.
Detecting software that may not be malicious, but is out of context, may also be worth considering, fortunately, it is easy to detect. For example, many interfaces should be available only to a specific client or a set of clients. If the webserver is expecting to interact with a person through a browser, wget fingerprint detection may be important; on the other hand, the Exchange server may only be accessible by Outlook, so connecting from a Python script will be important.
With an ever-increasing variety of connections, we will continue to rely on the TLS protocol to ensure security and privacy through cryptographic means. Using TLS fingerprints, we can quickly and passively determine which client is being used, and apply strategies both from the attacker's point of view and from the defender's point of view. These strategies allow us to defend more effectively.