Knowledge baseTermstls-fingerprinting

TLS fingerprinting

To effectively protect information, it is necessary to understand what is happening with traffic within the network. However, this is not the easiest task, as it is further complicated by the widespread use of the Transport Layer Security (TLS) protocol, which interferes with traditional methods of monitoring network security. But then TLS fingerprinting comes to the rescue - a method that will help you understand the traffic without depriving you of any advantages of the TLS protocol. For each client, the “fingerprint " remains static from session to session.

Contents:

What is TLS (Transport Layer Security)?

To begin with, it is worth explaining what TLS is. It is a widely used protocol that ensures the confidentiality and security of data for communication over the Internet. The main task of TLS is to encrypt the communication between the web application and the server. The protocol can also be used to encrypt other types of messages, for example, such as email, messaging, and Voice over IP (VoIP).

But what is TLS fingerprinting for? Since the "fingerprint" for ordinary clients always remains the same, the method helps to effectively detect a wide range of unwanted traffic, while not paying attention to connections with already familiar fingerprints.

What is TLS fingerprinting?

This method is based on the patterns found in the settings, which are declared in the “HelloClient” message sent by the client as the very first message in the TLS confirmation process. This message is not encrypted, which allows NSM tools to view it. Each SSL / TLS client uses a specific version of a specific SSL/TLS library. Some of them are OpenSSL, GnuTLS, Windows, Java SSE, NSS, wolfSSL, etc.

The "HelloClient" message contains three main sections that will help identify the client’s browser:

  • Ciphersuite: The cipher suite is a combination of "Key Exchange+Encryption". The list of ciphers and settings usually change depending on the library version. Some clients specifically prefer certain cipher suites. For example, Chrome prefers to use ChaCha20-Poly1305. Most other applications, particularly malicious ones, often use standard cipher suites provided by the library.
  • Extensions: Which TLS extensions are supported and in what order they are displayed in the message. It depends on the type and version of the SSL library. Some advanced clients, such as Chrome, use extensions dynamically, for example, to check for SPDY support.
  • Elliptical curves: IANA has registered about 25 types of elliptical curves. This number and settings will also vary depending on the client.

If we take all three together, there is a high probability of minimizing any conflicts and identifying a specific client in a specific operating system.

Passive detection

The most obvious use of TLS fingerprints is passive detection. It allows you to detect a wide range of potentially unwanted traffic without requiring access to any of the endpoints. The ability to detect malware or software such as SuperFish and PrivDog running on desktop computers without a special search can be very useful. Using this method, you can also detect other potentially unwanted software. For example, the Java update program and TLS connections performed by applications written in Java have a certain fingerprint.

Detecting software that may not be malicious, but is out of context, may also be worth considering, fortunately, it is easy to detect. For example, many interfaces should be available only to a specific client or a set of clients. If the webserver is expecting to interact with a person through a browser, wget fingerprint detection may be important; on the other hand, the Exchange server may only be accessible by Outlook, so connecting from a Python script will be important.

Conclusion

With an ever-increasing variety of connections, we will continue to rely on the TLS protocol to ensure security and privacy through cryptographic means. Using TLS fingerprints, we can quickly and passively determine which client is being used, and apply strategies both from the attacker's point of view and from the defender's point of view. These strategies allow us to defend more effectively.