TLS Fingerprinting

TLS provides transport security to all manner of connections from legitimate financial transactions to private conversations and malware calling home. The inability to analyse encrypted traffic protects its users, whether they are legitimate or malicious.

TLS fingerprinting is a technique for quickly and passively fingerprinting TLS clients, which can be used simply to gather intelligence or to adapt our responses for the purposes of both attack and defence. Attackers can make automated decisions about when to man-in-the-middle a connection and when to let a client pass through untouched, remaining stealthy. Defenders can gain insight into what is making encrypted connections within their networks without access to either endpoint or to any cryptographic keying material.
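The passive part of the technique works because the very first message a client sends, the unencrypted ClientHello, already carries the client's cipher suite list, extension list, supported curves and point formats, and the order in which it presents them. The example below is added here to illustrate that; it is not code from the author's tls-fingerprinting repository, and it uses a JA3-style concatenation of those fields as the signature format, which is an assumption on my part rather than the author's own signature layout. The ClientHello it parses is constructed inline with a small builder (not captured traffic), the signature database holds one constructed entry, and GREASE values are stripped before hashing because they change on every connection.

```python
import hashlib
import struct

# Extension type numbers from the IANA TLS ExtensionType registry.
EXT_SERVER_NAME, EXT_SUPPORTED_GROUPS, EXT_EC_POINT_FORMATS, EXT_SIG_ALGS = 0, 10, 11, 13


def is_grease(value):
    """GREASE values (RFC 8701: 0x0a0a, 0x1a1a, ... 0xfafa) are randomised per
    connection, so they must be dropped or the fingerprint will not be stable."""
    return (value & 0x0F0F) == 0x0A0A


def build_client_hello(version, ciphers, extensions):
    """Encode a minimal TLS ClientHello inside a handshake record.
    Constructed for this example only; extensions is a list of (type, data)."""
    body = struct.pack("!H", version)
    body += b"\x00" * 32                          # client random (zeros: sample only)
    body += b"\x00"                               # empty session id
    body += struct.pack("!H", 2 * len(ciphers))
    body += b"".join(struct.pack("!H", c) for c in ciphers)
    body += b"\x01\x00"                           # one compression method: null
    ext_bytes = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in extensions)
    body += struct.pack("!H", len(ext_bytes)) + ext_bytes
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello(record):
    """Pull the fingerprintable fields out of a raw TLS record carrying a ClientHello."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    body = record[5:5 + rec_len]
    if len(body) < 4 or body[0] != 0x01:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    pos = 0
    version = struct.unpack("!H", hello[pos:pos + 2])[0]; pos += 2
    pos += 32                                     # skip client random
    pos += 1 + hello[pos]                         # skip session id
    cs_len = struct.unpack("!H", hello[pos:pos + 2])[0]; pos += 2
    ciphers = [struct.unpack("!H", hello[pos + i:pos + i + 2])[0] for i in range(0, cs_len, 2)]
    pos += cs_len
    pos += 1 + hello[pos]                         # skip compression methods
    extensions, curves, ec_formats, server_name = [], [], [], None
    if pos + 2 <= len(hello):                     # extensions block is optional
        end = pos + 2 + struct.unpack("!H", hello[pos:pos + 2])[0]; pos += 2
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack("!HH", hello[pos:pos + 4]); pos += 4
            data = hello[pos:pos + ext_len]; pos += ext_len
            extensions.append(ext_type)
            if ext_type == EXT_SUPPORTED_GROUPS and len(data) >= 2:
                n = struct.unpack("!H", data[:2])[0]
                curves = [struct.unpack("!H", data[2 + i:4 + i])[0] for i in range(0, n, 2)]
            elif ext_type == EXT_EC_POINT_FORMATS and len(data) >= 1:
                ec_formats = list(data[1:1 + data[0]])
            elif ext_type == EXT_SERVER_NAME and len(data) >= 5:
                name_len = struct.unpack("!H", data[3:5])[0]
                server_name = data[5:5 + name_len].decode("ascii", "replace")
    return {"version": version, "ciphers": ciphers, "extensions": extensions,
            "curves": curves, "ec_formats": ec_formats, "server_name": server_name}


def fingerprint(fields):
    """JA3-style signature: version,ciphers,extensions,curves,point_formats (assumed layout).
    Returns the readable string and an MD5 digest of it for compact storage."""
    def join(values):
        return "-".join(str(v) for v in values if not is_grease(v))
    text = ",".join([str(fields["version"]), join(fields["ciphers"]),
                     join(fields["extensions"]), join(fields["curves"]),
                     "-".join(str(f) for f in fields["ec_formats"])])
    return text, hashlib.md5(text.encode()).hexdigest()


# Constructed signature database; a real one is built from observed clients.
KNOWN_SIGNATURES = {
    "771,49195-49199-47,0-10-11-13,29-23,0": "sample-client (constructed signature)",
}


def classify(record):
    """Label a ClientHello from the signature database (None when unknown)."""
    text, digest = fingerprint(parse_client_hello(record))
    return KNOWN_SIGNATURES.get(text), digest


# Constructed sample ClientHello: TLS 1.2, a GREASE cipher and extension, SNI example.com.
SNI = struct.pack("!H", 14) + b"\x00" + struct.pack("!H", 11) + b"example.com"
SAMPLE_HELLO = build_client_hello(
    0x0303,
    [0x0A0A, 0xC02B, 0xC02F, 0x002F],
    [(0x0A0A, b""), (EXT_SERVER_NAME, SNI),
     (EXT_SUPPORTED_GROUPS, b"\x00\x04\x00\x1d\x00\x17"),   # x25519, secp256r1
     (EXT_EC_POINT_FORMATS, b"\x01\x00"),                   # uncompressed
     (EXT_SIG_ALGS, b"\x00\x04\x04\x03\x08\x04")],
)

if __name__ == "__main__":
    fields = parse_client_hello(SAMPLE_HELLO)
    print(fields["server_name"], fingerprint(fields), classify(SAMPLE_HELLO))
```

Feeding this the payload of the first TLS record on a connection (from a pcap or a span port) yields a label and the SNI without any key material, which is exactly the defender's view described above; the cipher order matters, so a client that re-orders its suites produces a different signature.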

I provided some initial research into this when SuperFish was shipped on laptops by Lenovo. Using this technique, it was simple for system administrators to discover affected hosts within their infrastructure, even in a BYOD environment where access to the devices is not possible.

I have since grown this technique to include tools for automatically creating signatures, monitoring networks in real time, and performing analysis. These tools are available under a GPL licence in my tls-fingerprinting repository on GitHub, and I have written a TLS Fingerprinting "paper" on my blog for anyone who would like to understand the technique further.

If you would rather listen to a presentation, I have also spoken on the subject: