TLS Fingerprinting
TLS provides transport security to all manner of connections, from legitimate
financial transactions to private conversations and malware calling home. The
inability to analyse encrypted traffic protects its users, whether they are
legitimate or malicious.
TLS Fingerprinting is a technique for quickly and passively fingerprinting TLS
clients, which can be used simply to gather intelligence or to adapt our
responses for the purposes of both attack and defence. Attackers can make
automated decisions concerning when to man-in-the-middle a connection and when
to let clients pass through silently, remaining stealthy. Defenders can gain
insight into what is making encrypted connections within their networks
without access to either endpoint or cryptographic keying material.
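The passive classification described above, as an added example written for this page (it is not the tls-fingerprinting project's own code, and it does not use the project's signature format): it parses a ClientHello out of a TLS record, builds a fingerprint from the fields a client chooses before any key material is exchanged, and matches it against a small signature table. The choice of fields (client version, cipher suite order, extension types, compression methods), the sample hellos, the hostnames and the client labels are all constructed here as assumptions for the example.

```python
import hashlib
import struct


def build_client_hello(version, ciphers, extensions, compression=b"\x00"):
    """Assemble a TLS record carrying a ClientHello. Used only to construct
    sample input for this example; a monitor would read records off the wire."""
    body = struct.pack("!H", version) + b"\x00" * 32          # client_version + zeroed random (constructed)
    body += b"\x00"                                           # empty session_id
    body += struct.pack("!H", 2 * len(ciphers))
    body += b"".join(struct.pack("!H", c) for c in ciphers)
    body += bytes([len(compression)]) + compression
    ext_bytes = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in extensions)
    body += struct.pack("!H", len(ext_bytes)) + ext_bytes
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body  # handshake type 1 = client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello(record):
    """Parse one TLS record and return the ClientHello fields that matter for
    fingerprinting. Raises ValueError for anything that is not a complete ClientHello."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("record does not carry a ClientHello")
    body = hs[4:]
    if len(body) != int.from_bytes(hs[1:4], "big"):
        raise ValueError("truncated ClientHello")

    pos = 0

    def take(n):
        # Bounds-checked cursor so a malformed length can never read past the message.
        nonlocal pos
        if pos + n > len(body):
            raise ValueError("ClientHello field runs past end of message")
        chunk = body[pos:pos + n]
        pos += n
        return chunk

    version = struct.unpack("!H", take(2))[0]
    take(32)                                   # client random: per-connection, never fingerprinted
    take(take(1)[0])                           # session_id: per-session, skipped
    cipher_bytes = take(struct.unpack("!H", take(2))[0])
    if len(cipher_bytes) % 2:
        raise ValueError("cipher suite list has odd length")
    ciphers = [struct.unpack("!H", cipher_bytes[i:i + 2])[0] for i in range(0, len(cipher_bytes), 2)]
    compression = list(take(take(1)[0]))
    extensions = []
    if pos < len(body):                        # the extensions block is optional
        ext_bytes = take(struct.unpack("!H", take(2))[0])
        epos = 0
        while epos + 4 <= len(ext_bytes):
            etype, elen = struct.unpack("!HH", ext_bytes[epos:epos + 4])
            epos += 4
            if epos + elen > len(ext_bytes):
                raise ValueError("extension length exceeds extensions block")
            extensions.append(etype)           # only the type is kept; SNI hostnames etc. are dropped
            epos += elen
    return {"version": version, "ciphers": ciphers,
            "compression": compression, "extensions": extensions}


def fingerprint(hello):
    """Stable textual fingerprint plus a short digest. The field set is an
    assumption for this example, not the project's signature format."""
    text = ",".join([
        f"{hello['version']:04x}",
        "-".join(f"{c:04x}" for c in hello["ciphers"]),
        "-".join(f"{e:04x}" for e in hello["extensions"]),
        "-".join(f"{c:02x}" for c in hello["compression"]),
    ])
    return text, hashlib.sha256(text.encode()).hexdigest()[:16]


def identify(record, signatures):
    """Look a record's fingerprint up in a {digest: label} table."""
    text, digest = fingerprint(parse_client_hello(record))
    return signatures.get(digest, "unknown"), digest


# Constructed samples: two hellos from the "same" client talking to different
# hosts, and one from a different client. Hostnames and labels are made up.
SNI_A = b"\x00\x0e\x00\x00\x0b" + b"example.com"   # server_name list -> host_name "example.com"
SNI_A2 = b"\x00\x0d\x00\x00\x0a" + b"other.test"   # same client, different hostname
SAMPLE_A = build_client_hello(0x0303, [0xC02B, 0xC02F, 0x009C, 0x002F],
                              [(0x0000, SNI_A),
                               (0x000A, b"\x00\x04\x00\x17\x00\x18"),   # supported_groups
                               (0x000D, b"\x00\x04\x04\x01\x08\x04")])  # signature_algorithms
SAMPLE_A_OTHER_HOST = build_client_hello(0x0303, [0xC02B, 0xC02F, 0x009C, 0x002F],
                                         [(0x0000, SNI_A2),
                                          (0x000A, b"\x00\x04\x00\x17\x00\x18"),
                                          (0x000D, b"\x00\x04\x04\x01\x08\x04")])
SAMPLE_B = build_client_hello(0x0303, [0x1301, 0x1302, 0xC02B],
                              [(0x000A, b"\x00\x02\x00\x1D"),
                               (0x002B, b"\x02\x03\x04")])            # supported_versions

# A defender seeds the table from hellos of known clients; only client A is known here.
SIGNATURES = {fingerprint(parse_client_hello(SAMPLE_A))[1]: "constructed-client-A"}

if __name__ == "__main__":
    for name, rec in [("A", SAMPLE_A), ("A/other host", SAMPLE_A_OTHER_HOST), ("B", SAMPLE_B)]:
        print(name, identify(rec, SIGNATURES))
```

Because only extension types are recorded, the two hellos from client A produce the same fingerprint regardless of the SNI hostname, which is what lets the same signature match a client across every site it visits; any length that does not fit inside its enclosing structure is rejected rather than silently misread.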
I provided some initial research into this when SuperFish was shipped on
laptops by Lenovo. Using this technique it was simple for system
administrators to discover affected hosts within their infrastructure, even in
a BYOD environment where access to devices is not possible.
I have since grown this technique to include tools for automatically creating
signatures, monitoring networks in real time, and performing analysis. These
tools are available under a GPL licence in my tls-fingerprinting repository on
GitHub, and I have written a TLS Fingerprinting "paper" on my blog for anyone
who would like to understand the technique further.
If you would rather listen to a presentation, I have also spoken on the subject: