Network-Based HTTPS Client Identification Using SSL/TLS Fingerprinting

Husák, Martin; Čermák, Milan; Jirsík, Tomáš; Čeleda, Pavel

doi:10.1109/ares.2015.35

Cited by 25 publications

(18 citation statements)

References 12 publications

(10 reference statements)

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Later, in 2012, Majkowski implemented SSL fingerprinting in p0f [36]. In 2015, Husá et al used client fingerprinting to broadly describe the types of HTTPS traffic on their institutional network [28], and in 2016, Brotherston showed how desktop applications could be identified by their Client Hello messages [9]. Concurrent to our work, Cisco showed that malware uses different TLS parameters than browsers [3].…”

Section: I I I R E L At E D W O R Ksupporting

confidence: 53%

The Security Impact of HTTPS Interception

Durumeric

Springall

et al. 2017

Proceedings 2017 Network and Distributed System Security Symposium

113

View full text Add to dashboard Cite

As HTTPS deployment grows, middlebox and antivirus products are increasingly intercepting TLS connections to retain visibility into network traffic. In this work, we present a comprehensive study on the prevalence and impact of HTTPS interception. First, we show that web servers can detect interception by identifying a mismatch between the HTTP User-Agent header and TLS client behavior. We characterize the TLS handshakes of major browsers and popular interception products, which we use to build a set of heuristics to detect interception and identify the responsible product. We deploy these heuristics at three large network providers: (1) Mozilla Firefox update servers, (2) a set of popular e-commerce sites, and (3) the Cloudflare content distribution network. We find more than an order of magnitude more interception than previously estimated and with dramatic impact on connection security. To understand why security suffers, we investigate popular middleboxes and clientside security software, finding that nearly all reduce connection security and many introduce severe vulnerabilities. Drawing on our measurements, we conclude with a discussion on recent proposals to safely monitor HTTPS and recommendations for the security community. Permission to freely reproduce all or part of this paper for noncommercial purposes is granted provided that copies bear this notice and the full citation on the first page. Reproduction for commercial purposes is strictly prohibited without the prior written consent of the Internet Society, the first-named author (for reproduction of an entire paper only), and the author's employer if the paper was prepared within the scope of employment.

show abstract

Section: I I I R E L At E D W O R Ksupporting

confidence: 53%

The Security Impact of HTTPS Interception

Durumeric

Springall

et al. 2017

Proceedings 2017 Network and Distributed System Security Symposium

113

View full text Add to dashboard Cite

show abstract

“…Majkowski implemented fingerprinting for p0f [61]. Most closely related to our work, HusÃąk et al [55] did a study in which they linked HTTP user-agent to TLS cipher suite lists. They obtained 12,832 user-agent/cipher-suite links.…”

Section: Related Workmentioning

confidence: 99%

Coming of Age

Kotzias

Razaghpanah

Amann³

et al. 2018

Proceedings of the Internet Measurement Conference 2018

View full text Add to dashboard Cite

The Transport Layer Security (TLS) protocol is the de-facto standard for encrypted communication on the Internet. However, it has been plagued by a number of different attacks and security issues over the last years. Addressing these attacks requires changes to the protocol, to server-or client-software, or to all of them. In this paper we conduct the first large-scale longitudinal study examining the evolution of the TLS ecosystem over the last six years. We place a special focus on the ecosystem's evolution in response to high-profile attacks. For our analysis, we use a passive measurement dataset with more than 319.3B connections since February 2012, and an active dataset that contains TLS and SSL scans of the entire IPv4 address space since August 2015. To identify the evolution of specific clients we also create the-to our knowledge-largest TLS client fingerprint database to date, consisting of 1,684 fingerprints. We observe that the ecosystem has shifted significantly since 2012, with major changes in which cipher suites and TLS extensions are offered by clients and accepted by servers having taken place. Where possible, we correlate these with the timing of specific attacks on TLS. At the same time, our results show that while clients, especially browsers, are quick to adopt new algorithms, they are also slow to drop support for older ones. We also encounter significant amounts of client software that probably unwittingly offer unsafe ciphers. We discuss these findings in the context of long tail effects in the TLS ecosystem.

show abstract

“…The data features originally used in fingerprinting were from TCP/IP headers, but more recent work has made use of features from HTTP headers [19], [26] and unencrypted fields from the TLS/SSL handshake [8], [14]. These features can be analyzed independently when only a single session's data is available, which is not uncommon in some scenarios.…”

Section: Introductionmentioning

confidence: 99%

OS fingerprinting: New techniques and a study of information gain and obfuscation

Anderson

McGrew

2017

2017 IEEE Conference on Communications and Network Security (CNS)

View full text Add to dashboard Cite

Abstract-Passive operating system fingerprinting reveals valuable information to the defenders of heterogeneous private networks; at the same time, attackers can use fingerprinting to reconnoiter networks, so defenders need obfuscation techniques to foil them. We present an effective approach for passive fingerprinting that uses data features from TLS as well as the TCP/IP and HTTP protocols in a multi-session model, which is applicable whenever several sessions can be observed within a time window. In experiments on a real-world private network, our approach identified operating system major and minor versions with accuracies of 99.4% and 97.5%, respectively, and provided significant information gain. We also show that obfuscation strategies can often be defeated due to the difficulty of manipulating data features from all protocols, especially TLS, by studying how obfuscation affects our fingerprinting system. Because devices running unpatched operating systems on private networks create significant vulnerabilities, their detection is critical; our approach achieved over 98% accuracy at this important goal.

show abstract

Network-Based HTTPS Client Identification Using SSL/TLS Fingerprinting

Cited by 25 publications

References 12 publications

The Security Impact of HTTPS Interception

The Security Impact of HTTPS Interception

Coming of Age

OS fingerprinting: New techniques and a study of information gain and obfuscation

Contact Info

Product

Resources

About