Theencryption of network traffic is an ever-growing phenomenon as the worldmarches steadily further into the information age. Much of the world’s day-to-daycorrespondences are now reliant on network communication for the transmissionand reception of vital data. The benefits of encrypting communications areobvious, but the security it provides can be a double-edged sword. Security andencryption techniques can make it difficult for network security measures toidentify malicious communications and the precursors to attacks, makingmalignant communications all but invisible to many standard detection measures.One of the more popular and common network traffic encryption protocols is TLS.
TheTransport Layer Security (TLS) is a security technique that provides a methodof selecting communication and encryption protocols that both a HTTPS clientand a server can effectively utilize. TLS provides security for a wide varietyof communication between networks, ranging from financial transactions on majorretail websites, to private communications between individuals, all the waydown to malware returning the data it has illicitly acquired to the creator. TLSis effective because of the inherent extreme difficulty any eavesdropper wouldexperience, given that they were wishing to analyze the encrypted traffic andnot simply record whether or not communication had occurred. TLS users operateconfidently under this belief; that although an eavesdropper could easilyobserve the existence of their session, that the content itself will remain secureand unintelligible without access to the cryptographic keys that would removethe obfuscation. However, there do exist tools that can subvert this assurance andbe used to quickly determine the HTTPS client in the communication. Enter the TLSfingerprinting technique. Theprimary reason that this identification technique can be successful is due tothe fact that the Transport Security Layer needs to generate an initialcommunication between the HTTPS client and server before any sort of encryptedcommunication can take place.
This initial transmission consists of packetswhich inform both the HTTPS client and selected server of the other’scapabilities and preferences in regards to security algorithms. This is done sothat the selection of algorithms that are mutually acceptable for both the HTTPSclient and the server can be determined. These selections can range fromcryptographic methods and cipher suites, compression systems for files anddata, hashing algorithms, the list goes on. Logically, this communication ofpreferred selection has to be done out in the open without encryption, since nomethod of encryption or obfuscation has been selected yet and anyimplementation of such would have no guarantee of being intelligible to theparty being communicated to. While this does not present an opportunity for thebreaking of any sort of future encryption that either party selects, mereobservance of an event does nothing to indicate the details of it in this case,this unguarded exchange provides the key element which TLS fingerprintingrequires to function.
Becauseof this unguarded exchange, it is possible to build a metric for the identificationof a particular HTTPS client, by capturing the data contained in the initial packetthat the client sends to the server when trying to determine the protocols forthe TLS session. The nature of theseinitial packets changes only infrequently, and a fingerprint can be built fromtheir elements and then utilized in order to recognize a particular HTTPSclient in a future session. The fields and data points that need to be capturedfrom this observance are: the active TLSversion the HTTPS client is using, the TLS version in the HTTPS client’s recordlayer, the ciphers and algorithms that were chosen and applied, any compressionmethods utilized in the communication, and the list of active extensionsutilized by the HTTPS client.
Of these,the field with the most variance, and thus one of the best to use for thepurposes of identification, is the HTTPS client’s list of supported ciphersuites. A cipher suite is a collection of cryptographic techniques that definesa secure communication. There are hundreds of cipher suites, and even morecombinations of them, but they are all built from a small number rudimentary elements:key exchange, encryption algorithms and methods integrity validation.
Differentprograms often use very distinct cipher suites. This combined data set iseffectively changed only on a very rare basis for any particular HTTPS clientor server, and thus offers far greater granularity than assessing cipher suitesalone. Capturingthe initial communication between the HTTPS client and server is an excellentmethod for fingerprinting client packets for several reasons. First andforemost, it is possible to capture the packets from initial TLS handshake witha high degree of accuracy, initial communication bursts occur rarely enoughthat it is a manageable task to observe and record all of them that occur on atarget network. Storing these initial packets also requires little in regard tostorage space, reducing the overall cost of acquiring and analyzing the data.This is in direct contrast to the normally exorbitant cost associated with fulldata surveillance and recording.
Finally, the collection of these packets takeplace without the requirement to keep track of the current state of the TransmissionControl Protocol (TCP) or the observance of the packet in that particular stream.This reduces the overall cost again, this time in the area of necessaryprocessing power and amount of memory that needs to be allocated to track anyassociated packets. This ties into the real-world applications of the TLSfingerprinting technique as an economical and low-upkeep method of surveillance.Thepractical application for TLS Fingerprinting lies in its use as form of passivesurveillance and detection. The technique allows for a low-cost, and lowinvestment form of communication monitoring that enables the detection of anear limitless variety of traffic without requiring access to either the serveror the HTTPS client endpoints.
The ability to detect malicious programs orunwanted software without having to specifically search for a narrow range is avery useful ability for anyone monitoring network traffic, whether legitimatelyor not. Using TLS fingerprinting, potentially unwanted forms of software canalso be detected, as almost every application with a TLS connection possesses itsown semi-unique and inherent fingerprint. The detection of unusualcommunications streams is also a simple and useful application of the TLSfingerprinting technique, and is something most network security plans shouldfind worthy of investigation due to how simple to it is to detect. For example,many web services are expecting a human to interact with them via a browser andare designed for such. Amazon, for instance, would be very interested in aconnection from a script or bot program that starts buying large amounts ofproducts, whether with legitimate funds or not. Networktraffic analysis is also something that the use of the TLS fingerprintingtechnique makes easier. Given that each HTTPS client we identify has a uniquefingerprint, we can utilize the collected data for network traffic analysis. Bycalculating the number of unique IDs that share the same IP address, we canquantify the number of HTTPS clients using a specific machine, and any NATmechanisms that might be present.
This sort of HTTPS client identification can makea large contribution to any given network’s security and ability to detecthostile activity targeting network assets or users. By monitoring the activityof HTTPS clients, and utilizing a metric for suspicious activity, the detectionand prevention of network attacks and the spread of malware can be drasticallylessened. However, the establishment of this metric for behavior and a dynamicaccurate solution for determining malice is beyond the scope of this writing.Ofcourse, the TLS fingerprinting technique is not a foolproof one and there doexist techniques to counter it. Thenatural response is to, as a HTTPS client, modify your own TLS fingerprint inorder to subvert this form of identification.
While possible, there are severalcomplexities inherent to this idea. To avoid being identified by an existingfingerprint, the initial handshake that the HTTPS client and server exchangewith each other must be modified, which by necessity entails artificiallychoosing to support, or not support, many cipher suites and other features ofencryption, communication and compression. Doing this means lowering thesecurity of any communication between the HTTPS client and server byintroducing the requirement to support different, potentially less efficient,communication options.
Even worse, if a specific server has strictcommunication protocols, these changes might prevent the HTTPS client from anyexchange of information with it, or necessitate a change in the server’sprotocols as well. Another response for a HTTPS client, is to utilize a proxywhen connecting. This causes the technique to detect the various extensions,communication protocols, and cipher suites of the proxy instead of the true HTTPSclient. This method is only a stop-gap solution however, as any given proxy canstill be fingerprinted, identified, and its traffic marked accordingly orrefused. Inconclusion, as the variety of communication avenues grows, HTTPS client/servercommunication protocols will continue to rely on TLS to provide a swift methodof reasonable security and privacy via cryptographic techniques. Theutilization of TLS fingerprinting allows for a quick and resource-cheap method ofdetermining which ciphers are being used, and thus allows for the more precise applicationof defensive strategies and communication filtering for network administratorsand security professionals.
TLSfingerprinting also enhances the abilities of network traffic analysis byproviding an economical network-based form of identification of HTTPS clients.The technique is lightweight, not limited in the scope of its deployment, anddoes not violate the confidentiality, security, or availability of a client’sdata, making it an excellent candidate for implementation even in network’shandling traffic composed of sensitive material.