Frequently Asked Questions about TLS Fingerprint

Frequently Asked Questions about TLS Fingerprint
Fingerprint

Transport layer security or TLS is an algorithm that is used to encrypt all the internet traffic and helps you with cybersecurity needs. This protocol uses cryptographic algorithms to encrypt web-based communication between a server and its clients. This technique is developed to secure the connection from server side, allowing servers to identify the client at a higher degree of accuracy which is present even on the first packet as well. To learn further about TLS security, we first need to look at how it works and what the term TLS handshake is.

TLS handshaking : how does it work ?

TLS handshake is the term to encrypt and secure the connection from both ends, the client and the server at the same time. When a client accesses a TLS encrypted site, it performs a TLS handshake with the server, the handshake basically means the process of identification of the client. The process starts with a request from the client to initiate the secure session of the website. This secure access session is called ‘hello’ session for easy understanding. As TLS is a divine encryption protocol, it has multiple versions with a wide range of encryption options (Also known as cipher suites), the client (can be a browser, script or a prompt) sends the server a list of supported encryption methods or cipher suites and the current TLS version in the ‘Client Hello’ message  to initiate the request. The server then analyses the list with its own supported ciphers and sends back the ‘Hello’ message that consists of TLS protocol, chosen cipher suite and SSL certificate that includes public encryption key. After that, the client uses public key from SSL certificate and verifies its accuracy (like Server’s name should match the DNS in the certificate, and that, it isn’t expired as well). After a complete verification session, the client sends another random string (or called premaster secret) that is encrypted using server’s public key, which server decrypts using the private key and then both, the client and server generate session key using client random, server random and premaster secret. These should be arriving with the same result, and finally, server and the client send finished message that is encrypted with session key. When both, the client and server are securely encrypted, we can say that TLS handshake is complete. Let’s have look at the diagram representing all this process.

TLS Library : Recognizing the User Client

Client Hello is actually a list of ciphers supported by the client, each one uses different TLS library which are enlisted here along with notable differences in them:

With the help of TLS fingerprinting, Server can identify TLS library used by the client and compare it with the expected outcomes, each library is different and supports even different ciphers in a separate order as well. Web clients can easily be distinguished based on their TLS signature. The thing that needs to be kept in mind is that this information is actually available upon the very first session, (or the first packet of session) which server can see even before responding to the client. Moreover, until encrypted Client Hello Message standardizes, this information is easily available for any third party network which can infer it as well.

A client might alter the User-Agent string (to mock the results or display another browser version) but Hello message can sometimes reveal its actual version and operating system, some particular browsers contain a different list of preferred ciphers as well (such as chrome 81 and 93).

Open-Source Implementation & Signature Calculation Methods

JA3

First and far-most popular method for TLS fingerprinting (or called Signature Calculation method) is JA3. It was developed by a team at salesforce and open-source in 2017, it takes Client Hello Packet and produces hash identifying the client during the TLS handshake process. Components that it takes from the packet are TLS version, Accepted ciphers, list of extensions, elliptic curve and its formats. After getting these fields, it combines them in order using comma to delimit fields themselves, and a hyphen to delimit the field values, then resulting string or the outcome is converted into MD5 hash equivalent, which is easily consumable and shareable. this outcome string is SSL client fingerprint, can be compared with known application fingerprints to indicate whether it is an authentic client or malicious. JA3 is the De-Facto standard in TLS fingerprinting and is implemented almost everywhere on the internet, has its own limitations as well.

JA3S

This is used for server-side implementation of SSL or TLS communication, is used alongside JA3 which is focused on client side and helps with judgement of legitimacy and accuracy of an app. The fingerprint is generated using the fields from Server Hello string, like TLS version, ciphers and extensions. JA3 and JA3S offer insurance against the possibility of Malware generating the same MD5 hash same as legitimate apps.

TS1

This method of TLS fingerprinting, works in a different way, by creating a unique has for each TLS signature. It was first inspired by JA3 but is now more comprehensive than that. It encodes all the parameters of Client Hello Message in JSON format, then calculates its SHA1 hash to produce the signature. In this method, different clients have different or unique hashes that can be saved into the database for easy comparison of signatures. These signatures encode more parameters than JA3 so that they can represent more accurate picture of the client to server. One thing worth mentioning is that due to the use of JSON format, this method is more like a ‘Future-proof’ for further development of TLS extensions that are not in existence till now.

Usability of TLS Fingerprinting, where is it being used?

Most common use case of TLS fingerprinting is Anti-Bot and Ant-DDOS solutions, to protect web pages from crawling attacks. Some people use it for phishing campaigns as well (which cannot ever be considered as legitimate use of course). Some common usage scenarios are:

Bot Detection and protection

An application programmed or designed to perform specific actions on other devices that often results in cyberattack. In some wide-case scenarios, a network of devices is used to complete large scale cyberattacks which are known as botnet. Researchers or professionals can track them to identify what they have in common like malware, and share the results with security community in the form of IOCs.

After the identification of a bot, you can block its IP or get the services of a bot protection institute or organization (the professionals), or you can even implement a captcha code to protect your stuff from Bots.

DDoS Protection

DDoS or Distributed denial of Service is the form of attack that aims to overwhelm a target website with junk traffic. These kinds of attacks use botnet as well. Once you detect the surge of traffic to your site, investigate the client hello of all the connected device. If the client hello fields are same in all of the devices, then you can say that all of them are infected with the same malware. You can block all their IP addresses to protect your site at this point.

Control over your TLS Signatures

Most of the time, parameters in TLS client hello message are not controllable by any kind of tools or scripts but in python, you can control cipher suites list. There are some methods that can give you full control over TLS signatures, that are :

  • Puppeteer Extra : This tool lets you run headless chrome browser so that you can get control by using a simple script.
  • Curl-impersonate : this tool helps you fake TLS signatures by implementing most popular browsers.
  • JA3Transport : it is a go library that helps you fake JA3 signature.

Conclusion

TLS fingerprinting is getting popular day by day and has become extremely common around the web for its legitimate purposes like blocking DDoS attacks and Bot Protection, but is also making the web space m less open for publics and more private and restrictive towards specific clients. Tools to protect clients by faking TLS signature are still imperfect and immature, and need further improvements and development of such tools is still very important for web to become free, Easy and open space for everyone. In that regard, the best solution would be from TLS own library side, to provide more refined control for the users to protect themselves. And providing more means to secure themselves and their site. It needs to implement 4 things in order to get a better and clean user base:

  • Allow users to control TLS extensions
  • Allow users to control exact list of ciphers
  • Support the latest extensions that some browsers are currently using
  • Making verification process more private to avoid negative use cases
  • Provide support for new and emerging programming languages