Blake Anderson
ABSTRACT
The Transport Layer Security (TLS) protocol has evolved in response to different attacks and is increasingly relied on to secure Internet communications. Web browsers have led the adoption of newer and more secure cryptographic algorithms and protocol versions, and thus improved the security of the TLS ecosystem. Other application categories, however, are increasingly using TLS, but too often are relying on obsolete and insecure protocol options.
To understand in detail what applications are using TLS, and how they are using it, we developed a novel system for obtaining process information from end hosts and fusing it with network data to produce a TLS fingerprint knowledge base. This data has a rich set of context for each fingerprint, is representative of enterprise TLS deployments, and is automatically updated from ongoing data collection. Our dataset is based on 471 million endpoint-labeled and 8 billion unlabeled TLS sessions obtained from enterprise edge networks in five countries, plus millions of sessions from a malware analysis sandbox. We actively maintain an open source dataset that, at 4,500+ fingerprints and counting, is both the largest and most informative ever published. In this paper, we use the knowledge base to identify trends in enterprise TLS applications beyond the browser: application categories such as storage, communication, system, and email. We identify a rise in the use of TLS by nonbrowser applications and a corresponding decline in the fraction of sessions using version 1.3. Finally, we highlight the shortcomings of naïvely applying TLS fingerprinting to detect malware, and we present recent trends in malware's use of TLS such as the adoption of cipher suite randomization.
- 2012. SSL Fingerprinting for p0f. https://idea.popcount.org/2012-06-17-ssl-fingerprinting-for-p0f/.Google Scholar
- 2018. macOS Security: Overview for IT. https://www.apple.com/business/resources/docs/macOS_Security_Overview.pdf.Google Scholar
- 2018. OpenSSL 1.1.0 Series Release Notes. https://www.openssl.org/news/openssl-1.1.0-notes.html.Google Scholar
- 2018. TLS Cipher Suites in Windows 10 v1703. https://docs.microsoft.com/en-us/windows/desktop/secauthn/tls-cipher-suites-in-windows-10-v1709.Google Scholar
- 2019. Apple Developer: Network Framework Documentation. https://developer.apple.com/documentation/network?language=objc.Google Scholar
- 2019. BrowserStack. https://www.browserstack.com/.Google Scholar
- 2019. Cisco AnyConnect Secure Mobility Client. http://www.cisco.com/go/anyconnect.Google Scholar
- 2019. OpenSSL Changelog. https://www.openssl.org/news/changelog.html.Google Scholar
- 2019. Psiphon. https://www.psiphon3.com.Google Scholar
- 2019. Ultrasurf. https://ultrasurf.us.Google Scholar
- 2019. uTLS. https://github.com/refraction-networking/utls.Google Scholar
- Nadhem AlFardan, Daniel J Bernstein, Kenneth G Paterson, Bertram Poettering, and Jacob CN Schuldt. 2013. On the Security of RC4 in TLS. In USENIX Security Symposium. 305--320.Google Scholar
- Erdem Alkim, Léo Ducas, Thomas Pöppelmann, and Peter Schwabe. 2016. Post-quantum Key Exchange-A New Hope. In USENIX Security Symposium. 327--343.Google Scholar
- John B. Althouse, Jeff Atkinson, and Josh Atkins. 2017. JA3. https://github.com/salesforce/ja3.Google Scholar
- Bernhard Amann, Matthias Vallentin, Seth Hall, and Robin Sommer. 2012. Extracting Certificates from Live Traffic: A Near Real-Time SSL Notary Service. Technical Report TR-12-014 (2012).Google Scholar
- Blake Anderson, Subharthi Paul, and David McGrew. 2018. Deciphering Malware's Use of TLS (without Decryption). Journal of Computer Virology and Hacking Techniques 14, 3 (2018), 195--211.Google ScholarCross Ref
- David Benjamin. 2019. Applying GREASE to TLS Extensibility. Internet-Draft (Informational). https://tools.ietf.org/html/draft-ietf-tls-grease-04.Google Scholar
- Hanno Böck, Juraj Somorovsky, and Craig Young. 2018. Return of Bleichengbacher's Oracle Threat (ROBOT). In USENIX Security Symposium. 817--849.Google Scholar
- Remi Bricout, Sean Murphy, Kenneth G Paterson, and Thyla Van der Merwe. 2018. Analysing and exploiting the Mantin biases in RC4. Designs, Codes and Cryptography 86, 4, 743--770.Google ScholarDigital Library
- Lee Brotherston. 2015. FingerprinTLS. https://github.com/synackpse/tls-fingerprinting.Google Scholar
- Edmund Brumaghin. 2016. Want Tofsee My Pictures? A Botnet Gets Aggressive. https://blog.talosintelligence.com/2016/09/tofsee-spam.html.Google Scholar
- Tim Dierks and Eric Rescorla. 2008. The Transport Layer Security (TLS) Protocol Version 1.2. RFC 5246 (Proposed Standard). http://www.ietf.org/rfc/rfc5246.txt.Google Scholar
- Roger Dingledine and Nick Mathewson. 2017. Tor Protocol Specification. https://gitweb.torproject.org/torspec.git/tree/tor-spec.txt.Google Scholar
- Alban Diquet. 2019. SSLyze. https://github.com/nabla-c0d3/sslyze.Google Scholar
- Zakir Durumeric, Zane Ma, Drew Springall, Richard Barnes, Nick Sullivan, Elie Bursztein, Michael Bailey, J Alex Halderman, and Vern Paxson. 2017. The Security Impact of HTTPS Interception. In Network and Distributed System Security Symposium (NDSS).Google Scholar
- Stephan Friedl, Andrei Popov, Adam Langley, and Emile Stephan. 2014. Transport Layer Security (TLS) Application-Layer Protocol Negotiation Extension. RFC 7301 (Proposed Standard). http://www.ietf.org/rfc/rfc7301.txt.Google Scholar
- Sergey Frolov and Eric Wustrow. 2019. The use of TLS in Censorship Circumvention. In Network and Distributed System Security Symposium (NDSS).Google ScholarCross Ref
- Ralph Holz, Johanna Amann, Olivier Mehani, Matthias Wachs, and Mohamed Ali Kaafar. 2016. TLS in the Wild: An Internet-wide Analysis of TLS-based Protocols for Electronic Communication. In Network and Distributed System Security Symposium (NDSS).Google Scholar
- Amir Houmansadr, Chad Brubaker, and Vitaly Shmatikov. 2013. The Parrot is Dead: Observing Unobservable Network Communications. In IEEE Symposium on Security and Privacy (S&P). 65--79.Google ScholarDigital Library
- Martin Husák, Milan Cermák, Torná Jirsík, and Pavel Celeda. 2015. Network-Based HTTPS Client Identification using SSL/TLS Fingerprinting. In Availability, Reliability and Security (ARES). 389--396.Google Scholar
- IANA. 2019. Transport Layer Security (TLS) Extensions. https://www.iana.org/assignments/tls-extensiontype-values/.Google Scholar
- IANA. 2019. Transport Layer Security (TLS) Parameters. https://www.iana.org/assignments/tls-parameters/.Google Scholar
- Jana Iyengar and Martin Thomson. 2019. QUIC: A UDP-Based Multiplexed and Secure Transport. Internet Draft. https://tools.ietf.org/html/draft-ietf-quic-transport-23.Google Scholar
- Platon Kotzias, Abbas Razaghpanah, Johanna Amann, Kenneth G. Paterson, Narseo Vallina-Rodriguez, and Juan Caballero. 2018. Coming of Age: A Longitudinal Study of TLS Deployment. In ACM SIGCOMM Internet Measurement Conference (IMC). 415--428.Google Scholar
- David McGrew, Blake Anderson, Bill Hudson, and Philip Perricone. 2017. Joy. https://github.com/cisco/joy.Google Scholar
- David McGrew, Brandon Enright, Blake Anderson, and Shekhar Acharya. 2019. Mercury: Fast TLS, TCP, and IP Fingerprinting. https://github.com/cisco/mercury.Google Scholar
- Mozilla. 2018. CipherScan. https://github.com/mozilla/cipherscan.Google Scholar
- Abbas Razaghpanah, Arian Akhavan Niaki, Narseo Vallina-Rodriguez, Srikanth Sundaresan, Johanna Amann, and Phillipa Gill. 2017. Studying TLS Usage in Android Apps. In International Conference on emerging Networking EXperiments and Technologies (CoNEXT). 350--362.Google Scholar
- ioerror rbsec. 2019. sslscan. https://github.com/rbsec/sslscan.Google Scholar
- Eric Rescorla. 2018. The Transport Layer Security (TLS) Protocol Version 1.3. RFC 8446 (Proposed Standard). http://www.ietf.org/rfc/rfc8446.txt.Google Scholar
- Eric Rescorla and Nagendra Modadugu. 2012. Datagram Transport Layer Security Version 1.2. RFC 6347 (Proposed Standard). http://www.ietf.org/rfc/rfc6347.txt.Google Scholar
- Ivan Ristic. 2009. HTTP Client Fingerprinting using SSL Handshake Analysis. https://blog.ivanristic.com/2009/06/http-client-fingerprinting-using-ssl-handshake-analysis.html.Google Scholar
- Ivan Ristić. 2012. sslhaf. https://github.com/ssllabs/sslhaf.Google Scholar
- runa. 2012. UAE uses DPI to block Tor. https://trac.torproject.org/projects/tor/ticket/6246.Google Scholar
- SSLBL. 2019. SSL Blacklist: JA3 Fingerprints. https://sslbl.abuse.ch/ja3-fingerprints/.Google Scholar
- Tatu Ylonen and Chris Lonvick. 2006. The Secure Shell (SSH) Transport Layer Protocol. RFC 4253 (Proposed Standard). 4253 (2006). http://www.ietf.org/rfc/rfc4253.txt.Google Scholar
Index Terms
- TLS Beyond the Browser: Combining End Host and Network Data to Understand Application Behavior
Recommendations
TLS 1.3 in Practice:How TLS 1.3 Contributes to the Internet
WWW '21: Proceedings of the Web Conference 2021Transport Layer Security (TLS) has become the norm for secure communication over the Internet. In August 2018, TLS 1.3, the latest version of TLS, was approved, providing improved security and performance of the previous TLS version. In this paper, we ...
Multi-Context TLS (mcTLS): Enabling Secure In-Network Functionality in TLS
SIGCOMM '15: Proceedings of the 2015 ACM Conference on Special Interest Group on Data CommunicationA significant fraction of Internet traffic is now encrypted and HTTPS will likely be the default in HTTP/2. However, Transport Layer Security (TLS), the standard protocol for encryption in the Internet, assumes that all functionality resides at the ...
Comments