HTTP Client Fingerprinting Using SSL Handshake Analysis
A cipher suite, in SSL, is a collection of cryptographic techniques that defines a secure communication channel. There are hundreds of cipher suites, and they are all built out of a dozen or so basic building blocks: key exchange, encryption and integrity validation algorithms. Different programs often use different cipher suites. By observing the list of supported cipher suites one can determine the maximal communication strength, and often even guess the make of the SSL client on the other side.
- System administrators can make informed decisions about which cipher suites to enable in the SSL servers they maintain. The general goal is to disable as many of the weak(er) cipher suites as possible, while leaving enough enabled that users can still connect.
- Cross-checking the supported cipher suites with the HTTP client identity offered in the User-Agent header may help uncover some automated attack tools that masquerade as browsers. Although the cipher suites used by an SSL client are completely under its control, such evasive actions require a new layer of SSL expertise. (Whereas it is trivial to spoof the contents of the User-Agent header.)
Proof of Concept
To obtain the list of supported cipher suites you need direct access to the connection data stream, which can be obtained either by sniffing on a network interface or by altering the server application that handles one end of an SSL connection. Our proof of concept implementation is an Apache module (mod_sslhaf) that passively monitors initial SSL handshakes to extract SSL client capabilities, making it possible to log such information.
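The following is an added example, not code from mod_sslhaf or from this page: a Python parser that extracts the offered cipher suite list from a captured SSLv3/TLS ClientHello record and cross-checks it against the client family claimed in the User-Agent header. The function names, the fingerprint string format and the baseline table are assumptions, the sample handshake is constructed, and SSLv2-format hellos and hellos split across records are rejected rather than parsed.

```python
import struct

class HandshakeError(ValueError):
    """The bytes are not one complete SSLv3/TLS ClientHello record."""

def parse_client_hello(data: bytes):
    """Return (client_version, [cipher suite ids]) from a raw ClientHello record."""
    if len(data) < 9:
        raise HandshakeError("truncated record or handshake header")
    rec_type, _rec_version, rec_len = struct.unpack_from("!BHH", data, 0)
    if rec_type != 0x16 or data[5] != 0x01:
        raise HandshakeError("not a handshake record carrying a ClientHello")
    hs_len = int.from_bytes(data[6:9], "big")
    hello = data[9:9 + hs_len]
    if hs_len + 4 > rec_len or len(hello) < hs_len:
        raise HandshakeError("ClientHello truncated or split across records")
    try:
        (version,) = struct.unpack_from("!H", hello, 0)
        pos = 2 + 32                    # client_version + 32-byte random
        pos += 1 + hello[pos]           # session_id length byte + session_id
        (cs_len,) = struct.unpack_from("!H", hello, pos)
    except (struct.error, IndexError):
        raise HandshakeError("truncated ClientHello body") from None
    pos += 2
    if cs_len == 0 or cs_len % 2 or pos + cs_len > len(hello):
        raise HandshakeError("invalid cipher suite list length")
    return version, list(struct.unpack_from("!%dH" % (cs_len // 2), hello, pos))

def fingerprint(data: bytes) -> str:
    """Hypothetical log format: version, then suites in the order offered."""
    version, suites = parse_client_hello(data)
    return "%04x:%s" % (version, ",".join("%04x" % s for s in suites))

def ua_mismatch(user_agent: str, fp: str, baseline: dict) -> bool:
    """True when the UA claims a family whose recorded fingerprints exclude fp."""
    for family, known in baseline.items():
        if family in user_agent:
            return fp not in known
    return False                        # unknown family: no baseline to compare

def build_sample_hello(suites, version=0x0301) -> bytes:
    """Constructed test input: minimal ClientHello, empty session id, no extensions."""
    cs = struct.pack("!%dH" % len(suites), *suites)
    hello = struct.pack("!H32xB", version, 0) + struct.pack("!H", len(cs)) + cs + b"\x01\x00"
    handshake = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return struct.pack("!BHH", 0x16, version, len(handshake)) + handshake
```

The baseline passed to `ua_mismatch` has to be built from handshakes you have observed from genuine clients; a mismatch is a signal to investigate, since the same browser can offer different suites across versions and platforms.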
You can get mod_sslhaf from its GitHub repository:
- Passive SSL Client Fingerprinting in the SSL Labs Research Wiki
- Examples of the information collected from SSL handshakes (July 9, 2009)
- The analysis of Googlebot's frugal cipher suite list (July 2, 2009)
- HTTP client fingerprinting using SSL handshake analysis (June 17, 2009)