2016
DOI: 10.1186/s13635-016-0030-7

HTTPS traffic analysis and client identification using passive SSL/TLS fingerprinting

Abstract: The encryption of network traffic complicates legitimate network monitoring, traffic analysis, and network forensics. In this paper, we present real-time lightweight identification of HTTPS clients based on network monitoring and SSL/TLS fingerprinting. Our experiment shows that it is possible to estimate the User-Agent of a client in HTTPS communication via the analysis of the SSL/TLS handshake. The fingerprints of SSL/TLS handshakes, including a list of supported cipher suites, differ among clients and corre…

Citations: Cited by 80 publications (42 citation statements)
References: References 23 publications
“…Specific versions of Firefox browsers used in Kali Linux 4, a well-known penetration testing tool collection, were also detected. This is in line with previous research; for example, Husák et al. obtained similar results when fingerprinting applications [10]. Although a preliminary look into this feature gave extremely positive results, it is also something that the adversary may choose to change, as e.g.…”
Section: TLS Fingerprints (supporting)
confidence: 90%
“…Empirical research by Husák et al. [7] investigated the feasibility of monitoring TLS handshakes to fingerprint and identify clients. They found that especially the supported cipher suite lists vary among various client applications and their versions.…”
Section: Related Work (mentioning)
confidence: 99%
“…Roni and Langberg classified encrypted network flows by their application type [4]. Velan and Milan found that the initiation of an encrypted connection and the protocol structure give away much information about traffic classification [5]. The SSL/TLS protocol and its applications were analyzed by Qualys SSL Lab [6]; they proposed the idea of HTTP client fingerprinting using the information of the SSL/TLS handshake. Martin Husák and colleagues gave a way to estimate the User-Agent of a client in HTTPS communication through the fingerprint of the initial SSL/TLS handshake in 2015 [7]. However, due to the fuzziness of the fingerprint, the identification of browsers was not accurate. Salusky and Thomas disclosed for fingerprinting and identifying client applications based on the analysis of client requests in an HTTP-based communication [8]. For the algorithm of traffic identification, Alshammari and his colleagues assessed the robustness of machine learning for classifying encrypted traffic [9]. They found that the C4.5-based approach performs much better than AdaBoost, support vector machine, Naive Bayesian and RIPPER.…”
Section: Related Work (mentioning)
confidence: 99%