Additional material of the publication Active TLS Stack Fingerprinting: Characterizing TLS Server Deployments at Scale and access to published data and tools.

The paper was published at TMA 2022 and received the Best Paper Award.

Measurement Pipeline and Software

For the analyses in the paper we developed 10 general-purpose Client Hellos and extended the Goscanner with a custom TLS library and TLS fingerprinting functionality:

  • Export of fingerprintable TLS metadata
  • Ability to define arbitrary Client Hellos per target
  • A random Client Hello generator
  • Input list preparation

Active TLS fingerprinting with the goscanner is designed to be used within a more comprehensive measurement pipeline. The steps to reproduce the fingerprinting used in the paper are described under Pipeline. If you use the goscanner for fingerprinting, please cite our paper.

Paper

Abstract

Active measurements can be used to collect server characteristics on a large scale. This kind of metadata can help to discover hidden relations and commonalities among server deployments, offering new possibilities to cluster and classify them. As an example, identifying previously unknown cybercriminal infrastructure can be a valuable source of cyber-threat intelligence. We propose herein an active measurement-based methodology for acquiring Transport Layer Security (TLS) metadata from servers and leverage it for their fingerprinting. Our fingerprints capture the characteristic behavior of the TLS stack, primarily caused by the implementation, configuration, and hardware support of the underlying server. Using an empirical optimization strategy that maximizes the information gain from every handshake to minimize measurement costs, we generated 10 general-purpose Client Hellos used as scanning probes to create a large database of TLS configurations used for classifying servers. We fingerprinted 28 million servers from the Alexa and Majestic toplists and two Command and Control (C2) blocklists over a period of 30 weeks with weekly snapshots as the foundation for two long-term case studies: classification of Content Delivery Network and C2 servers. The proposed methodology shows a precision of more than 99 % and enables a stable identification of new servers over time. This study describes a new opportunity for active measurements to provide valuable insights into the Internet that can be used in security-relevant use cases.
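As an added illustration of the "Export of fingerprintable TLS metadata" feature listed above and of folding the replies to several Client Hello probes into one fingerprint as the abstract describes (example code written for this page, not the goscanner's implementation): it parses a constructed TLS 1.2 ServerHello and keeps the fields the server's stack controls. The choice of fields and the fingerprint encoding are assumptions; the paper's exact feature set is not reproduced on this page.

```python
import hashlib
import struct

# Constructed sample (not data from the paper): a TLS 1.2 ServerHello record
# as the scanner would read it off the wire after sending one Client Hello.
SERVER_HELLO = bytes.fromhex(
    "16 03 03 00 3b"        # record header: handshake, TLS 1.2, 59 bytes follow
    "02 00 00 37"           # handshake header: server_hello, 55-byte body
    "03 03" + "11" * 32 +   # server_version, 32-byte random (constant here)
    "00"                    # session_id length 0
    "c0 2f"                 # cipher_suite TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
    "00"                    # compression_method null
    "00 0f"                 # extensions length 15
    "00 0b 00 02 01 00"     # ec_point_formats
    "ff 01 00 01 00"        # renegotiation_info
    "00 17 00 00"           # extended_master_secret
)

def parse_server_hello(record: bytes) -> dict:
    """Extract the ServerHello fields that reflect the server's TLS stack."""
    if record[0] != 0x16 or record[5] != 0x02:
        raise ValueError("not a ServerHello handshake record")
    body = record[9:9 + int.from_bytes(record[6:9], "big")]
    pos = 2 + 32 + 1 + body[34]          # skip version, random, session_id
    cipher, compression = body[pos:pos + 2].hex(), body[pos + 2]
    pos += 3
    extensions = []                      # type *and order* are fingerprintable
    if pos < len(body):                  # the extensions block is optional
        end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        while pos < end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            extensions.append(etype)
            pos += 4 + elen
    return {"version": body[:2].hex(), "cipher": cipher,
            "compression": compression, "extensions": extensions}

def fingerprint(responses) -> str:
    """Fold the replies to all probes (None = no usable reply) into one stable
    identifier; this encoding is an assumption, not the goscanner's format."""
    parts = []
    for r in responses:
        if r is None:
            parts.append("-")
        else:
            exts = ",".join(f"{e:04x}" for e in r["extensions"])
            parts.append(f"{r['version']}:{r['cipher']}:{r['compression']}:{exts}")
    return hashlib.sha256("|".join(parts).encode()).hexdigest()[:16]
```

A real scan feeds one parsed reply (or None on failure) per Client Hello probe into `fingerprint`, so servers that answer the same set of probes identically collapse onto the same identifier across snapshots.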

Paper

Read the final version of our paper published via IFIP: [PDF]

Authors

Markus Sosnowski, Johannes Zirngibl, Patrick Sattler, Georg Carle, Claas Grohnfeldt, Michele Russo, and Daniele Sgandurra

Referencing our Work

If you refer to our work or use the collected data in your publication, please cite it with the following reference [bib]:

@inproceedings{sosnowski2022tlsfingerprinting,
  author = {Sosnowski, Markus and Zirngibl, Johannes and Sattler, Patrick and Carle, Georg and Grohnfeldt, Claas and Russo, Michele and Sgandurra, Daniele},
  title = {{Active TLS Stack Fingerprinting: Characterizing TLS Server Deployments at Scale}},
  booktitle = {Proc. Network Traffic Measurement and Analysis Conference (TMA)},
  year = {2022},
  month = jun,
}

Reproducibility

Our data are published at the TUM University Library to enable reproducible analyses and to guarantee long-term availability.
Dataset DOI: 10.14459/2022mp1658435

Details of the data are described here.