Publication details

Network-based HTTPS Client Identification Using SSL/TLS Fingerprinting

Authors

HUSÁK Martin ČERMÁK Milan JIRSÍK Tomáš ČELEDA Pavel

Year of publication 2015
Type Article in Proceedings
Conference 2015 10th International Conference on Availability, Reliability and Security
MU Faculty or unit

Institute of Computer Science

Citation
web http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=7299941
Doi http://dx.doi.org/10.1109/ARES.2015.35
Field Informatics
Keywords HTTP;HTTPS;SSL/TLS;fingerprint;User-Agent;identification;network monitoring
Attached files
Description The growing share of encrypted network traffic complicates network traffic analysis and network forensics. In this paper, we present real-time lightweight identification of HTTPS clients based on network monitoring and SSL/TLS fingerprinting. Our experiment shows that it is possible to estimate the User-Agent of a client in HTTPS communication via the analysis of the SSL/TLS handshake. The fingerprints of SSL/TLS handshakes, including a list of supported cipher suites, differ among clients and correlate to User-Agent values from a HTTP header. We built up a dictionary of SSL/TLS cipher suite lists and HTTP User-Agents and assigned the User-Agents to the observed SSL/TLS connections to identify communicating clients. We discuss host-based and network-based methods of dictionary retrieval and estimate the quality of the data. The usability of the proposed method is demonstrated on two case studies of network forensics.

You are running an old browser version. We recommend updating your browser to its latest version.

More info