Wednesday, February 17, 2010

SSL/TLS Fingerprinting

I've been following Thierry Zoller off and on for years now, probably helped that he was one of the first people to find and mention Satori back in the day.

He's come up with a new tool that fingerprints SSL/TLS connections called SSL/TLS Audit. Actually, it is a tool that does SSL/TLS Auditing, just happens to have a feature that in turn fingerprints the ssl engine.

"Apart from scanning available ciphersuites it has an interesting tidbit : The Fingerprint mode (Experimental). Included is an experimental fingerprint engine that tries to determine the SSL Engine used server side. It does so by sending normal and malformed SSL packets that can be interpreted in different ways.

SSL Audit is able to fingerprint :
· IIS7.5 (Schannel)
· IIS7.0 (Schannel)
· IIS 6.0 (Schannel)
· Apache (Openssl)
· Apache (NSS)
· Certicom

They have an upcoming paper due out it looks like, so it will be interesting to see what information they provide. Gives me some ideas, so depending on time in the near future I may have to look into this a bit more.

No comments: