DissecTLS: A Scalable Active Scanner for TLS Server Configurations, Capabilities, and TLS Fingerprinting

Markus Sosnowski, Johannes Zirngibl, Patrick Sattler, Georg Carle

Publication: Contribution to book/report/conference proceedings › Conference contribution › Peer-reviewed

5 citations (Scopus)

Abstract

Collecting metadata from Transport Layer Security (TLS) servers on a large scale allows conclusions to be drawn about their capabilities and configuration. This not only provides insights into the Internet but also enables use cases like detecting malicious Command and Control (C&C) servers. However, active scanners can only observe and interpret the behavior of TLS servers; the underlying configuration and implementation causing the behavior remain hidden. Existing approaches struggle between resource-intensive scans that can reconstruct this data and light-weight fingerprinting approaches that aim to differentiate servers without making any assumptions about their inner workings. With this work we propose DissecTLS, an active TLS scanner that is both light-weight enough to be used for Internet measurements and able to reconstruct the configuration and capabilities of the TLS stack. This was achieved by modeling the parameters of the TLS stack and deriving an active scan that dynamically creates scanning probes based on the model and the previous responses from the server. We provide a comparison of five active TLS scanning and fingerprinting approaches in a local testbed and on toplist targets. We conducted a measurement study over nine weeks to fingerprint C&C servers and analyzed popular and deprecated TLS parameter usage. Similar to related work, the fingerprinting achieved a maximum precision of 99 % for a conservative detection threshold of 100 %; and at the same time, we improved the recall by a factor of 2.8.

Original language: English
Title: Passive and Active Measurement - 24th International Conference, PAM 2023, Proceedings
Editors: Anna Brunstrom, Marcel Flores, Marco Fiore
Publisher: Springer Science and Business Media Deutschland GmbH
Pages: 110-126
Number of pages: 17
ISBN (Print): 9783031284854
Publication status: Published - 2023
Event: 24th International Conference on Passive and Active Measurement, PAM 2023 - Virtual, Online
Duration: 21 March 2023 to 23 March 2023

Publication series

Name: Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
Volume: 13882 LNCS
ISSN (Print): 0302-9743
ISSN (electronic): 1611-3349

Conference

Conference: 24th International Conference on Passive and Active Measurement, PAM 2023
Location: Virtual, Online
Period: 21/03/23 to 23/03/23
