July 12, 2020

What is TLS Fingerprinting?

The Transport Layer Security (TLS) 'fingerprint' is based on how your computer negotiates a TLS connection to a server. The JA3 algorithm is one of several that perform 'TLS snooping', in that they use data passed between a client computer and a server to identify the client. As long as your computer (operating system, web browser, and browser extensions) doesn't change, that fingerprint will remain valid.

If you use a different web browser on the same computer, with different extensions installed in that web browser, you should see a different signature. I say should because some TLS snooping implementations have the capability to 'fuzz' or ignore certain data, like browser extensions.

TLS fingerprinting is valuable for an organization that wants to make sure that the secure communications between its server and its clients remain secure. If I know the TLS fingerprint for all authorized devices, I can accept connections from those and ignore connection requests from hosts for which I don't have a matching fingerprint.

A deployment issue with TLS fingerprints is that if a user installs an extension in a web browser, or if the web browser or operating system is updated, the fingerprint might need to be renewed or regenerated. Users are frequently installing extensions unless they don't have the rights to install software, and the same goes for operating system updates. The host computers and the server have to be rigorously controlled and managed.

Why do installed browser extensions matter when it comes to creating a TLS connection? Browser extensions are often either application or server specific and contain security settings for how that application works or how a server prefers to be contacted. If you had an extension loaded that needs to communicate with a specific server using SSLv3, that requirement gets passed to the browser, and the browser's requirements get passed to the operating system. If the operating system supports SSLv3, then for that server the host will use SSLv3. That SSLv3 support becomes part of the TLS signature for that host: when negotiating any TLS connection, the host will respond that it can 'speak' both SSLv3 and TLS versions.

So your host security is only as good as your weakest extension.

What should happen when you 'harden' a host is that the operating system should report that it was asked by a browser or extension to support SSLv3. That doesn't always work by default. You can often figure it out using additional security tools that scan the system and browser logs looking for these conditions.

JA3 is an open-source TLS fingerprinting project that was started by some engineers at Salesforce.com. See https://github.com/salesforce/ja3
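
To make the 'data passed between a client computer and a server' above concrete, here is an added example (not code from the JA3 project or this post) that pulls the five JA3 fields out of a TLS record carrying a ClientHello (version, cipher suites, extension types, supported groups, EC point formats), drops GREASE values as JA3 does, and hashes the joined string. The sample ClientHello bytes are constructed for illustration, not captured from a real client.

```python
import hashlib
import struct
def is_grease(v):
    return (v & 0x0f0f) == 0x0a0a and (v >> 8) == (v & 0xff)  # 0x0a0a, 0x1a1a, ..., 0xfafa

def _u16s(data, start, length):
    return [struct.unpack("!H", data[i:i + 2])[0] for i in range(start, start + length, 2)]

def parse_client_hello(record):
    """Pull the five JA3 fields out of a TLS record carrying a ClientHello."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS handshake record carrying a ClientHello")
    b = record[9:]                     # skip record header (5) + handshake header (4)
    version = struct.unpack("!H", b[:2])[0]
    pos = 34 + 1 + b[34]               # client_version (2) + random (32) + session_id
    ciphers = _u16s(b, pos + 2, struct.unpack("!H", b[pos:pos + 2])[0])
    pos += 2 + 2 * len(ciphers)
    pos += 1 + b[pos] + 2              # compression_methods, then 2-byte extensions length
    end = pos + struct.unpack("!H", b[pos - 2:pos])[0]
    exts, groups, formats = [], [], []
    while pos < end:
        etype, elen = struct.unpack("!HH", b[pos:pos + 4])
        data = b[pos + 4:pos + 4 + elen]
        pos += 4 + elen
        exts.append(etype)
        if etype == 0x000a:            # supported_groups: 2-byte list length, then groups
            groups = _u16s(data, 2, struct.unpack("!H", data[:2])[0])
        elif etype == 0x000b:          # ec_point_formats: 1-byte list length, then formats
            formats = list(data[1:1 + data[0]])
    return version, ciphers, exts, groups, formats

def ja3(record):
    """JA3 string (fields comma-separated, values dash-separated, GREASE dropped) and its MD5."""
    version, ciphers, exts, groups, formats = parse_client_hello(record)
    join = lambda vals: "-".join(str(v) for v in vals if not is_grease(v))
    s = ",".join([str(version), join(ciphers), join(exts), join(groups), join(formats)])
    return s, hashlib.md5(s.encode()).hexdigest()

def sample_client_hello():
    """Constructed TLS 1.2 ClientHello from a hypothetical client (not a real capture)."""
    ext = lambda t, d: struct.pack("!HH", t, len(d)) + d
    ciphers = b"".join(struct.pack("!H", c) for c in (0x0a0a, 0xc02b, 0xc02f, 0x009c))
    exts = (ext(0x0a0a, b"")                                    # GREASE extension
            + ext(0x0000, b"\x00\x0e\x00\x00\x0bexample.com")   # server_name
            + ext(0x000a, b"\x00\x06\x0a\x0a\x00\x1d\x00\x17")  # supported_groups
            + ext(0x000b, b"\x01\x00"))                         # ec_point_formats
    body = (b"\x03\x03" + b"\x11" * 32 + b"\x00" + struct.pack("!H", len(ciphers)) + ciphers
            + b"\x01\x00" + struct.pack("!H", len(exts)) + exts)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs
```

Feed `ja3()` the first record of a real ClientHello and the string it returns is what changes when the browser, its extensions or the OS TLS stack change, which is the renewal problem described above.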

May 09, 2020

What's your take on biometric authentication?

What's the FAR and FRR of the biometric system you are considering? What's the CER?

FAR = False Acceptance Rate, the rate at which someone who is not an authorized user is granted access.
FRR = False Reject Rate, the rate at which an authorized user is rejected.
CER = Crossover Error Rate, the point at which the FAR and FRR meet.

You want your FAR and FRR to both be very low. If your FAR were 1 in every 100 unique authorizations, that would be 1%. Is that acceptable given the number of people using the system? You should try to account in your design for a FAR event (an unauthorized user with access) and have some other protection in place, so that leads to an MFA (multi-factor authorization) scheme.

FRR is what will truly frustrate your authorized users, because they will be turned away and unable to access the system. That drives up the cost of operating the system, since an additional person will have to be standing by to let the rejected but authorized person in.
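
To make FAR, FRR and CER measurable rather than abstract, the following is an added example (not part of the original post) that computes all three from a threshold sweep over matcher scores and shows the FRR you pay for insisting on a given FAR. The score lists and the 0-100 similarity scale are constructed assumptions for illustration, not data from any real biometric system.

```python
# Constructed matcher scores (0-100) for a hypothetical biometric system; higher means a
# closer match. Not real measurements: built here to illustrate FAR, FRR and CER.
GENUINE = [95, 90, 88, 84, 80, 77, 74, 70, 62, 55]   # attempts by authorized users
IMPOSTOR = [65, 60, 57, 50, 45, 40, 38, 33, 27, 20]  # attempts by unauthorized users

def far(threshold, impostor=IMPOSTOR):
    """False Acceptance Rate: share of impostor attempts scoring at or above the threshold."""
    return sum(s >= threshold for s in impostor) / len(impostor)

def frr(threshold, genuine=GENUINE):
    """False Reject Rate: share of genuine attempts scoring below the threshold."""
    return sum(s < threshold for s in genuine) / len(genuine)

def crossover(thresholds=range(0, 101), genuine=GENUINE, impostor=IMPOSTOR):
    """Crossover Error Rate: the threshold where FAR and FRR are closest, and the rate there."""
    t = min(thresholds, key=lambda t: abs(far(t, impostor) - frr(t, genuine)))
    return t, (far(t, impostor) + frr(t, genuine)) / 2

def threshold_for_far(max_far, genuine=GENUINE, impostor=IMPOSTOR):
    """Lowest threshold whose FAR is at most max_far, and the FRR that setting costs you."""
    t = next(t for t in range(0, 101) if far(t, impostor) <= max_far)
    return t, frr(t, genuine)

def rates_table(thresholds=range(50, 71, 5), genuine=GENUINE, impostor=IMPOSTOR):
    """(threshold, FAR, FRR) rows for a sweep, the curve a vendor's CER is read from."""
    return [(t, far(t, impostor), frr(t, genuine)) for t in thresholds]
```

Raising the threshold to drive FAR to zero moves the cost onto FRR, which is the staffing cost the post describes.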

Another consideration for biometric systems is your user community and the design. Does the biometric system require touch? How does that work given the pandemic? If the biometric involves a camera, at what height is the camera set? Will it work for a person in a wheelchair?

April 25, 2020

Studying Cyber Security on a PC

A student asked me how to get more familiar with Linux when they have a Windows PC. I suggest looking at Oracle VirtualBox for virtualization. It's available for free, it runs on almost any hardware, and it runs the several Linux distros I have used it for very well.

Linux distributions (distros) to look at: Ubuntu. I suggest looking at the desktop edition first because its requirements are lower and it has a GUI. For studying cyber security you want to look at Security Onion and Kali. Security Onion is great in that it has the essential Network Security Monitoring (read that as 'Blue Team') tools installed. Kali has many, many tools installed for exploring both offensive (Red Team) and defensive (Blue Team) security.

If you want to run and use more than one operating system at the same time you'll probably want an external monitor (rather than trying to switch back and forth between the virtual machine and Windows). Make sure that your computer supports a second display.

I'd suggest a minimum of an i5, with 8-16 GB RAM and a 1 TB HDD; a 14-15 inch display capable of 1920x1080; 2 USB ports (USB 3 if possible). An HDMI port is nice to have. Lots of Dell hardware comes with a DisplayPort, which via an adapter can drive a VGA or HDMI display. Windows 10 Pro. Oracle VirtualBox. See Dell Refurb.