July 12, 2020

What is TLS Fingerprinting?

The Transport Layer Security (TLS) 'fingerprint' is based on how your computer negotiates a TLS connection to a server. The JA3 algorithm is one of several that perform 'TLS snooping', in that they use data passed between a client computer and a server to identify the client. As long as your computer (operating system, web browser, and browser extensions) doesn't change, that fingerprint will remain valid.

If you use a different web browser from the same computer, with different extensions installed in that web browser, you should see a different signature. I say 'should' because some TLS snooping implementations have the capability to 'fuzz' or ignore certain data like browser extensions.

TLS fingerprinting is valuable for an organization that wants to make sure that the secure communications between their server and their clients remain secure. If I know the TLS fingerprint for all authorized devices, I can accept connections from those and ignore connection requests from hosts for which I don't have a matching fingerprint.

A deployment issue with TLS fingerprints is that if a user installs an extension in a web browser, or if the web browser or operating system is updated, the fingerprint might need to be renewed or re-generated. Users often install extensions unless they don't have the rights to install software. The same goes for operating system updates. The host computers and the server have to be rigorously controlled and managed.
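To make the fingerprint and the renewal problem concrete, here is an added example (not code from the JA3 project or from this post) that computes a JA3 value the way the JA3 method defines it: the MD5 of the ClientHello's version, cipher suites, TLS extension types, supported groups and EC point formats, with GREASE placeholders skipped. The function names, the hand-built ClientHello records and the one-entry allowlist are assumptions made for the illustration.

```python
import hashlib
import struct

def is_grease(v):  # GREASE placeholders (0x0a0a ... 0xfafa) are skipped by JA3
    return (v & 0x0f0f) == 0x0a0a and (v >> 8) == (v & 0xff)

def u16_list(buf):
    return [v for (v,) in struct.iter_unpack("!H", buf) if not is_grease(v)]

def ja3_string(rec):  # JA3 string from one raw TLS record holding a ClientHello
    if rec[0] != 0x16 or rec[5] != 0x01:
        raise ValueError("not a ClientHello handshake record")
    p = 9                                   # record (5) + handshake (4) headers
    version = struct.unpack_from("!H", rec, p)[0]
    p += 34                                 # client_version (2) + random (32)
    p += 1 + rec[p]                         # session_id
    n = struct.unpack_from("!H", rec, p)[0]
    ciphers = u16_list(rec[p + 2:p + 2 + n])
    p += 2 + n
    p += 1 + rec[p]                         # compression methods
    exts, groups, formats = [], [], []
    end = p + 2 + struct.unpack_from("!H", rec, p)[0] if p < len(rec) else p
    p += 2
    while p + 4 <= end:
        etype, elen = struct.unpack_from("!HH", rec, p)
        body, p = rec[p + 4:p + 4 + elen], p + 4 + elen
        if not is_grease(etype):
            exts.append(etype)
        if etype == 10:                     # supported_groups
            groups = u16_list(body[2:])
        elif etype == 11:                   # ec_point_formats
            formats = list(body[1:])
    dash = lambda xs: "-".join(map(str, xs))
    return ",".join([str(version), dash(ciphers), dash(exts), dash(groups), dash(formats)])

def ja3_hash(rec):
    return hashlib.md5(ja3_string(rec).encode()).hexdigest()

def build_hello(ciphers, exts):  # constructed sample input, not captured traffic
    cs = struct.pack(f"!H{len(ciphers)}H", 2 * len(ciphers), *ciphers)
    ex = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in exts)
    body = b"\x03\x03" + bytes(32) + b"\x00" + cs + b"\x01\x00" + struct.pack("!H", len(ex)) + ex
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

EXTS = [(0x0a0a, b""), (23, b""), (10, b"\x00\x04\x00\x1d\x00\x17"), (11, b"\x01\x00")]
MANAGED = build_hello([0x1a1a, 0x1301, 0x1302, 0xc02f], EXTS)
CHANGED = build_hello([0x1301, 0x1302, 0xc02f, 0x000a], EXTS)  # one extra cipher offered
ALLOWED = {ja3_hash(MANAGED)}               # hypothetical allowlist of known hosts
```

`ja3_hash(MANAGED) in ALLOWED` is true, while `ja3_hash(CHANGED) in ALLOWED` is false: offering a single additional cipher suite is enough to make a previously enrolled host fall off the allowlist until its fingerprint is re-generated.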

Why do installed browser extensions matter when it comes to creating a TLS connection? Browser extensions are often either application or server specific and contain security settings for how that application works or how a server prefers to be contacted. If you have an extension loaded that needs to communicate with a specific server using SSLv3, that gets passed to the browser, and the browser requirements get passed to the operating system. If the operating system supports SSLv3, then for that server the host will use SSLv3. That SSLv3 support becomes part of the TLS signature for that host. When negotiating any TLS connection, the host will respond that it can 'speak' SSLv3 and TLS versions.

So your host security is only as good as your weakest extension.

What should happen when you 'harden' a host is that the operating system should report that it was asked by a browser or extension to support SSLv3. That doesn't always work by default. You can often figure that out using additional security tools that scan the system and browser logs looking for these conditions.

JA3 is an open source TLS Fingerprint project that was started by some engineers at Salesforce dot com. See https://github.com/salesforce/ja3
