July 12, 2020

What is TLS Fingerprinting?

The Transport Layer Security (TLS) 'fingerprint' is based on how your computer negotiates a TLS connection to a server. The JA3 algorithm is one of several that perform 'TLS snooping': they use data passed between a client computer and a server to identify the client software. JA3 reads the ClientHello, the first message the client sends, and hashes five fields from it (the offered TLS version, the cipher suite list, the list of TLS extensions, the supported elliptic curves and the elliptic curve point formats) into an MD5 value. As long as the TLS stack your computer uses (the operating system's TLS library, the web browser, or whatever client application is making the connection) doesn't change, that fingerprint stays the same.

If you use a different web browser on the same computer you should see a different signature, because each browser ships its own TLS stack and offers its own list of cipher suites and extensions. I say should because some TLS snooping implementations have the capability to 'fuzz' or ignore certain data, such as the order of the TLS extensions, so that two similar clients collapse to one fingerprint.
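To make the fingerprint concrete, here is an added example (my own code, not part of the JA3 project or of the original post) that parses a TLS ClientHello record and builds the JA3 string and MD5 hash the same way the reference implementation does: the five fields are written as decimal values separated by commas, with the values inside a field joined by dashes, and GREASE values (RFC 8701) are dropped from the cipher suite, extension and curve lists. The ClientHello bytes are constructed inline so the script runs offline; they are not a capture from a real browser.

```python
import hashlib
import struct
from typing import List, Tuple

# --- Constructed sample ClientHello (built here for the example, not captured) ---

def _ext(ext_type: int, data: bytes) -> bytes:
    """Encode one TLS extension: type (2 bytes), length (2 bytes), data."""
    return struct.pack("!HH", ext_type, len(data)) + data

def build_sample_client_hello() -> bytes:
    """Return a TLS record carrying a ClientHello with Chrome-style GREASE values."""
    cipher_suites = [0x2A2A, 0x1301, 0x1302, 0xC02B, 0xC02F]      # 0x2A2A is GREASE
    suites = b"".join(struct.pack("!H", c) for c in cipher_suites)
    sni = b"example.com"
    server_name = _ext(0x0000, struct.pack("!HBH", len(sni) + 3, 0, len(sni)) + sni)
    groups = [0x3A3A, 0x001D, 0x0017, 0x0018]                       # 0x3A3A is GREASE
    supported_groups = _ext(0x000A, struct.pack("!H", 2 * len(groups))
                            + b"".join(struct.pack("!H", g) for g in groups))
    ec_point_formats = _ext(0x000B, b"\x01\x00")                  # one format: uncompressed
    alpn_list = b"\x02h2\x08http/1.1"
    alpn = _ext(0x0010, struct.pack("!H", len(alpn_list)) + alpn_list)
    supported_versions = _ext(0x002B, b"\x04\x03\x04\x03\x03")    # TLS 1.3, TLS 1.2
    grease_ext = _ext(0x1A1A, b"")                                # GREASE extension
    extensions = (grease_ext + server_name + supported_groups
                  + ec_point_formats + alpn + supported_versions)
    body = (
        b"\x03\x03"                                    # legacy client_version: TLS 1.2
        + b"\x11" * 32                                 # client random (fixed for the example)
        + b"\x00"                                      # empty session_id
        + struct.pack("!H", len(suites)) + suites
        + b"\x01\x00"                                  # one compression method: null
        + struct.pack("!H", len(extensions)) + extensions
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body      # type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

# --- JA3 computation ---------------------------------------------------------

def is_grease(value: int) -> bool:
    """GREASE values are 0x0A0A, 0x1A1A, ... 0xFAFA; JA3 leaves them out."""
    return (value & 0x0F0F) == 0x0A0A and (value >> 8) == (value & 0xFF)

def _u16(buf: bytes, pos: int) -> int:
    return struct.unpack("!H", buf[pos:pos + 2])[0]

def ja3_from_record(record: bytes) -> Tuple[str, str]:
    """Return (ja3_string, ja3_md5) for a TLS record that carries a ClientHello."""
    if record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    hs = record[5:]
    if hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    version = _u16(body, 0)
    pos = 2 + 32                                     # skip client_version and random
    pos += 1 + body[pos]                             # skip session_id
    cs_len = _u16(body, pos); pos += 2
    ciphers = [_u16(body, pos + i) for i in range(0, cs_len, 2)]
    pos += cs_len
    pos += 1 + body[pos]                             # skip compression methods
    ext_types: List[int] = []
    groups: List[int] = []
    formats: List[int] = []
    if pos < len(body):                              # extensions are optional
        end = pos + 2 + _u16(body, pos); pos += 2
        while pos < end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4]); pos += 4
            data = body[pos:pos + elen]; pos += elen
            ext_types.append(etype)
            if etype == 0x000A:                      # supported_groups (elliptic curves)
                groups = [_u16(data, 2 + i) for i in range(0, _u16(data, 0), 2)]
            elif etype == 0x000B:                    # ec_point_formats
                formats = list(data[1:1 + data[0]])
    def field(values: List[int]) -> str:
        return "-".join(str(v) for v in values if not is_grease(v))
    ja3 = ",".join([str(version), field(ciphers), field(ext_types), field(groups),
                    "-".join(str(f) for f in formats)])
    return ja3, hashlib.md5(ja3.encode()).hexdigest()

if __name__ == "__main__":
    s, h = ja3_from_record(build_sample_client_hello())
    print(s)   # 771,4865-4866-49195-49199,0-10-11-16-43,29-23-24,0
    print(h)
```

Note that the first field is the legacy client_version (771 = TLS 1.2) even though the supported_versions extension offers TLS 1.3; that is how JA3 defines it, which is one reason two differently configured clients can still share a hash.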

TLS fingerprinting is valuable for an organization that wants to make sure that the secure communications between their server and their clients remain secure. If I know the TLS fingerprint for all authorized devices I can accept connections from those and ignore connection requests from hosts for which I don't have a matching fingerprint. Keep in mind that a JA3 fingerprint identifies the client software, not the user or the device: every machine running the same browser build produces the same hash, and a ClientHello can be crafted to imitate one. So treat the fingerprint as an allow-list signal that sits alongside client certificates or another authenticator, not as authentication by itself.

A deployment issue with TLS fingerprints is that when the web browser, its TLS library or the operating system is updated the fingerprint may change and will need to be regenerated. Users are usually installing updates unless they don't have the rights to install software, and operating system updates arrive on their own schedule. The host computers and the server have to be rigorously controlled and managed.

Why do protocol settings matter when it comes to creating a TLS connection? A browser add-on cannot change how the browser's TLS stack builds the ClientHello, but the configuration of that TLS stack can. If some application or policy enables a legacy protocol version or a weak cipher suite so that one specific server can still be reached, the TLS library does not offer that setting only to that server: the client speaks first in the handshake, and the ClientHello it sends to every server lists everything it is willing to use. That weak setting then becomes part of the TLS signature for that host, and every server it contacts can see it.

So your host's TLS posture is only as good as its weakest enabled setting.

What should happen when you 'harden' a host is that the legacy protocol versions and weak cipher suites are disabled in the operating system and browser policy so they cannot be offered at all, and any attempt by an application to turn them back on is logged. That doesn't happen by default. You can verify it by taking the host's own JA3 fingerprint (from a packet capture of a connection it makes) and checking that no weak cipher suites appear in the offered list, or with additional security tools that scan the system and browser configuration looking for these conditions.

JA3 is an open source TLS fingerprint project that was started by some engineers at Salesforce. See https://github.com/salesforce/ja3

May 09, 2020

What's your take on biometric authentication?

What's the FAR and FRR of the biometric system you are considering? What's the CER?

FAR = False Acceptance Rate, or how often someone who is not an authorized user is granted access.
FRR = False Rejection Rate, or how often an authorized user is rejected.
CER = Crossover Error Rate, which is the point (the decision threshold) at which the FAR and FRR are equal.

You want your FAR and FRR to both be very low. If your FAR was 1 false accept in every 100 impostor attempts, that would be 1%. Is that acceptable given the number of people using the system and the number of attempts it will see? You should try to account in your design for a FAR event (unauthorized user with access) and have some other protection in place; that leads to an MFA (multi-factor authentication) scheme.

FRR is what will truly frustrate your authorized users, because they will be turned away and unable to access the system. That drives up the cost of operating the system, since some additional person will have to be standing by to let the rejected but authorized person in.
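FAR, FRR and CER all come from one knob, the matcher's decision threshold: raising it rejects more impostors and more genuine users at the same time. The following is an added worked example (my own code, not from the original post or any vendor) that sweeps the threshold over constructed genuine and impostor match scores, computes FAR and FRR at each point, finds the crossover, and picks the operating point for a FAR budget the way you would when deciding whether "1%" is acceptable. The score lists are invented for illustration, not measured from a real biometric system.

```python
from typing import List, Tuple

# Constructed matcher scores (0 = no match, 1 = perfect match), invented for this example.
GENUINE_SCORES = [0.69, 0.77, 0.81, 0.83, 0.85, 0.88, 0.90, 0.92, 0.93, 0.95]
IMPOSTOR_SCORES = [0.12, 0.19, 0.25, 0.30, 0.33, 0.38, 0.41, 0.47, 0.58, 0.72]

def far_frr(threshold: float, genuine: List[float], impostor: List[float]) -> Tuple[float, float]:
    """FAR = share of impostor attempts accepted (score >= threshold).
    FRR = share of genuine attempts rejected (score < threshold)."""
    far = sum(1 for s in impostor if s >= threshold) / len(impostor)
    frr = sum(1 for s in genuine if s < threshold) / len(genuine)
    return far, frr

def crossover_error_rate(genuine: List[float], impostor: List[float],
                         steps: int = 1000) -> Tuple[float, float]:
    """Sweep the threshold over [0, 1] and return (threshold, CER) at the point
    where FAR and FRR are closest to equal."""
    best_threshold, best_rate, best_gap = 0.0, 1.0, 2.0
    for i in range(steps + 1):
        t = i / steps
        far, frr = far_frr(t, genuine, impostor)
        gap = abs(far - frr)
        if gap < best_gap:
            best_gap, best_threshold, best_rate = gap, t, (far + frr) / 2
    return best_threshold, best_rate

def threshold_for_max_far(max_far: float, genuine: List[float], impostor: List[float],
                          steps: int = 1000) -> Tuple[float, float, float]:
    """Lowest threshold whose FAR is within budget, with the FAR and FRR it yields.
    The returned FRR is the price you pay in rejected authorized users."""
    for i in range(steps + 1):
        t = i / steps
        far, frr = far_frr(t, genuine, impostor)
        if far <= max_far:
            return t, far, frr
    return 1.0, 0.0, 1.0   # only reached if an impostor scores a perfect 1.0

if __name__ == "__main__":
    t, cer = crossover_error_rate(GENUINE_SCORES, IMPOSTOR_SCORES)
    print(f"CER {cer:.1%} at threshold {t:.3f}")
    for budget in (0.10, 0.01, 0.0):
        t, far, frr = threshold_for_max_far(budget, GENUINE_SCORES, IMPOSTOR_SCORES)
        print(f"FAR budget {budget:.0%}: threshold {t:.3f}, FAR {far:.1%}, FRR {frr:.1%}")
```

With only ten samples per class the curve is coarse, which is the point: a vendor's quoted FAR of 1% means nothing unless you know how many impostor attempts it was measured over, and the same sweep on your own pilot data tells you what FRR you will actually be operating at.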

Another consideration for biometric systems is your user community and the design. Does the biometric system require touch? How does that work given the pandemic? If the biometric involves a camera, at what height is the camera set? Will it work for a person in a wheelchair?

April 25, 2020

Studying Cyber Security on a PC


A student asked me how to get more familiar with Linux if they have a Windows PC. I suggest looking at Oracle VirtualBox for virtualization. It's available for free. It runs on almost any hardware. It runs the several distros of Linux that I have used it for very well.


Linux distributions (distros) to look at: Ubuntu. I suggest looking at the desktop edition first because the requirements are lower and it has a GUI. For studying cyber you want to look at Security Onion and Kali. Security Onion is great in that it has the essential Network Security Monitoring (read that 'Blue Team') tools installed. Kali has many, many tools installed for exploring both offensive (Red Team) and defensive (Blue Team) security.


If you want to run and use more than one operating system at the same time you'll probably want an external monitor (rather than trying to switch back and forth between the virtual machine and Windows). Make sure that your computer supports a second display.


I'd suggest a minimum of an i5, 8-16 GB RAM, and a 1 TB HDD; a 14-15 inch display capable of 1920x1080; 2 USB ports (USB 3 if possible). An HDMI port is nice to have. Lots of Dell hardware comes with a DisplayPort, which via an adapter can drive a VGA or HDMI display. Windows 10 Pro. Oracle VirtualBox. See Dell Refurb.

January 19, 2014

Checking my connection table...

On my ASA in the office I use Cisco ASDM (Adaptive Security Device Manager) on an ASA 5500 to implement a screening policy for my office network.


An ASDM Connection table
When I check ASDM and the ASA I always look at the connection table. That tells me what traffic is being permitted through the firewall. In the screen capture above I looked at the destination IP addresses. Immediately one connection jumps out: 1 MB of traffic between one of my computers and a 74.125.x.x address. It turns out I walked away from the computer while logged into a service at Google and that IP traces back to there.

February 18, 2009

Trend ProtectLink for Routers & SECaaS

Many outlets (Reuters, PC World, TweakTown, etc.) are reporting that Trend is going to be developing and selling Security as a Service (SECaaS?) via its ProtectLink Protect Gateway offering. I found the best description of the offer at the Cisco site. With this new software on your Internet router Trend will be able to push updates whenever they become available. Is this a great thing? In my opinion potentially yes! It's a great thing because most everyone I know NEVER looks at the software on their Internet gateway device unless it's broken.

If the software offered by Trend is stable (and I have to think that Linksys is going to make sure that it is) and the Linksys hardware has enough processing power to find and knock down threats (that's a whole other story) then this will be tremendously helpful for many Internet-connected, Internet-reliant businesses. And I said BUSINESSES because no matter what the start-up costs, this IS NOT going to be cheap. What about shared Internet settings (community centers, public wifi hotspots, etc.)? Any kind of firewalling or filtering in a public setting is not easy to explain to users. If you block one person from downloading a "funny picture" (no matter the malware behind it) you create the potential for a Constitutionally guaranteed (at least in the eyes of the blocked party) infringement event.

This should be interesting.