DOI: 10.1145/3355369.3355601
Research article, open access

TLS Beyond the Browser: Combining End Host and Network Data to Understand Application Behavior

Published: 21 October 2019

    Abstract

    The Transport Layer Security (TLS) protocol has evolved in response to different attacks and is increasingly relied on to secure Internet communications. Web browsers have led the adoption of newer and more secure cryptographic algorithms and protocol versions, and thus improved the security of the TLS ecosystem. Other application categories, however, are increasingly using TLS, but too often are relying on obsolete and insecure protocol options.
    To understand in detail what applications are using TLS, and how they are using it, we developed a novel system for obtaining process information from end hosts and fusing it with network data to produce a TLS fingerprint knowledge base. This data has a rich set of context for each fingerprint, is representative of enterprise TLS deployments, and is automatically updated from ongoing data collection. Our dataset is based on 471 million endpoint-labeled and 8 billion unlabeled TLS sessions obtained from enterprise edge networks in five countries, plus millions of sessions from a malware analysis sandbox. We actively maintain an open source dataset that, at 4,500+ fingerprints and counting, is both the largest and most informative ever published. In this paper, we use the knowledge base to identify trends in enterprise TLS applications beyond the browser: application categories such as storage, communication, system, and email. We identify a rise in the use of TLS by nonbrowser applications and a corresponding decline in the fraction of sessions using version 1.3. Finally, we highlight the shortcomings of naïvely applying TLS fingerprinting to detect malware, and we present recent trends in malware's use of TLS such as the adoption of cipher suite randomization.




    Published In

    IMC '19: Proceedings of the Internet Measurement Conference
    October 2019
    497 pages
    ISBN: 9781450369480
    DOI: 10.1145/3355369

    Publisher

    Association for Computing Machinery, New York, NY, United States


    Conference

    IMC '19: ACM Internet Measurement Conference
    October 21 - 23, 2019, Amsterdam, Netherlands

    Acceptance Rates

    IMC '19 paper acceptance rate: 39 of 197 submissions, 20%
    Overall acceptance rate: 277 of 1,083 submissions, 26%

    Cited By

    • (2024) Investigating TLS Version Downgrade in Enterprise Software. Proceedings of the Fourteenth ACM Conference on Data and Application Security and Privacy, 31-42. DOI: 10.1145/3626232.3653263. Online publication date: 19-Jun-2024
    • (2024) Fingerprinting the Shadows: Unmasking Malicious Servers with Machine Learning-Powered TLS Analysis. Proceedings of the ACM on Web Conference 2024, 1933-1944. DOI: 10.1145/3589334.3645719. Online publication date: 13-May-2024
    • (2024) Fingerprinting Industrial IoT devices based on multi-branch neural network. Expert Systems with Applications 238, 122371. DOI: 10.1016/j.eswa.2023.122371. Online publication date: Mar-2024
    • (2024) JAPPI: An unsupervised endpoint application identification methodology for improved Zero Trust models, risk score calculations and threat detection. Computer Networks 250, 110606. DOI: 10.1016/j.comnet.2024.110606. Online publication date: Aug-2024
    • (2023) Unsupervised Detection and Clustering of Malicious TLS Flows. Security and Communication Networks 2023, 1-17. DOI: 10.1155/2023/3676692. Online publication date: 12-Jan-2023
    • (2023) Attacking DoH and ECH: Does Server Name Encryption Protect Users' Privacy? ACM Transactions on Internet Technology 23:1, 1-22. DOI: 10.1145/3570726. Online publication date: 23-Feb-2023
    • (2023) Pump Up the JARM: Studying the Evolution of Botnets Using Active TLS Fingerprinting. 2023 IEEE Symposium on Computers and Communications (ISCC), 764-770. DOI: 10.1109/ISCC58397.2023.10218210. Online publication date: 9-Jul-2023
    • (2023) Assessing and Exploiting Domain Name Misinformation. 2023 IEEE European Symposium on Security and Privacy Workshops (EuroS&PW), 475-486. DOI: 10.1109/EuroSPW59978.2023.00059. Online publication date: Jul-2023
    • (2023) Machine learning interpretability meets TLS fingerprinting. Soft Computing 27:11, 7191-7208. DOI: 10.1007/s00500-023-07949-9. Online publication date: 28-Mar-2023
    • (2023) Satisfiability Modulo Finite Fields. Computer Aided Verification, 163-186. DOI: 10.1007/978-3-031-37703-7_8. Online publication date: 17-Jul-2023
