TLS client fingerprinting with Bro

In this post, we will play with Bro IDS as a client fingerprinting techniques exploration tool.

As is known, during the initial TLS handshake (used, among others, by HTTPS on web browsers), a message called ClientHello is exchanged. In this message, the client specifies the supported cryptographic primitives (the so-called cipher suites).

For example, Firefox 50.1.0 under Linux sends a ClientHello like this, as shown with the Wireshark dissector: [Read more…]