RFCs We Love: May 2021 (TLS Fingerprinting edition)
Updated: Jun 5, 2021
This RFCsWeLove meetup was on Friday, 28th May with a focus on TLS Fingerprinting. It was our 22nd meetup and the 9th fully virtual one.
We had a great set of topics with excellent speakers who brought in-depth knowledge in the field.
Introduction by Mohit / Dhruv [Slides]
Setting the scene by Tirumaleswar Reddy [Slides]
TLS fingerprinting by Blake Anderson [Slides]
TLS fingerprinting uses metadata in the TLS client_hello to map a TLS session to the initiating process or library. The straightforward application of TLS fingerprinting fails in practice because many processes can map to the same fingerprint, with previous approaches having to either report a set of processes or the most prevalent process. In this talk, we propose a technique to disambiguate the returned list of processes by leveraging a weighted naive Bayes classifier and destination information contained within the initial packet. Our methods are made possible by a data fusion system that continuously collects and fuses endpoint and network data, building up-to-date fingerprint databases that correlate TLS fingerprints, processes, and destinations for 100+ million real-world sessions each day. We additionally provide guidance on the deployment and the applicability of these techniques with respect to QUIC.
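As an added illustration (not code from the talk or from the Cisco system it describes), here is the disambiguation step in miniature: a constructed fingerprint database in which two processes share one fingerprint, and a weighted naive Bayes classifier over destination features (server name, port) ranks the candidate processes; the process names, feature weights and observations are all assumed.

```python
"""Disambiguating a shared TLS fingerprint with a weighted naive Bayes
classifier over destination features (hypothetical illustration)."""
import math
from collections import defaultdict

class FingerprintDB:
    """fingerprint -> process -> session counts, plus per-feature value counts."""
    def __init__(self):
        self.proc_n = defaultdict(lambda: defaultdict(int))   # fp -> proc -> n
        self.feat_n = defaultdict(lambda: defaultdict(int))   # (fp, proc, feat) -> value -> n
        self.vocab = defaultdict(set)                         # (fp, feat) -> distinct values

    def add(self, fp, proc, dest):
        """Record one session fused from endpoint data (proc) and network data (fp, dest)."""
        self.proc_n[fp][proc] += 1
        for feat, val in dest.items():
            self.feat_n[(fp, proc, feat)][val] += 1
            self.vocab[(fp, feat)].add(val)

    def classify(self, fp, dest, weights):
        """Return [(process, probability)] for a client_hello with fingerprint fp to dest."""
        cands = self.proc_n.get(fp)
        if not cands:
            return []                                   # fingerprint never seen
        total = sum(cands.values())
        log_scores = {}
        for proc, n in cands.items():
            score = math.log(n / total)                 # prior: prevalence of proc for this fp
            for feat, val in dest.items():
                counts = self.feat_n[(fp, proc, feat)]
                seen, k = sum(counts.values()), max(len(self.vocab[(fp, feat)]), 1)
                lik = (counts.get(val, 0) + 1) / (seen + k)   # Laplace-smoothed likelihood
                score += weights.get(feat, 1.0) * math.log(lik)  # feature weight
            log_scores[proc] = score
        z = sum(math.exp(s) for s in log_scores.values())
        return sorted(((p, math.exp(s) / z) for p, s in log_scores.items()),
                      key=lambda x: x[1], reverse=True)

def build_demo_db():
    """Constructed data: a browser and an updater share fingerprint 'fp_A'."""
    db = FingerprintDB()
    for host in ("a.example.com", "b.example.com", "c.example.com"):
        db.add("fp_A", "browser.exe", {"server_name": host, "dst_port": 443})
    for _ in range(2):
        db.add("fp_A", "updater.exe", {"server_name": "updates.example.net", "dst_port": 443})
    return db

WEIGHTS = {"server_name": 1.0, "dst_port": 0.5}   # assumed weights: SNI is more informative than port

if __name__ == "__main__":
    db = build_demo_db()
    print(db.classify("fp_A", {"server_name": "updates.example.net", "dst_port": 443}, WEIGHTS))
```

With only the fingerprint, the most prevalent process (the browser) would be reported; the destination feature flips the answer to the updater with probability 0.7.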
Tirumaleswar Reddy is a Principal Engineer at McAfee. He has expertise in network and IoT/endpoint security, architecting, and developing security products and solutions. He has a proven track record of developing security and privacy standards for the Internet. He is currently chair of the TEEP WG and a member of the “security area” review team at IETF. He has co-authored 22 RFCs and is an active contributor in several working groups. He has 47 patents approved and 50 patents filed with the USPTO. His recent work and interests include IoT Security, Service Function Chaining, DDoS mitigation, and Encrypted DNS.
Blake Anderson currently works as a Senior Technical Leader in Cisco’s Cloud and Network Security Group. Since starting at Cisco in early 2015, he has participated in and led projects aimed at encrypted network traffic analysis, which has resulted in open source projects, academic publications, and patents. He and his collaborators published the initial research that eventually became Cisco’s Encrypted Traffic Analytics (ETA) solution. Before Cisco, Blake received his Ph.D. in machine learning/security from the University of New Mexico and worked at Los Alamos National Laboratory as a staff scientist.
Find details about the previous meetup here.
Stay Safe Folks!