LeeBrotherston / tls-fingerprinting

TLS Fingerprinting
GNU General Public License v3.0

Identifying spotify traffic #2

Closed mackensen closed 9 years ago

mackensen commented 9 years ago

I've noticed that Spotify makes a number of requests when it starts up. Some of these haven't been fingerprinted yet but the majority are identified as coming from Adium (which wasn't running at the time). This is the full log:

Fingerprint Matched: "Adium 1.5.10" TLSv1.2 connection from XXX.XXX.XXX.XXX:61927 to 216.58.216.66:443 Servername: "securepubads.g.doubleclick.net"
Fingerprint Matched: "Adium 1.5.10" TLSv1.2 connection from XXX.XXX.XXX.XXX:61928 to 216.58.216.70:443 Servername: "ad.doubleclick.net"
Fingerprint Matched: "Adium 1.5.10" TLSv1.2 connection from XXX.XXX.XXX.XXX:61929 to 107.21.244.57:443 Servername: "appserver.efsharp.com"
Fingerprint Matched: "Adium 1.5.10" TLSv1.2 connection from XXX.XXX.XXX.XXX:61930 to 107.21.244.57:443 Servername: "appserver.efsharp.com"
Fingerprint Matched: "Adium 1.5.10" TLSv1.2 connection from XXX.XXX.XXX.XXX:61933 to 216.58.216.78:443 Servername: "www.google-analytics.com"
{"id": 0, "desc": "Unknown: XXX.XXX.XXX.XXX:61931 -> 54.214.41.129:443", "record_tls_version": "0x0301", "tls_version": "0x0303", "ciphersuite_length": "0x0022", "ciphersuite": "0xC02B 0xC02F 0x009E 0xCC14 0xCC13 0xCC15 0xC00A 0xC014 0x0039 0xC009 0xC013 0x0033 0x009C 0x0035 0x002F 0x000A 0x00FF", "compression_length": "1",  "compression": "0x00", "extensions": "0x0000 0x0017 0x0023 0x000D 0x0005 0x3374 0x0012 0x000B 0x000A", "e_curves": "0x0017 0x0018", "sig_alg": "0x0601 0x0603 0x0501 0x0503 0x0401 0x0403 0x0301 0x0303 0x0201 0x0203", "ec_point_fmt": "0x00", "server_name": "oa.efsharp.com"}
Fingerprint Matched: "Adium 1.5.10" TLSv1.2 connection from XXX.XXX.XXX.XXX:61932 to 54.214.41.129:443 Servername: "oa.efsharp.com"
Fingerprint Matched: "Adium 1.5.10" TLSv1.2 connection from XXX.XXX.XXX.XXX:61934 to 50.18.177.64:443 Servername: "f3-metrics-us.efsharp-hosting.com"
Fingerprint Matched: "Adium 1.5.10" TLSv1.2 connection from XXX.XXX.XXX.XXX:61935 to 50.18.177.64:443 Servername: "f3-metrics-us.efsharp-hosting.com"
Fingerprint Matched: "Adium 1.5.10" TLSv1.2 connection from XXX.XXX.XXX.XXX:61936 to 54.192.88.250:443 Servername: "cdn.efsharp.com"
{"id": 0, "desc": "Unknown: XXX.XXX.XXX.XXX:61937 -> 54.214.41.129:443", "record_tls_version": "0x0301", "tls_version": "0x0303", "ciphersuite_length": "0x0022", "ciphersuite": "0xC02B 0xC02F 0x009E 0xCC14 0xCC13 0xCC15 0xC00A 0xC014 0x0039 0xC009 0xC013 0x0033 0x009C 0x0035 0x002F 0x000A 0x00FF", "compression_length": "1",  "compression": "0x00", "extensions": "0x0000 0x0017 0x0023 0x000D 0x0005 0x3374 0x0012 0x000B 0x000A 0x0015", "e_curves": "0x0017 0x0018", "sig_alg": "0x0601 0x0603 0x0501 0x0503 0x0401 0x0403 0x0301 0x0303 0x0201 0x0203", "ec_point_fmt": "0x00", "server_name": "oa.efsharp.com"}

Split out, here's the unidentified fingerprint:

{"id": 0, "desc": "Unknown: XXX.XXX.XXX.XXX:61937 -> 54.214.41.129:443", "record_tls_version": "0x0301", "tls_version": "0x0303", "ciphersuite_length": "0x0022", "ciphersuite": "0xC02B 0xC02F 0x009E 0xCC14 0xCC13 0xCC15 0xC00A 0xC014 0x0039 0xC009 0xC013 0x0033 0x009C 0x0035 0x002F 0x000A 0x00FF", "compression_length": "1",  "compression": "0x00", "extensions": "0x0000 0x0017 0x0023 0x000D 0x0005 0x3374 0x0012 0x000B 0x000A 0x0015", "e_curves": "0x0017 0x0018", "sig_alg": "0x0601 0x0603 0x0501 0x0503 0x0401 0x0403 0x0301 0x0303 0x0201 0x0203", "ec_point_fmt": "0x00", "server_name": "oa.efsharp.com"}

This is Spotify 1.0.14.124.g4dfabc51.
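As an added example (not code from the issue or from the tls-fingerprinting project), the two "Unknown" records above can be compared field by field to see exactly where they diverge, and the same canonical key can be used to match prints against a signature list and to flag signatures that collide on an identical ClientHello. The JSON below is copied from the log above; the signature names are hypothetical and the small signature list is constructed here for illustration.

```python
"""Compare TLS ClientHello fingerprint records, match them against a signature
list, and report signature collisions. Added example, not project code."""
import json

# Two "Unknown" records as printed in the issue log (client IP redacted as in the issue).
UNKNOWN_61931 = ('{"id": 0, "desc": "Unknown: XXX.XXX.XXX.XXX:61931 -> 54.214.41.129:443", '
                 '"record_tls_version": "0x0301", "tls_version": "0x0303", "ciphersuite_length": "0x0022", '
                 '"ciphersuite": "0xC02B 0xC02F 0x009E 0xCC14 0xCC13 0xCC15 0xC00A 0xC014 0x0039 0xC009 '
                 '0xC013 0x0033 0x009C 0x0035 0x002F 0x000A 0x00FF", "compression_length": "1",  '
                 '"compression": "0x00", "extensions": "0x0000 0x0017 0x0023 0x000D 0x0005 0x3374 0x0012 '
                 '0x000B 0x000A", "e_curves": "0x0017 0x0018", "sig_alg": "0x0601 0x0603 0x0501 0x0503 '
                 '0x0401 0x0403 0x0301 0x0303 0x0201 0x0203", "ec_point_fmt": "0x00", '
                 '"server_name": "oa.efsharp.com"}')
UNKNOWN_61937 = ('{"id": 0, "desc": "Unknown: XXX.XXX.XXX.XXX:61937 -> 54.214.41.129:443", '
                 '"record_tls_version": "0x0301", "tls_version": "0x0303", "ciphersuite_length": "0x0022", '
                 '"ciphersuite": "0xC02B 0xC02F 0x009E 0xCC14 0xCC13 0xCC15 0xC00A 0xC014 0x0039 0xC009 '
                 '0xC013 0x0033 0x009C 0x0035 0x002F 0x000A 0x00FF", "compression_length": "1",  '
                 '"compression": "0x00", "extensions": "0x0000 0x0017 0x0023 0x000D 0x0005 0x3374 0x0012 '
                 '0x000B 0x000A 0x0015", "e_curves": "0x0017 0x0018", "sig_alg": "0x0601 0x0603 0x0501 '
                 '0x0503 0x0401 0x0403 0x0301 0x0303 0x0201 0x0203", "ec_point_fmt": "0x00", '
                 '"server_name": "oa.efsharp.com"}')

# Fields that characterise the client TLS stack. id/desc/server_name change per
# connection and are deliberately left out of the key.
KEY_FIELDS = ("record_tls_version", "tls_version", "ciphersuite", "compression",
              "extensions", "e_curves", "sig_alg", "ec_point_fmt")


def parse_print(text):
    """Parse one JSON fingerprint record as printed by the tool."""
    return json.loads(text)


def fingerprint_key(rec):
    """Canonical, hashable key. List-valued fields are tokenised with split(),
    so stray whitespace (the cleanser problem mentioned in this thread) cannot
    turn one fingerprint into two."""
    return tuple((f, tuple(str(rec.get(f, "")).split())) for f in KEY_FIELDS)


def diff_prints(a, b):
    """Return {field: (tokens_in_a, tokens_in_b)} for every key field that differs."""
    ka, kb = dict(fingerprint_key(a)), dict(fingerprint_key(b))
    return {f: (ka[f], kb[f]) for f in KEY_FIELDS if ka[f] != kb[f]}


def load_signatures(sig_texts):
    """Build {key: [names]} from JSON signature records (desc used as the name)."""
    db = {}
    for text in sig_texts:
        rec = parse_print(text)
        db.setdefault(fingerprint_key(rec), []).append(rec["desc"])
    return db


def match(rec, db):
    """All signature names whose key equals this record's key ([] if unknown)."""
    return db.get(fingerprint_key(rec), [])


def collisions(db):
    """Keys claimed by more than one signature name: every match on such a key
    is ambiguous, which is the shared-library / collision case raised above."""
    return {k: names for k, names in db.items() if len(names) > 1}


def build_demo_db():
    """Constructed signature list with hypothetical names (not the project's
    database). Two entries intentionally share the 61931 key to force a collision."""
    base = parse_print(UNKNOWN_61931)
    sigs = [dict(base, desc="Hypothetical client A"),
            dict(base, desc="Hypothetical client B"),
            dict(parse_print(UNKNOWN_61937), desc="Hypothetical client C (padding extension)")]
    return load_signatures(json.dumps(s) for s in sigs)


if __name__ == "__main__":
    a, b = parse_print(UNKNOWN_61931), parse_print(UNKNOWN_61937)
    for field, (ta, tb) in diff_prints(a, b).items():
        print(f"{field}: {' '.join(ta)}  |  {' '.join(tb)}")
    db = build_demo_db()
    print("61931 matches:", match(a, db))
    print("61937 matches:", match(b, db))
    for key, names in collisions(db).items():
        print("collision:", names)
```

Running it shows that the only field separating the two unknown prints is the extension list, where the second record carries one extra trailing extension (0x0015), and that a signature list containing two names for one key is reported as a collision rather than silently matching the first name.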

LeeBrotherston commented 9 years ago

Hmmm, interesting. I wonder if the Adium signature should be for something more generic like a library that it and Spotify share... Or if this is some kind of collision.

Thanks for bringing it up, I'll dig into it when I'm on more than a cellphone ;)

LeeBrotherston commented 9 years ago

That signature could still be an issue... which I'm looking into.

But I also noticed that my fingerprint cleanser script introduced some additional whitespace into files which was causing issues with a couple of fingerprints. I used it to remove test server names from the json files prior to uploading them here for derbycon and so had a few inaccurate prints included over the weekend.

I have fixed that issue now, so some signatures will be more accurate. So it might be worth a retest with the latest version. I will do some proper tests on this signature though, as this one in particular I have some suspicions about now.

LeeBrotherston commented 9 years ago

I have done some research and one of the Adium signatures (which I cleverly gave the same names to... oops) was actually a websockets connection made by Adium. Chrome also does this when it experiences a wss:// (websockets) link. I'm going to guess Spotify is also doing the same.

Changes here:

https://github.com/LeeBrotherston/tls-fingerprinting/commit/44982daa91af2b9a042a9671b1334d9c4871c137#diff-d0f8ddc900eed03047fd22c81a916b9f