aapooksman / certmitm

A tool for testing for certificate validation vulnerabilities of TLS connections made by a client device or an application.
MIT License

more precise client profiling #2

Open evanrichter opened 1 year ago

evanrichter commented 1 year ago

Consider using JA3 to further distinguish client TLS libraries and their configurations.

This would help detect weaknesses when a client is reaching out to the same base domain but with differently configured libraries.

aapooksman commented 1 year ago

Hi, that would of course make identifying different connections (= certificate validators) easier and increase the coverage, so it is something that needs to be implemented.

I've been experimenting for some time with JA3 and TS1 fingerprinting libraries, but feel like these might not have enough aspects of the client hello included in the hash calculation and TS1 does not seem to work that well.

I might want to look at doing this manually with dpkt as we do not need standard fingerprinting and are fine with some false matches. As long as most connections are correctly identified and no connection will be constantly getting retested, it should be fine.

I'll have to do some looking into the research behind JA3 and TS1 on why they have chosen to work the way they do.
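As an added illustration of the JA3 fingerprinting discussed in this thread (example code, not part of certmitm or of either comment), the block below parses a ClientHello by hand with only the standard library, drops the randomised GREASE values that JA3 excludes, and hashes the five JA3 fields (version, ciphers, extensions, groups, point formats). The ClientHello bytes are constructed by `build_client_hello`, not taken from a capture.

```python
import hashlib, struct

# GREASE values (RFC 8701) change per connection, so JA3 leaves them out.
GREASE = {0x0A0A + 0x1010 * i for i in range(16)}


def ja3_from_client_hello(record: bytes) -> tuple[str, str]:
    """Return (ja3_string, ja3_md5) for one TLS record that carries a ClientHello."""
    assert record[0] == 0x16 and record[5] == 0x01, "not a ClientHello record"
    body = record[9:9 + int.from_bytes(record[6:9], "big")]
    version = struct.unpack_from("!H", body, 0)[0]
    off = 2 + 32 + 1 + body[34]                      # skip random and session id
    n = struct.unpack_from("!H", body, off)[0]; off += 2
    ciphers = [c for c in struct.unpack_from(f"!{n // 2}H", body, off) if c not in GREASE]
    off += n
    off += 1 + body[off]                             # compression methods
    end = off + 2 + struct.unpack_from("!H", body, off)[0]; off += 2
    ext_types, groups, formats = [], [], []
    while off < end:
        etype, elen = struct.unpack_from("!HH", body, off); off += 4
        data = body[off:off + elen]; off += elen
        if etype in GREASE:
            continue
        ext_types.append(etype)
        if etype == 0x000A:                          # supported_groups
            gn = struct.unpack_from("!H", data, 0)[0]
            groups = [g for g in struct.unpack_from(f"!{gn // 2}H", data, 2) if g not in GREASE]
        elif etype == 0x000B:                        # ec_point_formats
            formats = list(data[1:1 + data[0]])
    parts = [str(version)] + ["-".join(map(str, xs)) for xs in (ciphers, ext_types, groups, formats)]
    ja3 = ",".join(parts)
    return ja3, hashlib.md5(ja3.encode()).hexdigest()


def build_client_hello(ciphers, extensions):
    """Build a constructed ClientHello record (not a capture); extensions is [(type, data)]."""
    ext = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in extensions)
    hello = (struct.pack("!H", 0x0303) + bytes(32) + b"\x00"          # version, random, empty sid
             + struct.pack(f"!H{len(ciphers)}H", 2 * len(ciphers), *ciphers)
             + b"\x01\x00" + struct.pack("!H", len(ext)) + ext)        # null compression, extensions
    hs = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs


# Constructed sample: TLS 1.3-capable client with GREASE in the cipher, group and extension lists.
SAMPLE = build_client_hello(
    [0x0A0A, 0x1301, 0x1302, 0xC02B, 0xC02F],
    [(0x0000, b"\x00\x0c\x00\x00\x09localhost"),               # server_name
     (0x000A, b"\x00\x08\x0a\x0a\x00\x1d\x00\x17\x00\x18"),    # supported_groups, first is GREASE
     (0x000B, b"\x01\x00"),                                   # ec_point_formats: uncompressed
     (0x1A1A, b"")],                                          # GREASE extension
)
```

Two clients that differ only in cipher order or extension set produce different JA3 strings and hashes, which is what lets the tool tell library configurations apart on the same destination; a single library with randomised extension order would still need the looser manual matching aapooksman describes.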