« Analysis of Googlebot's frugal cipher suite list | Main | Firefox SSL extensions »

Examples of the information collected from SSL handshakes

July 09, 2009

I've received an email or two asking me about the information I collected using mod_sslhaf, so I decided to make it available for everyone. Here it is:

The file contains a list of unique user agents seen on SSL Labs, each with information on the handshake they used and the protocols and cipher suites they offered to use. For example:

Mozilla/5.0 (iPhone; U; CPU iPhone OS 2_2_1 like Mac OS X; en-us) AppleWebKit/525.18.1 \
(KHTML, like Gecko) Version/3.1.1 Mobile/5H11 Safari/525.20
Handshake: h3
Protocol: 03.01

TLS_RSA_WITH_RC4_128_SHA (0x05)
TLS_RSA_WITH_RC4_128_MD5 (0x04)

The information gives insight into how SSL is used in real-life, but it's not reliable enough to support any conclusions about individual clients. There are several problems I need to solve:

  1. Parse User-Agent fields to group related clients.
  2. Record request IP addresses in order to be able to verify the search engine clients are who they say they are.
  3. Record request IP addresses to use them as a mechanism to determine forged User-Agent fields.
  4. Deploy mod_sslhaf to multiple high-traffic sensors, in order to further minimise the possibility of using forged User-Agent fields.

Update (10 July): Now with no unknown cipher suites in the output.