Examples of the information collected from SSL handshakes
I've received an email or two asking me about the information I collected using mod_sslhaf, so I decided to make it available for everyone. Here it is:
The file contains a list of unique user agents seen on SSL Labs, each with information on the handshake they used and the protocols and cipher suites they offered to use. For example:
Mozilla/5.0 (iPhone; U; CPU iPhone OS 2_2_1 like Mac OS X; en-us) AppleWebKit/525.18.1 \
(KHTML, like Gecko) Version/3.1.1 Mobile/5H11 Safari/525.20
The information gives insight into how SSL is used in real life, but it's not reliable enough to support any conclusions about individual clients. There are several problems I need to solve:
- Parse User-Agent fields to group related clients.
- Record request IP addresses in order to verify that search engine clients are who they say they are.
- Record request IP addresses to use them as a mechanism for detecting forged User-Agent fields.
- Deploy mod_sslhaf to multiple high-traffic sensors, in order to further minimise the possibility of using forged User-Agent fields.
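One way to approach the first item, and to surface candidates for forged User-Agent fields, is sketched below as an added example (not code from mod_sslhaf or from the published file). The record layout, the family rules, the suite lists and the names `ua_family` and `find_outliers` are assumptions made for illustration; a mismatch only marks a record for a closer look, since one family can legitimately produce more than one handshake.

```python
import re
from collections import Counter, defaultdict

# Constructed sample records (User-Agent, handshake version, offered suite IDs).
# This layout and these suite lists are assumptions, not the published file.
FX = "c00a,c014,0039,0035,002f"
SAMPLES = [
    ("Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.11) "
     "Gecko/2009060215 Firefox/3.0.11", "3.1", FX),
    ("Mozilla/5.0 (X11; U; Linux i686; en-GB; rv:1.9.0.10) "
     "Gecko/2009042523 Firefox/3.0.10", "3.1", FX),
    ("Mozilla/5.0 (Windows; U; Windows NT 6.0; de; rv:1.9.0.11) "
     "Gecko/2009060215 Firefox/3.0.11", "3.0", "0004,0005,002f"),
    ("Mozilla/5.0 (iPhone; U; CPU iPhone OS 2_2_1 like Mac OS X; en-us) "
     "AppleWebKit/525.18.1 (KHTML, like Gecko) Version/3.1.1 Mobile/5H11 "
     "Safari/525.20", "3.1", "002f,0035,0005,000a"),
]

# Coarse family rules; order matters because the first match wins.
FAMILY_RULES = [
    ("Firefox", re.compile(r"Firefox/(\d+)")),
    ("MSIE", re.compile(r"MSIE (\d+)")),
    ("Mobile Safari", re.compile(r"Version/(\d+)\S* Mobile/\S+ Safari/")),
    ("Safari", re.compile(r"Version/(\d+)\S* Safari/")),
]

def ua_family(ua):
    """Map a raw User-Agent string to 'Family major-version', or 'unknown'."""
    for name, rx in FAMILY_RULES:
        m = rx.search(ua)
        if m:
            return f"{name} {m.group(1)}"
    return "unknown"

def find_outliers(records, min_seen=3):
    """Return (family, ua) pairs whose handshake differs from the family's majority."""
    by_family = defaultdict(list)
    for ua, version, suites in records:
        by_family[ua_family(ua)].append((ua, (version, tuple(suites.split(",")))))
    outliers = []
    for family, seen in by_family.items():
        top_fp, top_n = Counter(fp for _, fp in seen).most_common(1)[0]
        # Skip families with too few samples or without a strict majority.
        if family == "unknown" or len(seen) < min_seen or top_n * 2 <= len(seen):
            continue
        outliers += [(family, ua) for ua, fp in seen if fp != top_fp]
    return outliers

if __name__ == "__main__":
    for family, ua in find_outliers(SAMPLES):
        print(f"candidate forged {family}: {ua}")
```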
Update (10 July): Now with no unknown cipher suites in the output.