« CRIME: Information leakage attack against SSL/TLS | Main | Large-scale passive SSL monitoring at ICSI »

Improved passive SSL fingerprinting in sslhaf

October 18, 2012

I've had some available time recently to work on sslhaf, my passive SSL fingerprinting tool. I made the following improvements:

  • Detect browser BEAST mitigation (1/n-1 splitting)
  • Extract compression support
  • Extract TLS extensions
  • Change licence from GPLv2 to BSD
  • Bug fixes

I think that the detection of BEAST mitigation measures is particularly useful, because it will help understand the risk coming from this attack. Most, but not all, major browsers have mitigations in place. In addition, we don't know how many vulnerable older clients there are. I hope to publish some measurements soon.

The tool is stable but technically still experimental, so use at your own risk. I'd be willing to make it production ready if there's anyone interested in deploying it in a large web site.

MY BOOK: If you like this blog post, you will love Bulletproof SSL and TLS. For system administrators, developers, and IT security professionals, this book provides a comprehensive coverage of the ever-changing field of SSL/TLS and Internet PKI and will teach you everything you need to know to protect your systems from eavesdropping and impersonation attacks. It's available now.