##########################################################################################
PAS-16: Browser Fingerprinting
##########################################################################################

Issue Type: New Feature
-----------------------------------------------------------------------------------------

Issue Information
====================

Priority: Major
Status: Open
Resolution: Unresolved
Project: PCAP Analysis Script (PAS)
Reported By: btasker
Assigned To: btasker

Components:
- Fingerprinting

Affected Versions:
- 0.1

Targeted for fix in version:
- 0.2

Labels: Fingerprinting, SSL, TLS,

Time Estimate: 45 minutes
Time Logged: 0 minutes

-----------------------------------------------------------------------------------------

Issue Description
==================

The selection (and more importantly, ordering) of ciphersuites suggested in a client hello can help us identify the browser in use.

Maintaining a list of browsers and their ciphersuites would be a big task, so want to avoid.

Instead, better to use HTTP referers (where available) to extract user-agent. Lookup ciphers offered to the referring https domain and suggest as the user agent for all matches for those ciphersuites in that order.

Need to handle duplications gracefully, but would allow identification of use-cases where a different browser is used for something else (e.g. Firefox for browsing, Chrome for porn).

Maybe also introduce a report showing ciphers offered to each domain

-- BEGIN SNIPPET --
Ciperfamilies comma sep list of fqdns
-- END SNIPPET --

-----------------------------------------------------------------------------------------

Activity
==========

-----------------------------------------------------------------------------------------
2015-11-27 13:08:37
-----------------------------------------------------------------------------------------
btasker added '0.2' to Fix Version

-----------------------------------------------------------------------------------------
2015-11-27 13:08:37
-----------------------------------------------------------------------------------------
btasker removed '0.1' from Fix Version
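
A sketch of the correlation proposed in the issue description above, added here as an example and not taken from PAS itself. The function names, the record layout and the sample data are assumptions, as is the choice to handle duplicates by keeping every candidate user agent for a ciphersuite ordering instead of overwriting.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample data, not taken from a real capture.
# ClientHellos seen: (SNI, ciphersuite IDs in the order offered)
CLIENT_HELLOS = [
    ("shop.example",  (0xC02B, 0xC02F, 0x009E, 0xC00A)),
    ("mail.example",  (0xC02B, 0xC02F, 0x009E, 0xC00A)),
    ("video.example", (0xC02F, 0xC02B, 0x009C, 0x0035)),
    ("cdn.example",   (0xC02F, 0xC02B, 0x009C, 0x0035)),
    ("other.example", (0x0035, 0x002F)),
]
# Plaintext HTTP requests seen: (Referer header, User-Agent header)
HTTP_REQUESTS = [
    ("https://shop.example/basket", "ExampleBrowserA/1.0"),
    ("https://video.example/watch", "ExampleBrowserB/2.0"),
    ("https://cdn.example/lib.js",  "ExampleBrowserC/3.0"),  # same suites, different UA
    ("http://plain.example/",       "ExampleBrowserA/1.0"),  # not https: ignored
]

def domains_by_ciphers(hellos):
    """Report from the issue: ordered ciphersuite list -> FQDNs it was offered to."""
    report = defaultdict(set)
    for sni, suites in hellos:
        report[tuple(suites)].add(sni)
    return dict(report)

def agents_by_ciphers(hellos, requests):
    """Ordered ciphersuite list -> user agents whose https Referer named a matching FQDN."""
    by_domain = defaultdict(set)
    for sni, suites in hellos:
        by_domain[sni].add(tuple(suites))
    agents = defaultdict(set)
    for referer, user_agent in requests:
        url = urlsplit(referer)
        if url.scheme == "https" and url.hostname:
            for suites in by_domain.get(url.hostname, ()):
                agents[suites].add(user_agent)  # a set keeps conflicting UAs visible
    return dict(agents)

def suggest_agents(hellos, requests):
    """FQDN -> sorted candidate user agents ([] = unknown, several = ambiguous)."""
    agents = agents_by_ciphers(hellos, requests)
    return {sni: sorted(agents.get(tuple(suites), ())) for sni, suites in hellos}

if __name__ == "__main__":
    for suites, fqdns in domains_by_ciphers(CLIENT_HELLOS).items():
        print(",".join(f"{s:04X}" for s in suites), ",".join(sorted(fqdns)))
    for fqdn, uas in suggest_agents(CLIENT_HELLOS, HTTP_REQUESTS).items():
        print(fqdn, uas or ["unknown"])
```

Browsers omit the Referer header by default when navigating from an HTTPS page to a plaintext HTTP destination, so the https referers this relies on only appear where the referring site's referrer policy allows them.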