PAS-16: Browser Fingerprinting

Issue Information

Issue Type: New Feature
Priority: Major
Status: Open

Reported By: Ben Tasker
Assigned To: Ben Tasker
Project: PCAP Analysis Script (PAS)
Resolution: Unresolved
Affects Version: 0.1
Target version: 0.2
Components: Fingerprinting
Labels: Fingerprinting, SSL, TLS

Created: 2015-11-26 18:12:06
Time Spent Working
45 minutes
45 minutes
0 minutes

The selection (and more importantly, ordering) of ciphersuites suggested in a client hello can help us identify the browser in use.

Maintaining a list of browsers and their ciphersuites would be a big task, so want to avoid.

Instead, better to use HTTP referers (where available) to extract user-agent. Look up ciphers offered to the referring HTTPS domain and suggest as the user agent for all matches for those ciphersuites in that order.

Need to handle duplications gracefully, but would allow identification of use-cases where a different browser is used for something else (e.g. Firefox for browsing, Chrome for porn).

Maybe also introduce a report showing ciphers offered to each domain:

Cipherfamilies | comma sep list of fqdns
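
A sketch of the correlation described above, added here as an example; it is not part of the issue or of PAS itself. It assumes ClientHello and HTTP records have already been extracted from the capture as tuples (the record layout, function names and sample values are hypothetical), and it treats "duplications" as repeated or conflicting user-agents for one cipher ordering, keeping every candidate instead of overwriting.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample records, not taken from a real capture.
# ClientHello: (client IP, SNI, cipher suite IDs in the order offered).
A = (0xC02B, 0xC02F, 0xC00A, 0x009C)
B = (0xC02F, 0xC02B, 0x009E, 0x009C)
HELLOS = [
    ("10.0.0.5", "www.example.com", A),
    ("10.0.0.5", "mail.example.org", A),
    ("10.0.0.5", "video.example.net", B),
]
# Plaintext HTTP request: (client IP, Referer, User-Agent).
HTTP = [
    ("10.0.0.5", "https://www.example.com/page", "ExampleBrowser/1.0"),
    ("10.0.0.5", "https://www.example.com/other", "ExampleBrowser/1.0"),
    ("10.0.0.5", "http://plain.example.com/", "OtherClient/2.0"),
]

def learn_agents(hellos, http):
    """Map each ordered cipher list to user-agents seen via HTTPS referers."""
    offered = defaultdict(set)  # (client, fqdn) -> cipher orderings offered
    for client, sni, suites in hellos:
        offered[(client, sni.lower())].add(tuple(suites))
    agents = defaultdict(set)   # cipher ordering -> candidate user-agents
    for client, referer, ua in http:
        ref = urlsplit(referer or "")
        if ref.scheme != "https" or not ref.hostname or not ua:
            continue            # only HTTPS referers tie a UA to a ClientHello
        for suites in offered.get((client, ref.hostname), ()):
            agents[suites].add(ua)  # a set absorbs repeats and keeps conflicts
    return dict(agents)

def suggest(hellos, agents):
    """Per ClientHello: (fqdn, sorted candidates). [] = unknown, >1 = ambiguous."""
    return [(sni, sorted(agents.get(tuple(s), ()))) for _c, sni, s in hellos]

def cipher_report(hellos):
    """Report rows: ordered cipher list -> comma-separated FQDNs offered it."""
    rows = defaultdict(set)
    for _client, sni, suites in hellos:
        rows[",".join(f"{s:04x}" for s in suites)].add(sni.lower())
    return {ciphers: ",".join(sorted(hosts)) for ciphers, hosts in rows.items()}

if __name__ == "__main__":
    for fqdn, candidates in suggest(HELLOS, learn_agents(HELLOS, HTTP)):
        print(fqdn, candidates or "unknown")
    for ciphers, hosts in cipher_report(HELLOS).items():
        print(ciphers, hosts)
```

Ordering is preserved by keying on the tuple of suite IDs, so two clients offering the same suites in a different order are kept apart.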


btasker added '0.2' to Fix Version
btasker removed '0.1' from Fix Version