Explore the intricacies of TLS fingerprinting in this 46-minute conference talk from Derbycon 2015. Delve into stealthier attack techniques and smarter defense strategies, focusing on a "zero math, (almost) zero crypto" approach to TLS. Learn about fingerprint creation, deobfuscation, and anomaly detection. Examine various attack levels, including stealth MiTM, anti-forensics, and potential nation-state tactics. Discover the concept of fingerprint canaries and their application in homogeneous platforms. Gain insights into fingerprint-defined routing, honeypo ts, and the future of TLS fingerprinting through practical demonstrations and random observations.
Overview
Syllabus
Intro
Stealthier Attacks & Smarter Defending with TLS Fingerprinting
A "Zero Math, (almost) Zero Crypto", TLS Talk
TLS PRIMER ..... (Shhhh.... it's not a cryptographic algorithm)
Fingerprints
Why
Origin Story
Expanding.
Extensions
Significant, key-value order is!
Creating a FingerPrint
Deobfuscation
Any Port v Stateless v Asymmetric v Low Cost v
Storage & Retention
Own Fingerprint Modification
Collisions?
Yes... ok no. sort of.... a bit.... occasionally
Anomaly Detection
Not Just
Attacker Level 1: Stealth MiTM
Hacked Proxy BGP Hijacking Rogue DHCP Malicious Tor Node
TLS Attacks
Fingerprint Defined Routing Ž
Attacker Level 2: AntiForensics
Enumerated Targets Prepared Exploits Delivered Stager/Phish v Awaiting Callback...
Fingerprint Canaries
Homogeneous Platforms
End Of Level Boss: Nation State Attackers (zomg!) ?
Honorable Mention: HoneyPots
FingerPrint DB
Demo?
What's Next?
Random Observations
