COMMSEC: Exploring JARM – An Active TLS Fingerprinting Algorithm

Date: April 20, 2023

Time: 14:00

Track: CommSec Track


JARM is an active TLS fingerprinting algorithm developed by Salesforce. The algorithm can be used to cluster servers with similar TLS configurations, identify default application settings, and hunt for malware C&C servers and other malicious servers. It works by sending 10 specially crafted TLS Client Hello requests, each with different options, to probe the server for specific TLS Server Hello messages. In this talk, we will present the first C++ implementation of the algorithm, which supports additional functionality, along with a deep technical analysis of how JARM works. We also explore what makes a JARM fingerprint unique or shared, and some exciting oddities that certain servers exhibit, which might lower the confidence level in the fingerprint. Additionally, we attempt to demonstrate some improvements to the algorithm that might raise the confidence level in the fingerprint. Finally, we'll highlight some exciting results from scanning the top 1 million Alexa websites and the top 100k WordPress sites. The source code and supporting data will be published on GitHub.

Speakers

Senior Security Researcher

Trend Micro
