{"id":10812,"date":"2023-03-08T05:05:20","date_gmt":"2023-03-08T05:05:20","guid":{"rendered":"https:\/\/conference.hitb.org\/hitbsecconf2023ams\/?post_type=session&#038;p=10812"},"modified":"2023-05-19T10:28:48","modified_gmt":"2023-05-19T10:28:48","slug":"commsec-exploring-jarm-an-active-tls-fingerprinting-algorithm","status":"publish","type":"session","link":"https:\/\/conference.hitb.org\/hitbsecconf2023ams\/session\/commsec-exploring-jarm-an-active-tls-fingerprinting-algorithm\/","title":{"rendered":"COMMSEC: Exploring JARM &#8211; An Active TLS Fingerprinting Algorithm"},"content":{"rendered":"<p><iframe title=\"#HITB2023AMS #COMMSEC D1 - Exploring JARM \u2013 An Active TLS Fingerprinting Algorithm -  Mohamad Mokbel\" width=\"800\" height=\"450\" src=\"https:\/\/www.youtube.com\/embed\/MbgM4G1Ixv0?list=PLmv8T5-GONwTibHQJImf1kCiQ5XGNFg-l\" frameborder=\"0\" allow=\"accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture; web-share\" allowfullscreen><\/iframe><\/p>\n<p><a href=\"https:\/\/conference.hitb.org\/hitbsecconf2023ams\/materials\/D1%20COMMSEC%20-%20Exploring%20JARM%20-%20An%20Active%20TLS%20Fingerprinting%20Algorithm%20-%20Mohamad%20Mokbel.pdf\">PRESENTATION SLIDES (PDF)<\/a><\/p>\n<hr \/>\n<p style=\"text-align: justify;\">JARM is an active TLS fingerprinting algorithm developed by Salesforce. The algorithm could be used to cluster servers with similar TLS configuration, identify default application settings, and hunt for malware C&amp;C servers and other malicious servers. It works by sending specially crafted 10 TLS Client Hello requests, with different options, probing the server for specific TLS Server Hello messages. In this talk, we will present the first C++ implementation of the algorithm, that supports additional functionalities, along with a deep technical analysis of how JARM works. Moreover, we explore what makes a JARM fingerprint unique or shared, and some exciting oddities that certain servers exhibit, which might lower the confidence level in the fingerprint. Additionally, we attempt to demonstrate some improvement on the algorithm that might improve the confidence level in the fingerprint. Moreover, we&#8217;ll highlight some exciting results from scanning the top 1 million Alexa websites and the top 100k WordPress sites. The source code and supporting data will be published on GitHub.<\/p>\n","protected":false},"template":"","class_list":["post-10812","session","type-session","status-publish","hentry"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v23.3 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>COMMSEC: Exploring JARM - An Active TLS Fingerprinting Algorithm - HITBSecConf2023 - Amsterdam<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/conference.hitb.org\/hitbsecconf2023ams\/session\/commsec-exploring-jarm-an-active-tls-fingerprinting-algorithm\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"COMMSEC: Exploring JARM - An Active TLS Fingerprinting Algorithm - HITBSecConf2023 - Amsterdam\" \/>\n<meta property=\"og:description\" content=\"PRESENTATION SLIDES (PDF) JARM is an active TLS fingerprinting algorithm developed by Salesforce. The algorithm could be used to cluster servers with similar TLS configuration, identify default application settings, and hunt for malware C&amp;C servers and other malicious servers. It works by sending specially crafted 10 TLS Client Hello requests, with different options, probing the [&hellip;]\" \/>\n<meta property=\"og:url\" content=\"https:\/\/conference.hitb.org\/hitbsecconf2023ams\/session\/commsec-exploring-jarm-an-active-tls-fingerprinting-algorithm\/\" \/>\n<meta property=\"og:site_name\" content=\"HITBSecConf2023 - Amsterdam\" \/>\n<meta property=\"article:modified_time\" content=\"2023-05-19T10:28:48+00:00\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data1\" content=\"1 minute\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"WebPage\",\"@id\":\"https:\/\/conference.hitb.org\/hitbsecconf2023ams\/session\/commsec-exploring-jarm-an-active-tls-fingerprinting-algorithm\/\",\"url\":\"https:\/\/conference.hitb.org\/hitbsecconf2023ams\/session\/commsec-exploring-jarm-an-active-tls-fingerprinting-algorithm\/\",\"name\":\"COMMSEC: Exploring JARM - An Active TLS Fingerprinting Algorithm - HITBSecConf2023 - Amsterdam\",\"isPartOf\":{\"@id\":\"https:\/\/conference.hitb.org\/hitbsecconf2023ams\/#website\"},\"datePublished\":\"2023-03-08T05:05:20+00:00\",\"dateModified\":\"2023-05-19T10:28:48+00:00\",\"breadcrumb\":{\"@id\":\"https:\/\/conference.hitb.org\/hitbsecconf2023ams\/session\/commsec-exploring-jarm-an-active-tls-fingerprinting-algorithm\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/conference.hitb.org\/hitbsecconf2023ams\/session\/commsec-exploring-jarm-an-active-tls-fingerprinting-algorithm\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/conference.hitb.org\/hitbsecconf2023ams\/session\/commsec-exploring-jarm-an-active-tls-fingerprinting-algorithm\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/conference.hitb.org\/hitbsecconf2023ams\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Session\",\"item\":\"https:\/\/conference.hitb.org\/hitbsecconf2023ams\/session\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"COMMSEC: Exploring JARM &#8211; An Active TLS Fingerprinting Algorithm\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/conference.hitb.org\/hitbsecconf2023ams\/#website\",\"url\":\"https:\/\/conference.hitb.org\/hitbsecconf2023ams\/\",\"name\":\"HITBSecConf2023 - Amsterdam\",\"description\":\"#HITB2021AMS\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/conference.hitb.org\/hitbsecconf2023ams\/?s={search_term_string}\"},\"query-input\":\"required name=search_term_string\"}],\"inLanguage\":\"en-US\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"COMMSEC: Exploring JARM - An Active TLS Fingerprinting Algorithm - HITBSecConf2023 - Amsterdam","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/conference.hitb.org\/hitbsecconf2023ams\/session\/commsec-exploring-jarm-an-active-tls-fingerprinting-algorithm\/","og_locale":"en_US","og_type":"article","og_title":"COMMSEC: Exploring JARM - An Active TLS Fingerprinting Algorithm - HITBSecConf2023 - Amsterdam","og_description":"PRESENTATION SLIDES (PDF) JARM is an active TLS fingerprinting algorithm developed by Salesforce. The algorithm could be used to cluster servers with similar TLS configuration, identify default application settings, and hunt for malware C&amp;C servers and other malicious servers. It works by sending specially crafted 10 TLS Client Hello requests, with different options, probing the [&hellip;]","og_url":"https:\/\/conference.hitb.org\/hitbsecconf2023ams\/session\/commsec-exploring-jarm-an-active-tls-fingerprinting-algorithm\/","og_site_name":"HITBSecConf2023 - Amsterdam","article_modified_time":"2023-05-19T10:28:48+00:00","twitter_card":"summary_large_image","twitter_misc":{"Est. reading time":"1 minute"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebPage","@id":"https:\/\/conference.hitb.org\/hitbsecconf2023ams\/session\/commsec-exploring-jarm-an-active-tls-fingerprinting-algorithm\/","url":"https:\/\/conference.hitb.org\/hitbsecconf2023ams\/session\/commsec-exploring-jarm-an-active-tls-fingerprinting-algorithm\/","name":"COMMSEC: Exploring JARM - An Active TLS Fingerprinting Algorithm - HITBSecConf2023 - Amsterdam","isPartOf":{"@id":"https:\/\/conference.hitb.org\/hitbsecconf2023ams\/#website"},"datePublished":"2023-03-08T05:05:20+00:00","dateModified":"2023-05-19T10:28:48+00:00","breadcrumb":{"@id":"https:\/\/conference.hitb.org\/hitbsecconf2023ams\/session\/commsec-exploring-jarm-an-active-tls-fingerprinting-algorithm\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/conference.hitb.org\/hitbsecconf2023ams\/session\/commsec-exploring-jarm-an-active-tls-fingerprinting-algorithm\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/conference.hitb.org\/hitbsecconf2023ams\/session\/commsec-exploring-jarm-an-active-tls-fingerprinting-algorithm\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/conference.hitb.org\/hitbsecconf2023ams\/"},{"@type":"ListItem","position":2,"name":"Session","item":"https:\/\/conference.hitb.org\/hitbsecconf2023ams\/session\/"},{"@type":"ListItem","position":3,"name":"COMMSEC: Exploring JARM &#8211; An Active TLS Fingerprinting Algorithm"}]},{"@type":"WebSite","@id":"https:\/\/conference.hitb.org\/hitbsecconf2023ams\/#website","url":"https:\/\/conference.hitb.org\/hitbsecconf2023ams\/","name":"HITBSecConf2023 - Amsterdam","description":"#HITB2021AMS","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/conference.hitb.org\/hitbsecconf2023ams\/?s={search_term_string}"},"query-input":"required name=search_term_string"}],"inLanguage":"en-US"}]}},"_links":{"self":[{"href":"https:\/\/conference.hitb.org\/hitbsecconf2023ams\/wp-json\/wp\/v2\/session\/10812"}],"collection":[{"href":"https:\/\/conference.hitb.org\/hitbsecconf2023ams\/wp-json\/wp\/v2\/session"}],"about":[{"href":"https:\/\/conference.hitb.org\/hitbsecconf2023ams\/wp-json\/wp\/v2\/types\/session"}],"wp:attachment":[{"href":"https:\/\/conference.hitb.org\/hitbsecconf2023ams\/wp-json\/wp\/v2\/media?parent=10812"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}