<?xml version="1.0" encoding="utf-8"?>
<feed xmlns="http://www.w3.org/2005/Atom"><title>Peakhour.IO - TLS</title><link href="https://www.peakhour.io/" rel="alternate"></link><link href="https://www.peakhour.io/feeds/tag/tls.atom.xml" rel="self"></link><id>https://www.peakhour.io/</id><updated>2023-10-25T13:00:00+11:00</updated><entry><title>JA4 and JA4+ Network Fingerprinting</title><link href="https://www.peakhour.io/blog/overview-of-ja4-network-fingerprinting/" rel="alternate"></link><published>2023-10-25T13:00:00+11:00</published><updated>2023-10-25T13:00:00+11:00</updated><author><name>AC</name></author><id>tag:www.peakhour.io,2023-10-25:/blog/overview-of-ja4-network-fingerprinting/</id><summary type="html">&lt;p&gt;How JA4 constructs a TLS client fingerprint, what JA4+ names, and which details sorting and hashing discard.&lt;/p&gt;</summary><content type="html">&lt;p&gt;JA4+ is the name FoxIO uses for a family of network fingerprinting methods. JA4 itself is the TLS ClientHello method. It
builds on lessons from JA3, but the wider family also contains separate methods for servers, HTTP, certificates, TCP,
SSH and other observations.&lt;/p&gt;
&lt;h2&gt;JA4 and JA4+&lt;/h2&gt;
&lt;p&gt;JA4 produces an &lt;code&gt;a_b_c&lt;/code&gt; value. Its readable &lt;code&gt;a&lt;/code&gt; section records selected connection properties and counts. The &lt;code&gt;b&lt;/code&gt; and
&lt;code&gt;c&lt;/code&gt; sections are truncated SHA-256 values derived from normalised ClientHello fields. Analysts can compare selected
components, such as &lt;code&gt;JA4_ac&lt;/code&gt;, when the complete fingerprint is too narrow for the question being asked. Other JA4+
methods have their own inputs and specifications; they should not be treated as extra fields inside core JA4.&lt;/p&gt;
&lt;p&gt;JA4+ consists of various components:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;JA4&lt;/strong&gt;: TLS Client&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;JA4S&lt;/strong&gt;: TLS Server Response&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;JA4H&lt;/strong&gt;: HTTP Client&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;JA4L&lt;/strong&gt;: Light Distance/Location&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;JA4X&lt;/strong&gt;: X509 TLS Certificate&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;JA4SSH&lt;/strong&gt;: SSH Traffic&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;For a more thorough breakdown, the &lt;a href="https://blog.foxio.io/ja4-network-fingerprinting-9376fe9ca637"&gt;JA4 blog&lt;/a&gt; provides
the announcement and describes the fingerprints.&lt;/p&gt;
&lt;p&gt;JA4+ brings useful improvements, but a few aspects and quirks deserve closer attention.&lt;/p&gt;
&lt;h2&gt;What sorting changes&lt;/h2&gt;
&lt;p&gt;JA4 sorts cipher identifiers and most extension identifiers before hashing them. This was especially useful after
Chrome began permuting TLS extension order. Sorting puts those permutations back into one cohort. It also discards the
order as evidence. That is the trade-off: a more stable identifier retains less information about how the ClientHello
was serialised.&lt;/p&gt;
&lt;p&gt;Where investigation matters, retain the raw JA4 form as well as the compact value. &lt;code&gt;JA4_r&lt;/code&gt; exposes the normalised
cipher, extension and signature-algorithm lists, which makes a difference easier to inspect.&lt;/p&gt;
&lt;p&gt;The &lt;a href="https://www.peakhour.io/blog/tls-fingerprinting/"&gt;overview of TLS fingerprinting&lt;/a&gt; provides a more in-depth explanation of how a TLS signature is formed.&lt;/p&gt;
&lt;p&gt;Chrome's change was intended to stop servers and middleboxes from depending on one fixed extension order. In our
&lt;a href="/blog/tls-extension-randomisation/"&gt;extension-randomisation analysis&lt;/a&gt;, the number of order-sensitive TLS fingerprints
rose sharply after the rollout. Sorting reduced that artificial fragmentation. It did not make the resulting value a
client identity, and it did not preserve every distinction in the original handshake.&lt;/p&gt;
&lt;h2&gt;JA3 and Mercury took different paths&lt;/h2&gt;
&lt;p&gt;Before digging further into JA4+'s features and limitations, it helps to separate two related lineages. The
&lt;a href="https://github.com/salesforce/ja3"&gt;original JA3&lt;/a&gt; established a portable TLS fingerprint that was easy to share and
match. Cisco Mercury developed a richer protocol representation and a separate destination-context classification
system. Mercury is not a predecessor in the JA3-to-JA4 naming line. Our &lt;a href="/blog/two-lineages-tls-fingerprinting/"&gt;history of the two lineages&lt;/a&gt;
explains where their work overlaps and where it does not.&lt;/p&gt;
&lt;h2&gt;Implementation differences still matter&lt;/h2&gt;
&lt;p&gt;While sharing signatures through SHA is appealing, it has limits, most notably potential compatibility issues. As Fastly
&lt;a href="https://www.fastly.com/blog/the-state-of-tls-fingerprinting-whats-working-what-isnt-and-whats-next"&gt;noted&lt;/a&gt;, differences
in the implementation can be hidden behind the SHA hash, causing issues when searching for and correlating signatures
between different services. Record the implementation and version that generated a value; a shared format name does not
prove that two sensors handled every field identically.&lt;/p&gt;
&lt;h2&gt;Check the method, implementation and licence&lt;/h2&gt;
&lt;p&gt;The &lt;a href="https://github.com/FoxIO-LLC/ja4"&gt;official JA4+ repository&lt;/a&gt; contains the current specifications and implementations.
Check the licence for the individual method before adopting it: core JA4 is BSD-3-Clause, while most other JA4+ methods
use the FoxIO Licence and place additional conditions on commercial use.&lt;/p&gt;
&lt;p&gt;For a field-level example rather than a format summary, our &lt;a href="/blog/one-clienthello-ja3-ja4-mercury-lab/"&gt;same-ClientHello lab&lt;/a&gt;
records JA3, JA4, &lt;code&gt;JA4_r&lt;/code&gt; and Mercury NPF output from one packet and pins the implementations that generated them.&lt;/p&gt;</content><category term="Security"></category><category term="TLS Fingerprinting"></category><category term="Fingerprinting"></category><category term="Browser Fingerprinting"></category><category term="TLS"></category><category term="SOC 2"></category><category term="Threat Detection"></category></entry><entry><title>A Secure Internet</title><link href="https://www.peakhour.io/blog/chrome-https-default-experiment/" rel="alternate"></link><published>2023-08-16T00:00:00+10:00</published><updated>2023-08-16T00:00:00+10:00</updated><author><name>AC</name></author><id>tag:www.peakhour.io,2023-08-16:/blog/chrome-https-default-experiment/</id><summary type="html">&lt;p&gt;Google Chrome is advancing towards making the web secure by default through HTTPS-First Mode.&lt;/p&gt;</summary><content type="html">&lt;p&gt;Here at Peakhour, we track browser security changes because they affect how sites are delivered and how users experience
warnings. Google Chrome has made another move towards encrypted and authenticated traffic by expanding HTTPS-First Mode.
Here is what Chrome unveiled on August 16, 2023, and what it means for HTTPS by default.&lt;/p&gt;
&lt;h2&gt;Automatic Upgrades to HTTPS&lt;/h2&gt;
&lt;p&gt;Chrome aims to make HTTPS the standard protocol by automatically upgrading all HTTP navigations to HTTPS. Even if you
click a link explicitly declaring HTTP, Chrome will try HTTPS first. If the upgrade fails because of an invalid
certificate or another issue, Chrome will fall back to HTTP.&lt;/p&gt;
&lt;p&gt;The change is part of an experiment in Chrome version 115. It does not protect against active network attackers, but it
does shift more everyday traffic away from passive eavesdropping and towards HTTPS as the default.&lt;/p&gt;
&lt;h2&gt;Warning on Insecurely Downloaded Files&lt;/h2&gt;
&lt;p&gt;Chrome is also adding warnings before users download high-risk files over insecure connections. Downloaded files can
contain malicious code that compromises a computer. The warning gives users a clearer signal before they proceed, while
still allowing the download if they accept the risk. The rollout of these warnings is expected to start in mid-September.&lt;/p&gt;
&lt;h2&gt;Expanding HTTPS-First Mode Protections&lt;/h2&gt;
&lt;p&gt;Chrome's longer-term goal is to enable HTTPS-First Mode for all users. It is expanding those protections in several
areas:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;Enabling HTTPS-First Mode for users in Google's Advanced Protection Program who are also signed into Chrome.&lt;/li&gt;
&lt;li&gt;Planning to enable HTTPS-First Mode by default in Incognito Mode for a more secure browsing experience.&lt;/li&gt;
&lt;li&gt;Experimenting with automatically enabling HTTPS-First Mode on sites frequently accessed over HTTPS.&lt;/li&gt;
&lt;li&gt;Exploring automatically enabling HTTPS-First Mode for users who rarely use HTTP.&lt;/li&gt;
&lt;/ul&gt;
&lt;h2&gt;Try it Out&lt;/h2&gt;
&lt;p&gt;For users who want to try HTTPS upgrading or insecure download warnings before the full rollout, Chrome has provided
options in the browser's settings to enable these features.&lt;/p&gt;
&lt;h2&gt;Peakhour's HTTPS Redirection Feature at the Edge&lt;/h2&gt;
&lt;p&gt;At Peakhour, HTTPS redirection is a practical edge control. It helps enforce encrypted and authenticated connections
before a request reaches the origin.&lt;/p&gt;
&lt;p&gt;When a user attempts to access a site over HTTP, our edge identifies the unsecured connection. Instead of allowing that
connection through, we redirect the request to the HTTPS version of the site.&lt;/p&gt;
&lt;ol&gt;
&lt;li&gt;&lt;strong&gt;Enhanced Security&lt;/strong&gt;: By enforcing HTTPS, data transmitted between your website and your users is encrypted and
   protected from potential attackers.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Compliance with Best Practices&lt;/strong&gt;: This feature aligns with industry standards and recent browser policies, including
   Chrome's push towards HTTPS-first mode.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;User Trust&lt;/strong&gt;: A secure connection gives users a clearer reason to trust the site, improving the user experience and
   potentially supporting higher conversion rates.&lt;/li&gt;
&lt;/ol&gt;
&lt;p&gt;We also offer options for customisation, allowing you to set specific rules and behaviours for how HTTP requests are
handled and redirected to HTTPS. Peakhour's HTTPS redirection feature at the edge is a small control with a clear job:
move HTTP traffic onto HTTPS automatically, protect users, and keep sites aligned with current browser expectations.&lt;/p&gt;
&lt;h2&gt;Final Thoughts&lt;/h2&gt;
&lt;p&gt;Chrome's push towards a secure-by-default web is another step towards a fully encrypted and authenticated internet. It
also matches the way Peakhour thinks about everyday security controls: enforce the basics at the edge, and make the safe
path the default.&lt;/p&gt;
&lt;p&gt;Chrome's changes may require developers, enterprises, and users to adapt. The direction is still clear: less plain HTTP,
more HTTPS by default, and fewer silent insecure paths. If your organisation is reviewing its HTTP handling, Peakhour can
help you apply the right redirects and edge rules.&lt;/p&gt;</content><category term="Interest"></category><category term="TLS"></category><category term="HTTP"></category></entry><entry><title>Chrome's TLS Extension Randomisation Experiment</title><link href="https://www.peakhour.io/blog/tls-extension-randomisation/" rel="alternate"></link><published>2023-02-02T13:00:00+11:00</published><updated>2023-02-02T13:00:00+11:00</updated><author><name>AC</name></author><id>tag:www.peakhour.io,2023-02-02:/blog/tls-extension-randomisation/</id><summary type="html">&lt;p&gt;Does TLS extension randomisation assist in hiding Chrome?&lt;/p&gt;</summary><content type="html">&lt;p&gt;&lt;a href="/blog/tls-fingerprinting/"&gt;Transport Layer Security (TLS) fingerprinting&lt;/a&gt; is a commonly used
technique for identifying client processes. To reduce the
risk of server and middlebox fingerprinting of Chrome's current
ClientHello and to make the TLS ecosystem more resilient to changes,
Google Chrome ran an experiment to randomise a portion of
the TLS fingerprint. This experiment was included in Chrome version 108,
which was released on December 8, 2022. You can read the status of the
current experiment on the &lt;a href="https://chromestatus.com/feature/5124606246518784"&gt;chrome status site&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;The aim of this experiment was to make it more difficult for server
implementers to fingerprint Chrome and assume specific implementation
behaviour from a fixed extension order. By randomly ordering
extensions (subject to the pre_shared_key constraint in the RFC),
Chrome hoped to reduce the risk of server and middlebox fixating on
details of its current ClientHello.&lt;/p&gt;
&lt;p&gt;&lt;img alt="unique-tls-fingerprints-over-time" src="/static/images/blog/tls-unsorted-extensions.png"&gt;&lt;/p&gt;
&lt;p&gt;&lt;em&gt;The above graph correlates to the Chrome experiment and subsequent
release of the feature. The number of unique TLS signatures dramatically
increased.&lt;/em&gt;&lt;/p&gt;
&lt;p&gt;From Peakhour data, we can see a large number of unique
fingerprints appearing since the date of the experiment, making it
very difficult to identify the Chrome network stack by a TLS
fingerprint alone. However, &lt;a href="https://hnull.org/2022/12/01/sorting-out-randomized-tls-fingerprints/"&gt;an analysis&lt;/a&gt; by
David McGrew,
a Cisco Fellow, cast doubt on the effectiveness of this experiment. In his
article, McGrew proposed a lexicographical sorting of TLS extensions and
found that 98.8% of signatures were unique after sorting. He argues that
the canonical ordering of the TLS extensions in the TLS fingerprint can
achieve nearly the same level of entropy as randomising them and still
be effective at client identification. Furthermore, he claims that the
RFC should be amended to state that extensions SHOULD be sent in an
ordered fashion in the ClientHello packet. McGrew also highlights the
potential dangers of allowing unordered extension lists, as it could
create a \"subliminal channel\" that could be used for tracking or
transmitting information. Let's now graph, over the same period, the number
of TLS signatures with TLS extension sorting.&lt;/p&gt;
&lt;p&gt;&lt;img alt="unique-tls-fingerprints-sorted-extensions-over-time" src="/static/images/blog/tls-sorted-extensions.png"&gt;&lt;/p&gt;
&lt;p&gt;&lt;em&gt;The above graph correlates to David's assertion that sorting TLS
extensions has minimal impact on TLS fingerprinting.&lt;/em&gt;&lt;/p&gt;
&lt;p&gt;It appears that David's assertion is correct: sorting TLS extensions has
minimal impact on the number of unique TLS fingerprints. Let's now look
at in-the-wild Chrome 109 data:&lt;/p&gt;
&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;&lt;strong&gt;Hashed sorted TLS Fingerprint&lt;/strong&gt;&lt;/th&gt;
&lt;th&gt;&lt;strong&gt;Unique unsorted TLS fingerprints&lt;/strong&gt;&lt;/th&gt;
&lt;th&gt;&lt;strong&gt;Browser&lt;/strong&gt;&lt;/th&gt;
&lt;th&gt;&lt;strong&gt;Version&lt;/strong&gt;&lt;/th&gt;
&lt;th&gt;&lt;strong&gt;% of clients&lt;/strong&gt;&lt;/th&gt;
&lt;th&gt;&lt;strong&gt;% of hits&lt;/strong&gt;&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;3241796329&lt;/td&gt;
&lt;td&gt;2&lt;/td&gt;
&lt;td&gt;Chrome Mobile WebView&lt;/td&gt;
&lt;td&gt;109&lt;/td&gt;
&lt;td&gt;6.14&lt;/td&gt;
&lt;td&gt;1.01&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;3313291307&lt;/td&gt;
&lt;td&gt;8566&lt;/td&gt;
&lt;td&gt;Chrome&lt;/td&gt;
&lt;td&gt;109&lt;/td&gt;
&lt;td&gt;1.83&lt;/td&gt;
&lt;td&gt;1.54&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;1537819294&lt;/td&gt;
&lt;td&gt;26587&lt;/td&gt;
&lt;td&gt;Chrome Mobile&lt;/td&gt;
&lt;td&gt;109&lt;/td&gt;
&lt;td&gt;6.05&lt;/td&gt;
&lt;td&gt;4.64&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;3944870384&lt;/td&gt;
&lt;td&gt;1&lt;/td&gt;
&lt;td&gt;Chrome Mobile iOS&lt;/td&gt;
&lt;td&gt;109&lt;/td&gt;
&lt;td&gt;4.31&lt;/td&gt;
&lt;td&gt;5.35&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;3241796329&lt;/td&gt;
&lt;td&gt;51594&lt;/td&gt;
&lt;td&gt;Chrome Mobile&lt;/td&gt;
&lt;td&gt;109&lt;/td&gt;
&lt;td&gt;16.9&lt;/td&gt;
&lt;td&gt;14.43&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;1537819294&lt;/td&gt;
&lt;td&gt;121346&lt;/td&gt;
&lt;td&gt;Chrome&lt;/td&gt;
&lt;td&gt;109&lt;/td&gt;
&lt;td&gt;15.66&lt;/td&gt;
&lt;td&gt;20.7&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;3241796329&lt;/td&gt;
&lt;td&gt;156405&lt;/td&gt;
&lt;td&gt;Chrome&lt;/td&gt;
&lt;td&gt;109&lt;/td&gt;
&lt;td&gt;35.52&lt;/td&gt;
&lt;td&gt;37.79&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;
&lt;p&gt;&lt;em&gt;It's interesting that the experiment does not run on WebView.&lt;/em&gt;&lt;/p&gt;
&lt;h2&gt;Final Thoughts&lt;/h2&gt;
&lt;p&gt;While Chrome's experiment may have reduced the risk of
server and middlebox fingerprinting of Chrome's current ClientHello, it
seems that randomising TLS extensions alone is not enough to
prevent TLS fingerprinting, and may be a useful indicator that
it is The Real Chrome.&lt;/p&gt;
&lt;p&gt;This experiment became one of the reasons newer formats normalise extension order. Our &lt;a href="/blog/one-clienthello-ja3-ja4-mercury-lab/"&gt;JA3, JA4 and Mercury lab&lt;/a&gt; shows exactly where each format keeps, sorts or discards ClientHello detail. The accompanying &lt;a href="/blog/two-lineages-tls-fingerprinting/"&gt;history of the two TLS fingerprinting lineages&lt;/a&gt; explains why Cisco Mercury and JA4 made related but different design choices.&lt;/p&gt;
&lt;p&gt;The remaining research question is whether discarded order ever helps distinguish an imitator or evasive client. &lt;a href="/blog/tls-fingerprint-canonicalisation-attacker-variation/"&gt;Does TLS fingerprint canonicalisation hide useful attacker variation?&lt;/a&gt; defines the labelled corpus and holdout study needed to answer it without confusing uniqueness with detection accuracy.&lt;/p&gt;</content><category term="Security"></category><category term="TLS Fingerprinting"></category><category term="TLS"></category><category term="Browser Fingerprinting"></category><category term="Fingerprinting"></category><category term="API Security"></category></entry><entry><title>TLS Fingerprinting</title><link href="https://www.peakhour.io/blog/tls-fingerprinting/" rel="alternate"></link><published>2023-02-02T13:00:00+11:00</published><updated>2023-02-02T13:00:00+11:00</updated><author><name>AC</name></author><id>tag:www.peakhour.io,2023-02-02:/blog/tls-fingerprinting/</id><summary type="html">&lt;p&gt;What is fingerprinting, and in particular TLS fingerprinting?&lt;/p&gt;</summary><content type="html">&lt;h2&gt;What is Fingerprinting?&lt;/h2&gt;
&lt;p&gt;Fingerprinting is a technique that may be used to identify the specific device, web browser,
and operating system making a request, regardless of what the client says in its user-agent header.
By helping organisations identify and characterise the attributes of a client's connection,
fingerprinting can improve network security and help protect against malicious traffic.&lt;/p&gt;
&lt;p&gt;Fingerprinting can also refer to techniques for following or uniquely identifying individual users across the web.
That is a separate set of techniques and is not discussed in this article.&lt;/p&gt;
&lt;p&gt;&lt;a href="/learning/fingerprinting/what-is-tls-fingerprinting/"&gt;Transport Layer Security (TLS) Fingerprinting&lt;/a&gt; determines the specific characteristics of a client's TLS
implementation by examining the initial TLS handshake packet, known as the "Client Hello." This packet
contains fields and parameters such as supported cipher suites, extensions, and the client's preferred order of
those parameters, which can be used to create a unique "fingerprint" of the client's TLS implementation.&lt;/p&gt;
&lt;h2&gt;Why is it used?&lt;/h2&gt;
&lt;p&gt;Fingerprinting has several uses, including &lt;a href="/products/bot-management/"&gt;bot protection&lt;/a&gt;, DDoS protection, and client
identification. By identifying and characterising the attributes of a client's connection,
fingerprinting can improve network security and help protect against malicious traffic.&lt;/p&gt;
&lt;h2&gt;How does TLS Fingerprinting work?&lt;/h2&gt;
&lt;p&gt;TLS Fingerprinting examines the initial TLS handshake packet, known as the "Client Hello".
The Client Hello packet is sent by the client during the initial phase of the TLS handshake, which establishes a secure
connection between the client and the server. It contains information about the client's preferred encryption methods,
extensions, and parameters, including:&lt;/p&gt;
&lt;ol&gt;
&lt;li&gt;Protocol Version: The version of the TLS protocol desired by the client.&lt;/li&gt;
&lt;li&gt;Random: A 32-byte random value generated by the client, used in key generation and derivation.&lt;/li&gt;
&lt;li&gt;Session ID: An optional session identifier for resuming a previous session.&lt;/li&gt;
&lt;li&gt;Cipher Suites: A list of supported encryption algorithms, ordered by preference.&lt;/li&gt;
&lt;li&gt;Compression Methods: A list of supported compression algorithms, ordered by preference.&lt;/li&gt;
&lt;li&gt;Extensions: Optional extensions that can negotiate additional parameters, such as Server Name Indication (SNI) and
   Elliptic Curve Supported (ECS).&lt;/li&gt;
&lt;/ol&gt;
&lt;p&gt;The Client Hello packet is central to the operation and security of the TLS connection because it provides information
the server uses to select encryption algorithms and parameters. The packet also enables the client and server to
negotiate an appropriate encryption method for their communication. The Client Hello's variable
content, based on the TLS version, library, cipher suites, extensions, and settings supported by the client, makes it
a strong candidate for fingerprinting.&lt;/p&gt;
&lt;p&gt;Common components used to create a TLS fingerprint include:&lt;/p&gt;
&lt;ol&gt;
&lt;li&gt;Cipher Suites: The order of cipher suites supported by the client.&lt;/li&gt;
&lt;li&gt;Extensions: Supported extensions included in the Client Hello packet, such as SNI and ECS.&lt;/li&gt;
&lt;li&gt;TLS Point Formats: Encoding of cryptographic parameters in a format that can be transmitted as part of the TLS
   protocol, used in elliptic curve cryptography (ECC).&lt;/li&gt;
&lt;li&gt;TLS Curves: The specific elliptic curves used in ECC, a type of public-key cryptography used in the TLS protocol.&lt;/li&gt;
&lt;/ol&gt;
&lt;p&gt;TLS fingerprinting has been a topic of research for several years, with a number of tools and techniques developed
from that work. Notable examples include &lt;a href="/learning/fingerprinting/what-is-ja3-fingerprinting/"&gt;JA3&lt;/a&gt;, developed by John Althouse, Jeff Atkinson, and Josh Atkins of Salesforce,
which uses a hash of the client's SSL/TLS parameters as a unique identifier for tracking and analysing
SSL/TLS traffic. Another tool, Mercury by David McGrew and Blake Anderson, can be used to fingerprint client connections
and identify the device, operating system, and application making the connection.&lt;/p&gt;
&lt;p&gt;TLS fingerprinting has a variety of uses, including bot protection, DDoS protection, malware identification and
client identification. By enabling organisations to identify and characterise the attributes of a client's TLS
implementation, TLS fingerprinting can improve network security and help protect against malicious traffic.&lt;/p&gt;
&lt;p&gt;In production, TLS fingerprints are most useful when combined with &lt;a href="/products/ip-intelligence/"&gt;IP intelligence&lt;/a&gt; and &lt;a href="/products/residential-proxy-detection/"&gt;residential proxy detection&lt;/a&gt;, rather than treated as a standalone verdict.&lt;/p&gt;
&lt;h2&gt;Representation of a TLS Fingerprint&lt;/h2&gt;
&lt;p&gt;A TLS fingerprint is commonly represented as a string or hash that summarises the important components of the Client
Hello packet. The most common components used to create a TLS fingerprint include the supported cipher suites,
extensions, and TLS point formats. The cipher suites are represented as a list of hexadecimal values in the order
they are presented by the client, while extensions and point formats are represented as a list of hexadecimal values
or a unique identifier.&lt;/p&gt;
&lt;p&gt;Raw JA3 signatures are represented by the following fields, which are then hashed with MD5:&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre&gt;&lt;span&gt;&lt;/span&gt;&lt;code&gt;SSLVersion, Cipher, SSLExtension, EllipticCurve, EllipticCurvePointFormat
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;

&lt;p&gt;An example raw signature is:&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre&gt;&lt;span&gt;&lt;/span&gt;&lt;code&gt; 771,4865-4867-4866-49195-49199-52393-52392-49196-49200-49162-49161-49171-49172-156-157-47-53,0-23-65281-10-11-35-16-5-34-51-43-13-45-28-21,29-23-24-25-256-257,0
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;

&lt;p&gt;An MD5 hash is then applied, resulting in the final signature.&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre&gt;&lt;span&gt;&lt;/span&gt;&lt;code&gt;&lt;span class="mf"&gt;579&lt;/span&gt;&lt;span class="n"&gt;ccef312d18482fc42e2b822ca2430&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;

&lt;p&gt;Mercury signatures are represented by:&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre&gt;&lt;span&gt;&lt;/span&gt;&lt;code&gt;&amp;quot;tls/1&amp;quot; (TLS_Version) (TLS_Ciphersuite) [ Extension* ]
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;

&lt;p&gt;An example signature is:&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre&gt;&lt;span&gt;&lt;/span&gt;&lt;code&gt;tls/1/
(0303)
(130213031301c02cc030009fcca9cca8ccaac02bc02f009ec024c028006bc023c0270067c00ac0140039c009c0130033009d009c003d003c0035002f00ff)
[
   (0000)
   (000a000c000a001d0017001e00190018)
   (000b000403000102)
   (000d0030002e040305030603080708080809080a080b080408050806040105010601030302030301020103020202040205020602)
   (0016)
   (0017)
   (0023)
   (002b0009080304030303020301)
   (002d00020101)
   (0033)
]
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;

&lt;h2&gt;Hash Functions for Representing TLS Fingerprints&lt;/h2&gt;
&lt;p&gt;Hashing algorithms, such as MD5, are commonly used to create a unique representation of a TLS fingerprint.
These hash functions take the client's TLS parameters as input and produce a fixed-length output, which serves as
a unique identifier for the client. The hash value can be compared against a database of known TLS fingerprints to
help determine the identity of the client.&lt;/p&gt;
&lt;p&gt;Other techniques for representing TLS fingerprints include base64 encoding of the client's TLS parameters, such as in the
Mercury fingerprint.&lt;/p&gt;
&lt;h2&gt;Challenges with TLS fingerprinting&lt;/h2&gt;
&lt;p&gt;TLS fingerprinting is not a foolproof method for identifying clients and their attributes. It has several limitations
that need to be considered.&lt;/p&gt;
&lt;ol&gt;
&lt;li&gt;False Positives: TLS fingerprinting relies on the assumption that the client's Client Hello packet uniquely
   identifies a connecting process by its TLS implementation. However, it is possible for a client to alter the Client
   Hello packet by customising TLS parameters, which affects the Client Hello packet and can result in a false
   positive
   identification. This makes it important to use multiple methods for identifying clients. For example, Mercury takes
   into account destination ports to add additional context.&lt;/li&gt;
&lt;li&gt;False Negatives: While TLS fingerprinting can identify many different clients and their attributes, it is not capable
   of identifying all clients. Some clients may have a unique or unusual TLS implementation that cannot be accurately
   fingerprinted. Additionally, some clients may actively attempt to evade fingerprinting by customising
   TLS parameters or using tools to anonymise their connections.&lt;/li&gt;
&lt;li&gt;Forging of TLS Fingerprints: It is possible for attackers to deliberately forge or modify the information contained
   in their Client Hello packet to appear as a different client. This makes it difficult for fingerprinting tools to
   accurately identify the true identity of a client and can be used for malicious purposes, such as evading security
   measures or disguising the origin of an attack.&lt;/li&gt;
&lt;li&gt;Incomplete Data: TLS fingerprinting is limited by the information contained in the Client Hello packet, which may not
   contain all of the necessary data to accurately identify a client. For example, a client may not send a full list of
   supported cipher suites or extensions, may use a modified version of the TLS protocol that is not recognised by
   the fingerprinting tool, or the fingerprint may not be present in available databases.&lt;/li&gt;
&lt;/ol&gt;
&lt;p&gt;Different fingerprinting implementations can result in different hashes for the same TLS connection, even though the
underlying SSL/TLS protocol remains unchanged. This happens due to the various algorithms, parameters, and
representations used by different fingerprinting tools.&lt;/p&gt;
&lt;p&gt;For instance, implementation differences when generating the TLS fingerprint may cause hashes found in public databases
to be inconsistent with a locally generated hash.&lt;/p&gt;
&lt;h2&gt;Final Thoughts&lt;/h2&gt;
&lt;p&gt;Be aware of the limitations and differences between fingerprinting implementations, and choose the right tool and
representation for your specific use case. Standardising the representation of fingerprints and using common hash
algorithms can help avoid confusion and improve interoperability between databases.&lt;/p&gt;</content><category term="Security"></category><category term="TLS Fingerprinting"></category><category term="Browser Fingerprinting"></category><category term="Fingerprinting"></category><category term="TLS"></category><category term="HTTP"></category><category term="DDoS"></category></entry><entry><title>Setting Up A Chia Hobby Farm</title><link href="https://www.peakhour.io/blog/setting-up-a-chia-hobby-farm/" rel="alternate"></link><published>2021-04-30T13:00:00+10:00</published><updated>2021-04-30T13:00:00+10:00</updated><author><name>Dan</name></author><id>tag:www.peakhour.io,2021-04-30:/blog/setting-up-a-chia-hobby-farm/</id><summary type="html">&lt;p&gt;Chia is a new blockchain aiming to one up Bitcoin that's taking the crypto world by storm. We decided to jump on the bandwagon.&lt;/p&gt;</summary><content type="html">&lt;p&gt;Here at Peakhour, when we're not making websites faster and more secure, we like new tech and we like a good scheme. We ran Seti@home while at uni,
and mined some bitcoin back in its early days (unfortunately we don’t have them anymore). Just recently we
decided to set up a Chia farm, not the super-food Chia, but the new crypto coin Chia!&lt;/p&gt;
&lt;h2&gt;What is Chia?&lt;/h2&gt;
&lt;p&gt;Chia is not just a cryptocurrency; it is a brand new blockchain and smart transaction platform that implements the first new
&lt;a href="https://coinmarketcap.com/alexandria/article/what-is-the-nakamoto-consensus" target="new"&gt;Nakamoto consensus&lt;/a&gt; algorithm since Bitcoin.
It was invented by the engineer behind BitTorrent, Bram Cohen, who set out to address the shortcomings of Bitcoin.&lt;/p&gt;
&lt;p&gt;The &lt;a href="https://www.chia.net" target="new"&gt;Chia network&lt;/a&gt; is set to officially launch on May 3rd, and the crypto world is going crazy getting ready.&lt;/p&gt;
&lt;h2&gt;I thought Bitcoin was great, what’s wrong with it?&lt;/h2&gt;
&lt;p&gt;The major flaws that Chia sets out to address are:&lt;/p&gt;
&lt;h3&gt;The environmental impact&lt;/h3&gt;
&lt;p&gt;Without getting too technical, Bitcoin relies on very intensive computations to verify transactions (Proof of work).
These computations are carried out by 'miners' who are rewarded for their efforts from an ever decreasing pool of
possible bitcoin. As the blockchain gets older, the verification gets harder, and as a result the Bitcoin network is now
consuming as much electricity as a &lt;a href="https://www.bloomberg.com/news/articles/2021-04-13/bitcoin-power-consumption-jumped-66-fold-since-2015-citi-says" target="new"&gt;mid-sized country like Argentina&lt;/a&gt;.
Huge mining operations have been set up in China,
and some even have dedicated power plants. One poster child for the environmental impacts of bitcoin is an Australian
startup looking to &lt;a href="https://www.cnet.com/news/blockchain-coal-power-plant-mining-bitcoin-cryptocurrency/" target="new"&gt;reopen a decommissioned coal power plant to power its mining operations&lt;/a&gt;.&lt;/p&gt;
&lt;h3&gt;Possibility of manipulation&lt;/h3&gt;
&lt;p&gt;The huge energy requirements have led to massive server farms in cool regions near cheap electricity, concentrating
mining in the hands of a few large players. This centralisation opens up Bitcoin to the possibility of manipulation
as anyone with 50% of the network can effectively change the blockchain.&lt;/p&gt;
&lt;h2&gt;How does Chia address these issues with Bitcoin?&lt;/h2&gt;
&lt;p&gt;Chia has implemented a new consensus algorithm called proof of space and time. It relies on unused hard disk space,
which lots of people have and can use free of charge. Again, without getting too technical, 'Farmers' seed unused
space on their hard drive/SSD with 'plots' of cryptographic numbers. When verifying transactions, the network issues a
challenge to the farmers, who then scan their plots for the closest answer. The farmer passes this answer back to a server on
the network known as a 'timelord'. The farmer with the closest answer is rewarded with a coin.&lt;/p&gt;
&lt;p&gt;The more 'plots' a farmer has, the higher the chance of winning a coin.&lt;/p&gt;
&lt;h2&gt;Setting up the Farm&lt;/h2&gt;
&lt;p&gt;We got excited about the idea of Chia being the next big thing and decided to hitch a ride on the bandwagon. We had a spare old
computer lying around, so we decided to fill it up with as much storage as we could find and farm some Chia!&lt;/p&gt;
&lt;p&gt;To set up a farm you need as much space for plots as you can get your hands on. The speed of this space
is not critical, so you can use spinning drives. We found 12-terabyte NAS drives to be the sweet spot for bang for buck,
and opted for 4x Seagate Ironwolf NAS drives from Scorptec. (Note: they’ve gone up $40 since we bought them!)&lt;/p&gt;
&lt;p&gt;Seeding the plots, however, is VERY disk intensive, so you need speedy and reliable SSDs. Since they don't have moving
parts you'd think that SSDs would be very reliable, but just like spinning drives, they wear out and eventually die.
SSDs come with a TBW (Terabytes Written) rating which estimates the amount of writes you can do before the drive will die.
Popular consumer SSDs like a 500GB Samsung EVO 870 have a TBW rating of 300. Chia recommends getting server-grade SSDs
that have ratings into the Petabytes, but of course they come with a price to match.&lt;/p&gt;
&lt;p&gt;We were limited by the age of our available motherboard, so we could only choose from SATA3-compatible drives. Appropriate enterprise
SSDs were also unavailable, so in the end we settled on 500GB Seagate Firecuda 120s that are rated at 700 TBW (also
from Scorptec). We decided on two so we could double the plotting rate.&lt;/p&gt;
&lt;p&gt;Now we had our hands on the drives, we just had to install everything. Within a few hours of transferring components and
wiring it up we were good to go and started plotting.&lt;/p&gt;
&lt;div class="text-center"&gt;
&lt;img src="/static/images/blog/chia-farm.jpg" alt="HTTP Request Detail" style="width: 60%;" /&gt;&lt;br/&gt;
&lt;em&gt;Our Chia Farm!&lt;/em&gt;
&lt;/div&gt;

&lt;h2&gt;Final Thoughts&lt;/h2&gt;
&lt;p&gt;Our old hardware limits the speed of the SSDs and therefore the number of plots we generate. We're managing around 10 plots a day and will need close to 500 before we’ve filled the available storage.&lt;/p&gt;
&lt;p&gt;When we bought our equipment (28th April) the &lt;a href="https://chiacalculator.com/" target="new"&gt;chia calculator&lt;/a&gt; showed
that we’d be earning around a coin a day when fully plotted. However, with the official launch of Chia imminent, the network has exploded in growth, passing 1 Exabyte (1000 Terabytes) just one day ago. It's now up to 1.68 Exabytes! So unfortunately our estimated time to a coin is down to one every 7 days. That’s still pretty good though, and if Chia does end up supplanting Bitcoin we might just make back the setup costs.
It has been a fun exercise, even if we did spend too long on it, and if it does end up being a flash in the pan we can always use the drives for something else….&lt;/p&gt;</content><category term="Interest"></category><category term="Features"></category><category term="Machine Learning"></category><category term="Networking"></category><category term="Residential Proxies"></category><category term="TLS"></category><category term="CDN"></category></entry></feed>