HTTP Client Fingerprinting Using SSL Handshake Analysis

A cipher suite, in SSL, is a collection of cryptographic techniques that defines a secure communication channel. There are hundreds of cipher suites, and they are all built out of a dozen or so basic building blocks: key exchange, encryption and integrity validation algorithms. Different programs often use different cipher suites. By observing the list of supported cipher suites one can determine the maximal communication strength, and often even guess the make of the SSL client on the other side.

Possible uses:

Proof of Concept

To obtain the list of supported cipher suites you need to have direct access to the connection data stream, which can be obtained either by sniffing on a network interface or by altering the server application that's handling one end of a SSL connection. Our proof of concept implementation is an Apache module (mod_sslhaf) that passively monitors initial SSL handshakes to extract SSL client capabilities, making it possible to log such information.

You can get mod_sslhaf from its GitHub repository: