DissecTLS: A Scalable Active Scanner for TLS Server Configurations, Capabilities, and TLS Fingerprinting

Abstract Collecting metadata from Transport Layer Security (TLS) servers on a large scale allows to draw conclusions about their capabilities and configuration. This provides not only insights into the Internet but it enables use cases like detecting malicious Command Control (C &C) servers. However, active scanners can observe interpret behavior of TLS servers, underlying configuration implementation causing remains hidden. Existing approaches struggle between resource intensive scans that reconstruct this data light-weight fingerprinting aim differentiate without making any assumptions inner working. With work we propose DissecTLS, an scanner is both enough be used for measurements able stack. was achieved by modeling parameters stack derive scan dynamically creates scanning probes based model previous responses server. We provide comparison five in local testbed toplist targets. conducted measurement study over nine weeks fingerprint C &C analyzed popular deprecated parameter usage. Similar related work, maximum precision 99 % conservative detection threshold 100 %; at same time, improved recall factor 2.8.