The encryption of network traffic complicates legitimate network monitoring, traffic analysis, and network forensics. In this paper, we present real-time lightweight identification of HTTPS clients based on network monitoring and SSL/TLS fingerprinting. Our experiment shows that it is possible to estimate the User-Agent of a client in HTTPS communication via the analysis of the SSL/TLS handshak...

Abstract— Bot networks are a serious threat to cyber security, whose destructive behavior affects network performance directly. Detecting of infected HTTP communications is a big challenge because infected HTTP connections are clearly merged with other types of HTTP traffic. Cybercriminals prefer to use the web as a communication environment to launch application layer attacks and secretly enga...

Network forensics is increasingly hampered by the ubiquitous use of encrypted channels by legitimate and illegitimate network traffic. Both types of traffic are frequently tunneled over application-layer encryption mechanisms, generally using the ubiquitous TLS (SSL) protocol. This results in traditional network forensics tools being largely limited to recording external characteristics (source...

To filter SSL/TLS-protected traffic, some antivirus and parental-control applications interpose a TLS proxy in the middle of the host’s communications. We set out to analyze such proxies as there are known problems in other (more matured) TLS processing engines, such as browsers and common TLS libraries. Compared to regular proxies, client-end TLS proxies impose several unique constraints, and ...

To filter SSL/TLS-protected traffic, some antivirus and parental-control applications interpose a TLS proxy in the middle of the host’s communications. We set out to analyze such proxies as there are known problems in other (more matured) TLS processing engines, such as browsers and common TLS libraries. Compared to regular proxies, client-end TLS proxies impose several unique constraints, and ...

This document describes the use of Transport Layer Security (TLS) to provide privacy for DNS. Encryption provided by TLS eliminates opportunities for eavesdropping and on-path tampering with DNS queries in the network, such as discussed in RFC 7626. In addition, this document specifies two usage profiles for DNS over TLS and provides advice on performance considerations to minimize overhead fro...

This memo proposes a mechanism to upgrade HTTP/1.1 connections to use Transport Layer Security (TLS). Using an Upgrade: TLS/x.y request header would allow unsecured and secured traffic to share the same port (in this case, 80). A companion document describes the current practice of using a separate port for HTTP over TLS, .

FUS/TLS is a nucleic acid binding protein that, when mutated, can cause a subset of familial amyotrophic lateral sclerosis (fALS). Although FUS/TLS is normally located predominantly in the nucleus, the pathogenic mutant forms of FUS/TLS traffic to, and form inclusions in, the cytoplasm of affected spinal motor neurons or glia. Here we report a yeast model of human FUS/TLS expression that recapi...

This memo applies the Upgrade mechanism in HTTP/1.1 to employ Transport Layer Security (TLS) over an existing TCP connection. This allows unsecured and secured traffic to share the same well known port (in this case, http: at 80 rather than https: at 443). This also enables "virtual hosting," by allowing a single HTTP + TLS server to disambiguate traffic intended for several hostnames at a sing...