We collect anonymized TLS Client Hello messages from the University of Colorado Boulder campus network, in order to measure the popularity of various implementations actually used in practice.
Why collect fingerprints?
TLS fingerprints allow us to identify problems in common TLS applications. For example, we can investigate the ability of censorship circumvention tools to mimic and blend in with other popular TLS implementations. Censors can block circumvention tools that send uncommon TLS fingerprints. To combat this, we can observe the fingerprints that circumvention tools produce and compare them to our dataset. Less popular fingerprints are at risk of being blocked by censors at low cost.
We can also measure Weak cipher suites still in widespread use, and track the popularity of TLS Versions and Extensions.
To help mimic rapidly-changing popular TLS implementations, we have developed the uTLS library, that provides fine-grained control over the Client Hello message, including what cipher suites and extensions are sent. This site also provides auto-generated uTLS configuration code to mimic fingerprints we observe.
Details on our collected data, analysis, and uTLS library can be found in our paper:
Sergey Frolov and Eric Wustrow (University of Colorado Boulder) In The Network and Distributed System Security Symposium 2019 (NDSS'19)