{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,8,23]],"date-time":"2025-08-23T05:25:54Z","timestamp":1755926754340,"version":"3.40.3"},"publisher-location":"Cham","reference-count":33,"publisher":"Springer Nature Switzerland","isbn-type":[{"type":"print","value":"9783031284854"},{"type":"electronic","value":"9783031284861"}],"license":[{"start":{"date-parts":[[2023,1,1]],"date-time":"2023-01-01T00:00:00Z","timestamp":1672531200000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0"},{"start":{"date-parts":[[2023,3,10]],"date-time":"2023-03-10T00:00:00Z","timestamp":1678406400000},"content-version":"vor","delay-in-days":68,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0"}],"content-domain":{"domain":["link.springer.com"],"crossmark-restriction":false},"short-container-title":[],"published-print":{"date-parts":[[2023]]},"abstract":"<jats:title>Abstract<\/jats:title><jats:p>Collecting metadata from Transport Layer Security (TLS) servers on a large scale allows to draw conclusions about their capabilities and configuration. This provides not only insights into the Internet but it enables use cases like detecting malicious Command and Control (C &amp;C) servers. However, active scanners can only observe and interpret the behavior of TLS servers, the underlying configuration and implementation causing the behavior remains hidden. Existing approaches struggle between resource intensive scans that can reconstruct this data and light-weight fingerprinting approaches that aim to differentiate servers without making any assumptions about their inner working. With this work we propose DissecTLS, an active TLS scanner that is both light-weight enough to be used for Internet measurements and able to reconstruct the configuration and capabilities of the TLS stack. This was achieved by modeling the parameters of the TLS stack and derive an active scan that dynamically creates scanning probes based on the model and the previous responses from the server. We provide a comparison of five active TLS scanning and fingerprinting approaches in a local testbed and on toplist targets. We conducted a measurement study over nine weeks to fingerprint C &amp;C servers and analyzed popular and deprecated TLS parameter usage. Similar to related work, the fingerprinting achieved a maximum precision of 99\u00a0% for a conservative detection threshold of 100\u00a0%; and at the same time, we improved the recall by a factor of 2.8.<\/jats:p>","DOI":"10.1007\/978-3-031-28486-1_6","type":"book-chapter","created":{"date-parts":[[2023,3,13]],"date-time":"2023-03-13T00:03:35Z","timestamp":1678665815000},"page":"110-126","update-policy":"https:\/\/doi.org\/10.1007\/springer_crossmark_policy","source":"Crossref","is-referenced-by-count":7,"title":["DissecTLS: A Scalable Active Scanner for\u00a0TLS Server Configurations, Capabilities, and\u00a0TLS Fingerprinting"],"prefix":"10.1007","author":[{"ORCID":"https:\/\/orcid.org\/0000-0002-7322-5804","authenticated-orcid":false,"given":"Markus","family":"Sosnowski","sequence":"first","affiliation":[]},{"ORCID":"https:\/\/orcid.org\/0000-0002-2918-016X","authenticated-orcid":false,"given":"Johannes","family":"Zirngibl","sequence":"additional","affiliation":[]},{"ORCID":"https:\/\/orcid.org\/0000-0001-9375-3113","authenticated-orcid":false,"given":"Patrick","family":"Sattler","sequence":"additional","affiliation":[]},{"ORCID":"https:\/\/orcid.org\/0000-0002-2347-1839","authenticated-orcid":false,"given":"Georg","family":"Carle","sequence":"additional","affiliation":[]}],"member":"297","published-online":{"date-parts":[[2023,3,10]]},"reference":[{"key":"6_CR1","unstructured":"abuse.ch: Feodo Tracker. https:\/\/feodotracker.abuse.ch\/. Accessed 28 Oct 28 (2022)"},{"key":"6_CR2","unstructured":"abuse.ch: SSL Certificate Blacklist. https:\/\/sslbl.abuse.ch\/. Accessed 28 Oct 2022"},{"key":"6_CR3","unstructured":"Althouse, J., Atkinson, J., Atkins, J.: TLS Fingerprinting with JA3 and JA3S (2019). https:\/\/engineering.salesforce.com\/tls-fingerprinting-with-ja3-and-ja3s-247362855967"},{"key":"6_CR4","unstructured":"Althouse, J., Smart, A., Nunnally Jr., R., Brady, M.: Easily identify malicious servers on the internet with JARM (2020). https:\/\/engineering.salesforce.com\/easily-identify-malicious-servers-on-the-internet-with-jarm-e095edac525a"},{"key":"6_CR5","doi-asserted-by":"publisher","unstructured":"Anderson, B., McGrew, D.: OS fingerprinting: new techniques and a study of information gain and obfuscation. In: 2017 IEEE Conference on Communications and Network Security (CNS) (2017). https:\/\/doi.org\/10.1109\/CNS.2017.8228647","DOI":"10.1109\/CNS.2017.8228647"},{"key":"6_CR6","unstructured":"Anderson, B., McGrew, D., Kendler, A.: Classifying Encrypted Traffic With TLS-Aware Telemetry. FloCon (2016)"},{"key":"6_CR7","unstructured":"Anderson, B., McGrew, D.A.: Accurate TLS fingerprinting using destination context and knowledge bases. CoRR (2020). https:\/\/doi.org\/10.48550\/arXiv.2009.01939"},{"key":"6_CR8","unstructured":"Censys: JARM in Censys Search 2.0 (2022). https:\/\/support.censys.io\/hc\/en-us\/articles\/4409122252692-JARM-in-Censys-Search-2-0. Accessed 14 Oct 2022"},{"key":"6_CR9","doi-asserted-by":"crossref","unstructured":"Dierks, T., Rescorla, E.: The Transport Layer Security (TLS) Protocol Version 1.1. RFC 4346 (2006). https:\/\/doi.org\/10.17487\/RFC4346","DOI":"10.17487\/rfc4346"},{"key":"6_CR10","unstructured":"Diquet, A.: SSLyze. https:\/\/github.com\/nabla-c0d3\/sslyze. Accessed 13 Oct 2022"},{"key":"6_CR11","doi-asserted-by":"crossref","unstructured":"Dittrich, D., Kenneally, E., et al.: The Menlo Report: Ethical principles guiding information and communication technology research. US Department of Homeland Security (2012)","DOI":"10.2139\/ssrn.2445102"},{"key":"6_CR12","unstructured":"Durumeric, Z., Wustrow, E., Halderman, J.A.: ZMap: fast internet-wide scanning and its security applications. In: Proceedings of the USENIX Security Symposium (2013)"},{"key":"6_CR13","doi-asserted-by":"publisher","DOI":"10.1080\/10361146.2014.900530","author":"J Fraenkel","year":"2014","unstructured":"Fraenkel, J., Grofman, B.: The Borda Count and its real-world alternatives: comparing scoring rules in Nauru and Slovenia. Aust. J. Pol. Sci. (2014). https:\/\/doi.org\/10.1080\/10361146.2014.900530","journal-title":"Aust. J. Pol. Sci."},{"key":"6_CR14","doi-asserted-by":"crossref","unstructured":"Friedl, S., Popov, A., Langley, A., Emile, S.: Transport Layer Security (TLS) Application-Layer Protocol Negotiation Extension. RFC 7301 (2014). https:\/\/doi.org\/10.17487\/RFC7301","DOI":"10.17487\/rfc7301"},{"key":"6_CR15","unstructured":"Gasser, O., Sosnowski, M., Sattler, P., Zirngibl, J.: Goscanner (2022). https:\/\/github.com\/tumi8\/goscanner"},{"key":"6_CR16","doi-asserted-by":"publisher","unstructured":"Hus\u00e1k, M., Cerm\u00e1k, M., Jirs\u00edk, T., Celeda, P.: Network-based HTTPS client identification using SSL\/TLS fingerprinting. In: 2015 10th International Conference on Availability, Reliability and Security (2015). https:\/\/doi.org\/10.1109\/ARES.2015.35","DOI":"10.1109\/ARES.2015.35"},{"key":"6_CR17","unstructured":"IANA: Transport Layer Security (TLS) Parameters. https:\/\/www.iana.org\/assignments\/tls-parameters\/tls-parameters.xhtml. Accessed 13 Oct 2022"},{"key":"6_CR18","unstructured":"Labovitz, C.: Internet traffic 2009\u20132019. In: Proceedings of the Asia Pacific Regional Internet Conference on Operational Technologies (2019)"},{"key":"6_CR19","doi-asserted-by":"crossref","unstructured":"Le Pochat, V., Van Goethem, T., Tajalizadehkhoob, S., Korczy\u0144ski, M., Joosen, W.: Tranco: a research-oriented top sites ranking hardened against manipulation. In: Proceedings of the 26th Annual Network and Distributed System Security Symposium (2019). https:\/\/doi.org\/10.14722\/ndss.2019.23386","DOI":"10.14722\/ndss.2019.23386"},{"key":"6_CR20","series-title":"IFIP Advances in Information and Communication Technology","doi-asserted-by":"publisher","first-page":"3","DOI":"10.1007\/978-3-319-58469-0_1","volume-title":"ICT Systems Security and Privacy Protection","author":"W Mayer","year":"2017","unstructured":"Mayer, W., Schmiedecker, M.: Turning active TLS scanning to eleven. In: De Capitani di Vimercati, S., Martinelli, F. (eds.) SEC 2017. IAICT, vol. 502, pp. 3\u201316. Springer, Cham (2017). https:\/\/doi.org\/10.1007\/978-3-319-58469-0_1"},{"key":"6_CR21","doi-asserted-by":"crossref","unstructured":"Moeller, B., Langley, A.: TLS Fallback Signaling Cipher Suite Value (SCSV) for Preventing Protocol Downgrade Attacks. RFC 7507 (2015). https:\/\/doi.org\/10.17487\/RFC7507","DOI":"10.17487\/RFC7507"},{"key":"6_CR22","doi-asserted-by":"crossref","unstructured":"Moriarty, K., Farrell, S.: Deprecating TLS 1.0 and TLS 1.1. RFC 8996 (2021). https:\/\/doi.org\/10.17487\/RFC8996","DOI":"10.17487\/RFC8996"},{"key":"6_CR23","unstructured":"Mozilla: SSL configuration generator (2022). https:\/\/ssl-config.mozilla.org. Accessed 13 Oct 2022"},{"key":"6_CR24","doi-asserted-by":"publisher","unstructured":"Partridge, C., Allman, M.: Addressing ethical considerations in network measurement papers. In: Proceedings of the 2015 ACM SIGCOMM Workshop on Ethics in Networked Systems Research. Association for Computing Machinery (2016). https:\/\/doi.org\/10.1145\/2793013.2793014","DOI":"10.1145\/2793013.2793014"},{"key":"6_CR25","doi-asserted-by":"crossref","unstructured":"Popov, A.: Prohibiting RC4 Cipher Suite. RFC 7507 (2015). https:\/\/doi.org\/10.17487\/RFC7465","DOI":"10.17487\/rfc7465"},{"key":"6_CR26","doi-asserted-by":"publisher","unstructured":"Rasoamanana, A.T., Levillain, O., Debar, H.: Towards a systematic and automatic use of state machine inference to uncover security flaws and fingerprint TLS stacks. In: Computer Security - ESORICS (2022). https:\/\/doi.org\/10.1007\/978-3-031-17143-7_31","DOI":"10.1007\/978-3-031-17143-7_31"},{"key":"6_CR27","doi-asserted-by":"crossref","unstructured":"Rescorla, E.: The Transport Layer Security (TLS) Protocol Version 1.3. RFC 8446 (2018). https:\/\/doi.org\/10.17487\/RFC8446","DOI":"10.17487\/RFC8446"},{"key":"6_CR28","doi-asserted-by":"crossref","unstructured":"Rescorla, E., Dierks, T.: The Transport Layer Security (TLS) Protocol Version 1.2. RFC 5246 (2008). https:\/\/doi.org\/10.17487\/RFC5246","DOI":"10.17487\/rfc5246"},{"key":"6_CR29","unstructured":"Sosnowski, M., Zirngibl, J., Sattler, P., Carle, G.: DissecTLS Measurement Data. https:\/\/doi.org\/10.14459\/2023mp1695491"},{"key":"6_CR30","unstructured":"Sosnowski, M., Zirngibl, J., Sattler, P., Carle, G.: DissecTLS: Additional Material (2023). https:\/\/dissectls.github.io\/"},{"key":"6_CR31","unstructured":"Sosnowski, M., et al.: Active TLS stack fingerprinting: characterizing TLS server deployments at scale. In: Proceedings of the Network Traffic Measurement and Analysis Conference (TMA) (2022)"},{"key":"6_CR32","unstructured":"The Tcpdump Group: tcpdump. https:\/\/www.tcpdump.org. Accessed 27 Oct 2022"},{"key":"6_CR33","unstructured":"Wetter, D.: Testing TLS\/SSL encryption. https:\/\/testssl.sh\/. Accessed 27 Oct 2022"}],"container-title":["Lecture Notes in Computer Science","Passive and Active Measurement"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/link.springer.com\/content\/pdf\/10.1007\/978-3-031-28486-1_6","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2023,4,4]],"date-time":"2023-04-04T12:31:32Z","timestamp":1680611492000},"score":1,"resource":{"primary":{"URL":"https:\/\/link.springer.com\/10.1007\/978-3-031-28486-1_6"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2023]]},"ISBN":["9783031284854","9783031284861"],"references-count":33,"URL":"https:\/\/doi.org\/10.1007\/978-3-031-28486-1_6","relation":{},"ISSN":["0302-9743","1611-3349"],"issn-type":[{"type":"print","value":"0302-9743"},{"type":"electronic","value":"1611-3349"}],"subject":[],"published":{"date-parts":[[2023]]},"assertion":[{"value":"10 March 2023","order":1,"name":"first_online","label":"First Online","group":{"name":"ChapterHistory","label":"Chapter History"}},{"value":"PAM","order":1,"name":"conference_acronym","label":"Conference Acronym","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"International Conference on Passive and Active Network Measurement","order":2,"name":"conference_name","label":"Conference Name","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"2023","order":5,"name":"conference_year","label":"Conference Year","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"21 March 2023","order":7,"name":"conference_start_date","label":"Conference Start Date","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"23 March 2023","order":8,"name":"conference_end_date","label":"Conference End Date","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"24","order":9,"name":"conference_number","label":"Conference Number","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"pam2023","order":10,"name":"conference_id","label":"Conference ID","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"https:\/\/pam2023.networks.imdea.org\/","order":11,"name":"conference_url","label":"Conference URL","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"Double-blind","order":1,"name":"type","label":"Type","group":{"name":"ConfEventPeerReviewInformation","label":"Peer Review Information (provided by the conference organizers)"}},{"value":"HotCRP","order":2,"name":"conference_management_system","label":"Conference Management System","group":{"name":"ConfEventPeerReviewInformation","label":"Peer Review Information (provided by the conference organizers)"}},{"value":"80","order":3,"name":"number_of_submissions_sent_for_review","label":"Number of Submissions Sent for Review","group":{"name":"ConfEventPeerReviewInformation","label":"Peer Review Information (provided by the conference organizers)"}},{"value":"18","order":4,"name":"number_of_full_papers_accepted","label":"Number of Full Papers Accepted","group":{"name":"ConfEventPeerReviewInformation","label":"Peer Review Information (provided by the conference organizers)"}},{"value":"9","order":5,"name":"number_of_short_papers_accepted","label":"Number of Short Papers Accepted","group":{"name":"ConfEventPeerReviewInformation","label":"Peer Review Information (provided by the conference organizers)"}},{"value":"23% - The value is computed by the equation \"Number of Full Papers Accepted \/ Number of Submissions Sent for Review * 100\" and then rounded to a whole number.","order":6,"name":"acceptance_rate_of_full_papers","label":"Acceptance Rate of Full Papers","group":{"name":"ConfEventPeerReviewInformation","label":"Peer Review Information (provided by the conference organizers)"}},{"value":"3.8","order":7,"name":"average_number_of_reviews_per_paper","label":"Average Number of Reviews per Paper","group":{"name":"ConfEventPeerReviewInformation","label":"Peer Review Information (provided by the conference organizers)"}},{"value":"5","order":8,"name":"average_number_of_papers_per_reviewer","label":"Average Number of Papers per Reviewer","group":{"name":"ConfEventPeerReviewInformation","label":"Peer Review Information (provided by the conference organizers)"}},{"value":"No","order":9,"name":"external_reviewers_involved","label":"External Reviewers Involved","group":{"name":"ConfEventPeerReviewInformation","label":"Peer Review Information (provided by the conference organizers)"}}]}}