
JA3 was created by people at Salesforce and it is a way of creating TLS/SSL fingerprints due to the fact that negotiation is done in the clear. According to JA3, these fingerprints give someone the ability to identify client applications using the details in the SSL Client Hello packet.

According to Salesforce:

JA3 gathers the decimal values of the bytes for the following fields in the Client Hello packet; SSL Version, Accepted Ciphers, List of Extensions, Elliptic Curves, and Elliptic Curve Formats. It then concatenates those values together in order, using a "," to delimit each field and a "-" to delimit each value in each field.

TLS/SSL is great, but it has presented some problems for defenders. For example, beacons calling back home try to hide in the encrypted traffic. Not to mention all types of malware that can't be inspected without TLS/SSL decryption at the border.

I have a couple of questions about JA3.

1.) How might an attacker exploit this? Servers typically support TLS 1.0/1.2/1.3 (and some SSLv3); couldn't an attacker easily change their fingerprint?

2.) Do you see this as an effective way to identify malicious traffic passing your perimeter (inbound and outbound)?

  • Yes, an attacker may change his fingerprint very easily; in fact, you just need to access the TLS configuration of your application and change the order of the cipher suites, or add or remove them. From my point of view, JA3 is effective when attacks are automated by a bot or a tool, but ineffective when there is a human behind it who knows how to modify the behavior of the TLS layer that is behind the curtains. – camp0 Jul 25 '22 at 12:33
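The following is an added worked example (not code from the question, the commenter, or the Salesforce JA3 project) showing both the field concatenation quoted from Salesforce above and the commenter's point that merely reordering the cipher suite list yields a different fingerprint. It serialises a constructed TLS 1.2 ClientHello (fixed zero random, empty session ID, a handful of cipher suites and extensions chosen for illustration), parses it back, builds the JA3 string "version,ciphers,extensions,groups,point formats" from the decimal values, and MD5-hashes it. It also shows why JA3 drops GREASE values (0x0a0a, 0x1a1a, ... per RFC 8701): a client that randomises GREASE would otherwise change its own fingerprint on every connection.

```python
import hashlib
import struct

# GREASE values (RFC 8701): 0x0a0a, 0x1a1a, ..., 0xfafa. JA3 skips them so that
# browser GREASE randomisation does not change the fingerprint.
GREASE_VALUES = {0x0A0A + 0x1010 * i for i in range(16)}


def build_client_hello(version, ciphers, extensions):
    """Serialise a TLS record carrying a ClientHello (constructed fixture).

    extensions: ordered list of (ext_type, ext_data) tuples. The 32-byte
    random is all zeros and the session ID is empty; JA3 ignores both.
    """
    ext_body = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in extensions)
    suites = b"".join(struct.pack("!H", c) for c in ciphers)
    body = (
        struct.pack("!H", version)
        + bytes(32)                                   # client random
        + b"\x00"                                     # session id length 0
        + struct.pack("!H", len(suites)) + suites
        + b"\x01\x00"                                 # one compression method: null
        + struct.pack("!H", len(ext_body)) + ext_body
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def supported_groups_ext(groups):
    data = b"".join(struct.pack("!H", g) for g in groups)
    return (0x000A, struct.pack("!H", len(data)) + data)


def ec_point_formats_ext(formats):
    return (0x000B, bytes([len(formats)]) + bytes(formats))


def server_name_ext(host):
    name = host.encode()
    entry = b"\x00" + struct.pack("!H", len(name)) + name  # host_name type 0
    return (0x0000, struct.pack("!H", len(entry)) + entry)


def ja3_string(record):
    """Return 'ver,ciphers,exts,groups,formats' for a ClientHello TLS record."""
    if record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    hs = record[5:]                     # skip the 5-byte record header
    if hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    p = 4                               # handshake type (1) + length (3)
    version = struct.unpack_from("!H", hs, p)[0]
    p += 2 + 32                         # version, then random
    p += 1 + hs[p]                      # session id
    cs_len = struct.unpack_from("!H", hs, p)[0]
    p += 2
    ciphers = [struct.unpack_from("!H", hs, p + i)[0] for i in range(0, cs_len, 2)]
    p += cs_len
    p += 1 + hs[p]                      # compression methods
    ext_types, groups, formats = [], [], []
    if p < len(hs):
        ext_len = struct.unpack_from("!H", hs, p)[0]
        p += 2
        end = p + ext_len
        while p + 4 <= end:
            etype, elen = struct.unpack_from("!HH", hs, p)
            p += 4
            data = hs[p:p + elen]
            p += elen
            ext_types.append(etype)
            if etype == 0x000A:         # supported_groups ("Elliptic Curves")
                n = struct.unpack_from("!H", data, 0)[0]
                groups = [struct.unpack_from("!H", data, 2 + i)[0] for i in range(0, n, 2)]
            elif etype == 0x000B:       # ec_point_formats
                formats = list(data[1:1 + data[0]])

    def fmt(values):
        return "-".join(str(v) for v in values if v not in GREASE_VALUES)

    return ",".join([str(version), fmt(ciphers), fmt(ext_types), fmt(groups), fmt(formats)])


def ja3_hash(record):
    return hashlib.md5(ja3_string(record).encode()).hexdigest()


# Constructed fixture resembling a TLS 1.2 ClientHello; not a real capture.
BASE_CIPHERS = [0x1301, 0x1302, 0xC02B, 0xC02F, 0x009C]
BASE_EXTS = [server_name_ext("example.com"),
             supported_groups_ext([0x001D, 0x0017]),
             ec_point_formats_ext([0])]


def demo():
    hello = build_client_hello(0x0303, BASE_CIPHERS, BASE_EXTS)
    # Same client, cipher list reversed: the handshake still succeeds, JA3 differs.
    reordered = build_client_hello(0x0303, list(reversed(BASE_CIPHERS)), BASE_EXTS)
    # Same client with a GREASE cipher and extension injected: JA3 is unchanged.
    greased = build_client_hello(0x0303, [0x2A2A] + BASE_CIPHERS,
                                 [(0x2A2A, b"")] + BASE_EXTS)
    return ja3_string(hello), ja3_hash(hello), ja3_hash(reordered), ja3_hash(greased)


if __name__ == "__main__":
    s, h, h_reordered, h_greased = demo()
    print(s)                              # 771,4865-4866-49195-49199-156,0-10-11,29-23,0
    print(h, h_reordered, h_greased)
```

Run it and compare the three hashes: the first and third match, the second does not. That is the whole detection trade-off in one run. A bot whose TLS stack is fixed presents the same JA3 every time, so the hash is a cheap and precise indicator for it; an operator who controls the client only has to reorder, add or remove a cipher suite or extension (or copy a popular browser's list) to land on a different, or a benign-looking, hash. In practice the most useful JA3 matches are against allow-lists of the clients you expect on a network and against known tooling defaults, not as a stand-alone verdict on inbound or outbound traffic.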
