With my current interest in the CRIME attack, I am currently trying to check if there actually exits a way to "fingerprint" a server that supports SPDY?
My research lead me to believe only that the response header "X-Firefox-SPDY" can help. Is there another way?
The answer to your question would depend on the context in which you're interested.
If you're interested in detecting SPDY servers while browsing the web you'll first need a browser that supports SPDY (e.g. Firefox 11+ or Chrome). In this scenario the best way to detect SPDY is browser dependant.
For Chrome there are a couple of ways:
chrome://net-internals/#spdy for a list of all currently open SPDY connections (because SPDY connections are persistent - every tab that contains a document from a server which supports SPDY should be present).window.chrome.loadTimes().wasFetchedViaSpdy DOM property.For Firefox, the only way I'm aware of is to look for the presence of X-Firefox-Spdy response header. Do note that for this to work, you must enable SPDY support (it is on by default as of Firefox 13, otherwise - set network.http.spdy.enabled to true.
All this depends on using a SPDY enabled browser, and manually checking servers. If you'll want to automate this, use a browser that doesn't support SPDY, or just plainly skip the browser - you'll need another strategy. As I see you have two options in this case:
SPDY servers can be configured to advertise their support of SPDY when sending HTTP responses. This would require you to inspect the presence of the appropriate Alternative-Protocol headers (outlined in the SPDY draft).
Simply establish a TCP connection to the server an send it a SETTIGNS (HELLO) or a SYN_STREAM frame and see if it responds according to the SPDY protocol.
