Ivan Nardi ddd08f913c

Add some heuristics to detect encrypted/obfuscated/proxied TLS flows (#2553) ...

Based on the paper: "Fingerprinting Obfuscated Proxy Traffic with
Encapsulated TLS Handshakes".
See: https://www.usenix.org/conference/usenixsecurity24/presentation/xue-fingerprinting

Basic idea:
* the packets/bytes distribution of a TLS handshake is quite unique
* this fingerprint is still detectable if the handshake is
encrypted/proxied/obfuscated

All heuristics are disabled by default.

2024-09-24 14:20:31 +02:00

71 KiB

Raw History

View raw