Extend TLS inspector to capture JA3n and JA4 #35739

Closed
kashyap-db opened this issue Aug 18, 2024 · 7 comments
Labels
area/tls enhancement Feature requests. Not bugs or questions. stale stalebot believes this issue/PR has not been touched recently

Comments

@kashyap-db

Title: Extend TLS inspector to capture JA3n and JA4

Description:
This issue 3 years ago requested the JA3 feature. JA3 is no longer effective and gets permuted after Chrome 110, making it ineffective. Also, JA4 has now been released. JA4 is a much more effective way of identifying malicious activity than IP address.

See the original issue for a detailed motivation for this.

[optional Relevant Links:]
#16622
https://github.com/FoxIO-LLC/ja4
net4people/bbs#220
https://security.stackexchange.com/questions/273101/why-the-ja3-hash-changed-everytime-refresh-the-webpage

@kashyap-db kashyap-db added enhancement Feature requests. Not bugs or questions. triage Issue requires triage labels Aug 18, 2024
@agrawroh
Contributor

cc @ggreenway

@ggreenway
Contributor

PRs welcome for adding this!

@ggreenway ggreenway added area/tls and removed triage Issue requires triage labels Aug 19, 2024
@agrawroh
Contributor

agrawroh commented Aug 19, 2024

@ggreenway Should we add a new field called tls_fingerprinting alongside enable_ja3_fingerprinting here and deprecate the latter in favor of the newly added field?

JA3/JA4 could be set as an ENUM:

```
tls_fingerprinting: {
  enable: BOOL,
  engine: ENUM { JA3 = DEFAULT, JA3S, JA4 }
}
```

We'll also have to change the access loggers accordingly. I see that we have TLS_JA3_FINGERPRINT to surface the captured JA3s in the access logs. We'll have to add another TLS_FINGERPRINT with both the engine and the value or two commands like TLS_FINGERPRINT_ENGINE and TLS_FINGERPRINT_VALUE.

For gRPC [See This], we can use tls_fingerprint with engine and value as well.

@ggreenway
Contributor

@envoyproxy/api-shepherds can help with how to structure the config. If you're going to use an enum, I think having a default value of none, and not having a bool to enable/disable, is simpler.

I'd also be fine with just adding more booleans for enable_ja3s_fingerprinting and enable_ja4_fingerprinting.

@kashyap-db
Author

Minor clarification: JA3s (server fingerprinting) is different from JA3n (what we want). JA3n just sorts the Client Hello SSL Extensions.
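
An added example, not part of the original thread and not Envoy's code, of the distinction discussed above: JA3 hashes the ClientHello extension IDs in wire order, while JA3n sorts them first, so a client that permutes its extension order keeps a stable JA3n. The ClientHello dictionaries are constructed sample values, and the function names are hypothetical.

```python
import hashlib

# GREASE values (RFC 8701): 0x0a0a, 0x1a1a, ... 0xfafa. JA3 ignores them.
GREASE = {(b << 8) | b for b in range(0x0A, 0x100, 0x10)}


def _join(values):
    return "-".join(str(v) for v in values if v not in GREASE)


def ja3_string(hello, sort_extensions=False):
    """JA3 input string; sort_extensions=True gives the JA3n variant."""
    exts = [e for e in hello["extensions"] if e not in GREASE]
    if sort_extensions:
        exts = sorted(exts)  # JA3n: extension order no longer matters
    return ",".join([
        str(hello["version"]),
        _join(hello["ciphers"]),
        _join(exts),
        _join(hello["groups"]),
        _join(hello["point_formats"]),
    ])


def fingerprint(hello, sort_extensions=False):
    data = ja3_string(hello, sort_extensions).encode("ascii")
    return hashlib.md5(data).hexdigest()


def distinct_fingerprints(hellos, sort_extensions=False):
    """Number of different fingerprints a set of ClientHellos produces."""
    return len({fingerprint(h, sort_extensions) for h in hellos})


# Constructed samples: HELLO_A and HELLO_B are the same client on two
# connections (extensions permuted, different GREASE); HELLO_C is another client.
HELLO_A = {
    "version": 771,
    "ciphers": [0x1A1A, 4865, 4866, 4867, 49195, 49199],
    "extensions": [0x2A2A, 0, 23, 65281, 10, 11, 35, 16, 5, 13, 51, 45, 43],
    "groups": [0x3A3A, 29, 23, 24],
    "point_formats": [0],
}
HELLO_B = dict(HELLO_A, extensions=[0x4A4A, 51, 13, 0, 43, 16, 65281, 35, 10, 45, 5, 11, 23])
HELLO_C = dict(HELLO_A, extensions=HELLO_A["extensions"] + [27])

if __name__ == "__main__":
    for name, h in (("A", HELLO_A), ("B", HELLO_B), ("C", HELLO_C)):
        print(name, "JA3", fingerprint(h), "JA3n", fingerprint(h, True))
```

Sorting only removes ordering as a signal: HELLO_C, which carries one extra extension, still gets a different JA3n.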


This issue has been automatically marked as stale because it has not had activity in the last 30 days. It will be closed in the next 7 days unless it is tagged "help wanted" or "no stalebot" or other activity occurs. Thank you for your contributions.

@github-actions github-actions bot added the stale stalebot believes this issue/PR has not been touched recently label Sep 18, 2024

This issue has been automatically closed because it has not had activity in the last 37 days. If this issue is still valid, please ping a maintainer and ask them to label it as "help wanted" or "no stalebot". Thank you for your contributions.

@github-actions github-actions bot closed this as not planned Won't fix, can't repro, duplicate, stale Sep 25, 2024