VMLogin anti-association browser 1.2.6.7 has added the customization of SSL fingerprint.
You can mainly set the number and order of cipher suites, which can counteract some websites that use JA3 methods to detect SSL fingerprints. Generally, each browser has a relatively fixed SSL fingerprint. When doing multiple accounts or anti-association projects, the change of SSL fingerprint may play a certain role in weighting, but if you don’t know what SSL fingerprint is, then it is recommended , Or don’t set it up randomly, because it may be counterproductive.
JA3 is a method for creating SSL/TLS client fingerprints, which should be easy to generate on any platform and can be easily shared for threat intelligence.
What is SSL fingerprint? It can be said that every browser generally has a fixed SSL fingerprint.
The JA3 method is used to collect the decimal value of the following fields in the client Hello packet: version, accepted password, extension list, elliptic curve and elliptic curve format. Then, use "," to separate each field, use "-" to separate the values in each field, and concatenate these values together in order.
Sample client Hello packet viewed in Wireshark
The order of the fields is as follows:
TLSVersion,Ciphers,Extensions,EllipticCurves,EllipticCurvePointFormats
例:
769,47–53–5–10–49161–49162–49171–49172–50–56–19–4,0–10–11,23–24–25,0
If there is no TLS extension in the client Hello, these fields will be left blank.
769,4–5–10–9–100–98–3–6–19–18–99,
Then, these strings are MD5 hashed to generate a 32-character fingerprint that is easy to use and share. This is the JA3 TLS client fingerprint
769.47-53-5-10-49161-49162-49171-49172-50-56--19-4.0--10-11.23-24-25.0 → ada70206e40642a3e4461f35503241d5
769.4-5-10-9 –100--98--3--6--19-18--99, → de350869b8c85de67a350c8d186f11e6
We also need to introduce some code to explain Google's GREASE (Generate Random Extensions And Sustain Extensibility), as described here. In fact, Google will use this mechanism to prevent scalability failures in the TLS ecosystem. However, JA3 will completely ignore these values to ensure that programs using GREASE can still use a single JA3 hash value to complete fingerprint identification.
Websites that can be used for SSL fingerprint testing:
https://browserleaks.com/ssl
summary
JA3 and JA3S are a security analysis method based on TLS fingerprint. JA3 fingerprints can indicate the way the client application communicates via TLS, and JA3 fingerprints can indicate the server's response. If the two are combined, the fingerprint of the encryption negotiation between the client and the server is essentially generated. Although TLS-based detection methods are not necessarily a panacea, nor are they guaranteed to be mapped to client applications, they are always the axis of security analysis.
VMLogin design SSL custom method, mainly to change the JA3 fingerprint from this browser, which is not comprehensive, but it is also very simple and efficient. Need to help some users who are pursuing perfectionism. At the same time, I hope to provide us with better suggestions and help.