🗓️ Join us June 18 for the next insightful episode of runZero Hour! Register Now!

runZero Hour, Ep. 2: Deep dive into Transport Layer Security (TLS)

Overview

Episode 2 of the runZero Hour webcast took a quick survey of new IoT devices that showed up on the network over the holidays at the end of 2023. Did you know that crockpots are now on the network?! We also took a deep dive into Transport Layer Security (TLS). The latter discussion included a look at how fingerprinting is done in general.

There are three primary ways to gather information for fingerprinting: self-identification, attribute-based, and behavior-based. Self-identification is just whatever the target responds with about itself and is typically the first step in asset identification. It’s also the naive method because:

  1. The target service or protocol may not support any form of self-identification.
  2. The “target” may be an intervening device that may modify or redact that identification.
  3. The target itself may respond with an incorrect identification or not granular enough to be useful.
  4. Sometimes, users can configure services to omit the identification.

The next two are proxy indicators, which allow you to learn something without a full and potentially intrusive examination. For example, eyeglasses are a proxy indicator telling you that someone might have vision impairment even though you didn’t perform an eye exam.

With TLS, the client sends a Client Hello with a list of protocols, ciphers, and extensions it supports. In the response, the Server Hello, the server specifies which ones it wants to use. By sending varying combinations of these options and observing which the server has selected, we can learn much about the target TLS stack.

TLS

Finally, there is behavior-based, where the scanner varies its operation at the connection level to elicit tell-tale reactions from the server. Typically, when the client side of a TCP connection unexpectedly terminates, the client OS sends a TCP FIN packet–this state is known as a half-close. How does the TLS endpoint respond to half-closes? Interestingly, some versions of OpenSSL do not respond, while others respond with an TLS alert message. Other TLS stacks, such as GnuTLS, may respond with entirely different TLS alert messages. Want to know which version does which? Watch the full to find out and learn additional insights on funky protocols, oddball devices, and more in-depth details about TLS.

Meet Our Speakers

HD Moore

Founder & CEO

Huxley Barbee

Contributor

Rob King

Director of Security Research

Tom Sellers

Principal Research Engineer

Subscribe Now

Get the latest news and expert insights delivered in your inbox.

Welcome to the club! Your subscription to our newsletter is successful.

Related Resources

Webcasts
Unknown Assets: A Lurking Threat to Network Security
In this EcoCast, presented by Tod Beardsley VP of Security Research, discusses proactive strategies for defending against zero-day exploits and...
Watch Now
Webcasts
Vulnerability management is broken: what's the fix?
HD Moore and Omdia analyst Rik Turner discuss why traditional vulnerability management is struggling in modern IT infrastructures, why CVEs don’t...
Watch Now
Webcasts
From Exposed to Empowered: Fixing Fatal Flaws in Vulnerability Management
In this on-demand session, HD Moore joins Secon Cyber to expose the limitations of legacy vulnerability management and show why many of today’s...
Watch Now
Webcasts
runZero Hour Ep. 18: Unpacking vulnerability scoring systems with EPSS expert Jay Jacobs
Vulnerability scoring expert Jay Jacobs joins us for an insightful session exploring how scoring systems like CVSS, EPSS, and SSVC signal risk —...
Watch Now

See Results in Minutes

See & secure your total attack surface. Even the unknowns & unmanageable.

Try runZero for Free
© Copyright 2025 runZero, Inc. All Rights Reserved