[Oisf-users] tls1.3 and certificate sniffing

Pierre Chifflier chifflier at wzdftpd.net
Fri Apr 20 20:16:05 UTC 2018


On 04/20/2018 06:23 PM, erik clark wrote:
> So, with Bro I've got _some_ certificate visibility into a tls1.3
> transaction, but cannot pull the actual certificate. Will the
> certificate sniffing signatures of suri still work with tls1.3 as a
> result? Examples are the apple fake ssl certificates and fake linkedin
> certificates in the ET Pro list.
> 

Hi,

In TLS 1.3, certificates are now encrypted, so it is not possible
anymore to filter or extract the certificates (passively).
It may be the SNI extension (which gives the server name asked by the
client), which is still in the clear.

Regards,
Pierre
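
The point in the reply above about the SNI staying visible, shown as an added example (not part of the original message and not Suricata code): a minimal parser that reads the server name and the TLS 1.3 offer from a ClientHello. The function names and the sample record built by `build_sample_hello` are assumptions constructed for the demo, and the parser assumes the ClientHello fits in a single TLS record.

```python
import struct

def parse_client_hello(record: bytes) -> dict:
    """Extract the SNI and TLS 1.3 offer from one TLS record carrying a ClientHello."""
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS handshake record with a ClientHello")
    hs_len = int.from_bytes(record[6:9], "big")
    hello = record[9:9 + hs_len]
    result = {"sni": None, "offers_tls13": False}
    try:
        pos = 2 + 32                                   # legacy_version + random
        pos += 1 + hello[pos]                          # session_id
        pos += 2 + int.from_bytes(hello[pos:pos + 2], "big")  # cipher_suites
        pos += 1 + hello[pos]                          # compression_methods
    except IndexError:
        raise ValueError("truncated ClientHello")
    ext_end = pos + 2 + int.from_bytes(hello[pos:pos + 2], "big")
    pos += 2
    while pos + 4 <= min(ext_end, len(hello)):
        ext_type, ext_len = struct.unpack("!HH", hello[pos:pos + 4])
        data = hello[pos + 4:pos + 4 + ext_len]
        pos += 4 + ext_len
        if ext_type == 0 and len(data) >= 5 and data[2] == 0:  # server_name / host_name
            name_len = int.from_bytes(data[3:5], "big")
            result["sni"] = data[5:5 + name_len].decode("ascii", "replace")
        elif ext_type == 43 and data:                  # supported_versions
            versions = data[1:1 + data[0]]
            result["offers_tls13"] = any(
                versions[i:i + 2] == b"\x03\x04" for i in range(0, len(versions) - 1, 2))
    return result

def build_sample_hello(host: bytes) -> bytes:
    """Constructed ClientHello for the demo (hypothetical helper, not captured traffic)."""
    sni = b"\x00" + struct.pack("!H", len(host)) + host     # host_name entry
    sni = struct.pack("!H", len(sni)) + sni                 # server_name_list
    vers = b"\x04\x03\x04\x03\x03"                          # offers TLS 1.3 and TLS 1.2
    exts = (struct.pack("!HH", 0, len(sni)) + sni
            + struct.pack("!HH", 43, len(vers)) + vers)
    hello = (b"\x03\x03" + bytes(32) + b"\x00" + b"\x00\x02\x13\x01" + b"\x01\x00"
             + struct.pack("!H", len(exts)) + exts)
    hs = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

if __name__ == "__main__":
    print(parse_client_hello(build_sample_hello(b"example.com")))
```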

