Anecdotally, I'm aware of similar reports where TLS fingerprinting is
used as part of anti-bot efforts and various projects try to work around
it, e.g. curl-impersonate <https://github.com/lwthiker/curl-impersonate>.
David Benjamin and I spoke about this at IETF 115 and felt that
randomizing the order of client hello extensions (subject to the PSK
coming last) was a natural solution. Compared to a fixed order, this
ensures lazy middleboxes don't assume a particular extension is always
in the same position and so cause breakage in a future version.
Chrome 110 releases to stable next week and has TLS Client Hello
Extension Permutation
<https://chromestatus.com/feature/5124606246518784> enabled by default.
We have a patch <https://bugzilla.mozilla.org/show_bug.cgi?id=1789436>
ready to go for this in Firefox as well, which we plan to land in the
coming months.
There are still plenty of other fingerprinting vectors which this won't
address of course, but it is one step along the way.
Best,
Dennis
_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
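
The permutation described in the message above, as an added example that is not part of the original email or of Chrome's or Firefox's code: it shuffles a constructed extension list with pre_shared_key kept last, parses the result by type rather than by position, and shows that an order-sensitive hash of the extension types varies between handshakes while a sorted one does not. The extension bodies are placeholder bytes, and the function names and hash format are assumptions made for illustration.

```python
import hashlib
import random
import struct

PRE_SHARED_KEY = 41  # RFC 8446: must be the last extension in a ClientHello

def permute_extensions(exts, rng):
    """Shuffle (type, data) pairs, keeping pre_shared_key last if present."""
    head = [e for e in exts if e[0] != PRE_SHARED_KEY]
    tail = [e for e in exts if e[0] == PRE_SHARED_KEY]
    rng.shuffle(head)
    return head + tail

def encode_extensions(exts):
    """Serialize to wire form: 2-byte total length, then type/length/data."""
    body = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in exts)
    return struct.pack("!H", len(body)) + body

def parse_extensions(block):
    """Walk the TLV list by type instead of assuming fixed positions."""
    (total,) = struct.unpack_from("!H", block, 0)
    if total != len(block) - 2:
        raise ValueError("extensions length mismatch")
    out, off = [], 2
    while off < len(block):
        if off + 4 > len(block):
            raise ValueError("truncated extension header")
        t, n = struct.unpack_from("!HH", block, off)
        off += 4
        if off + n > len(block):
            raise ValueError("truncated extension body")
        out.append((t, block[off:off + n]))
        off += n
    return out

def fingerprint(exts, normalize):
    """Hash the extension type list; normalize=True sorts it first."""
    types = [t for t, _ in exts]
    if normalize:
        types = sorted(types)
    return hashlib.sha256("-".join(map(str, types)).encode()).hexdigest()[:16]

# Constructed sample (placeholder bodies): SNI, supported_groups, ALPN,
# supported_versions, key_share, pre_shared_key
SAMPLE = [(0, b"\x00"), (10, b"\x00\x1d"), (16, b"h2"), (43, b"\x03\x04"),
          (51, b"\x00"), (PRE_SHARED_KEY, b"\x00")]

if __name__ == "__main__":
    for seed in range(3):
        wire = encode_extensions(permute_extensions(SAMPLE, random.Random(seed)))
        exts = parse_extensions(wire)
        print([t for t, _ in exts], fingerprint(exts, False), fingerprint(exts, True))
```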