Easily Identify Malicious Servers on the Internet with JARM

48 points by aburan28, over 4 years ago

4 comments

theideaofcoffee, over 4 years ago
I'm wary of relying on the response from unknown hosts on a messy, adversarial network like the internet, even if I'm hoping to catalog some as malicious. There really is no reason why I should expect well- and consistently-ordered responses against which I can fingerprint. Adjusting the underlying libraries to generate a randomized list of acceptable ciphers, or to randomize any other data that program is using to build this fingerprint is trivial.

Putting aside the adversarial case, I can imagine even well intentioned networks with, say, anycasted addresses munging this up as well. I can give you one IP address but six, 11, 91 or however many different responses if I so choose. Which response is the 'correct' one? Are you going to ban entire blocks of addresses because one happened to match a known C&C host?
dzhiurgis, over 4 years ago
> Moving from reactive to proactive cybersecurity blocklists.

Well that might explain why once a year Salesforce randomly stops working with some server and of course support being so useless we just move server. 1 month later we get message “ah yeah that was us”.

But that was a pleasant read. Wonder if anyone ever tried to scan entire IPv6
yabones, over 4 years ago
This appears to be complementary to their other TLS fingerprinting project, JA3. Where JARM quickly scans servers for TLS configuration, JA3 sniffs network traffic to fingerprint client/server TLS handshakes.

I wonder what research is happening at Salesforce to create these byproducts.
mixologic, over 4 years ago
Seems like it's only a matter of time then that malicious servers wrap their TLS libs in a one time randomizer that gives them the appearance of not matching other C&C hosts.