TLS/SSL project/library discussion

[ehsandeep]

This is the comparison between crypto/tls and zmap/zcrypto by @Mzack9999

Protocol	crypto/tls	zmap/zcrypto
SSLV1	❌	❌
SSLV2	❌	❌
SSLV3	✅ (deprecated in go1.18)	✅ (up to go 1.16)
TLS1.0	✅ (deprecated in go1.18)	✅ (up to go 1.16)
TLS1.1	✅ (deprecated in go1.18)	✅ (up to go 1.16)
TLS1.2	✅ (safe ciphers)	✅ safe + unsafe cipher (up to go 1.16)
TLS1.3	✅ (cipher autoselection)	❌

A few notes:

• zmap/zcrypto is not a ready drop-in replacement of the standard library and requires using their fork of net/http implementation stuck at go1.16. Additionally, they are missing all the new features of newer go versions (ALPN, HTTP2, QUIC, elliptic curves, digest signatures, ...)
• zmap/zcrypto exposes all the tls handshake information available up to go1.16 implementation
• go standard library since go1.18 is going to be very restrictive about supporting legacy ssl/tls http encryptions. Since legacy web services are the ones with probably more vulnerabilities, it’s not very good

Additionally, I found a few interesting alternative implementations with unique features:

• refraction-networking/utls contains low-level control of TLS tickets and the whole handshake flow + built-in randomization to bypass firewalls. Unfortunately, the library is not updated, but the concept is fascinating. Each device has a particular TLS fingerprinting that can be used by WAF to block specific requests
• useflyent/fhttp, Not explicitly related to the crypto library, but there is also another fork of net/http, It implements a series of features, including http2 customization as the standard go library has builtin settings that make the device easily fingerprint-able, whereas the library makes it behave like a chrome browser