TLS Fingerprinting - a method for identifying a TLS client without decrypting
Published Dec 30, 2016
Version 1.0Was this article helpful?
<quote>
While testing this I noticed that newer versions of Chrome and Opera added what looked like "markers" to the ciphersuite list, extensions list, and elliptic curves list (ex. 9A9A, 5A5A, EAEA, BABA - always some alphanumeric value, followed by 'A', and repeated.). A cursory search didn't explain what these are, so maybe someone will know and report back.
</quote>
I know this is old article and by now you might have already figured it out. I am replying it for the readers just in case if they are not aware of this. the strange codes (e.g. 0x9a9a, etc) that you see are TLS GREASE values. For more info see the internet draft https://www.ietf.org/id/draft-ietf-tls-grease-04.txt (as of today it is in version 4).