uTLS Fingerprint Mismatch Vulnerability in GREASE ECH Cipher Suite Selection
Vulnerability
A fingerprint mismatch vulnerability has been identified in uTLS versions 1.6.0 through 1.8.0, specifically when using GREASE ECH. This issue arises from how cipher suites are selected, leading to a mismatch with Chrome's handling of ECH. In uTLS, the Chrome parrot hardcodes a preference for AES in the outer ClientHello while randomly selecting between AES and ChaCha20 for the ECH cipher suite. This creates a 50% chance of an incompatible selection, as Chrome does not allow such a combination. The vulnerability only affects GREASE ECH; in standard ECH, uTLS correctly mirrors Chrome's cipher suite selection. The issue has been resolved in uTLS version 1.8.1.
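As an added illustration (not code from uTLS or from this advisory), the Go check below tests whether a GREASE ECH AEAD is consistent with the cipher preference of the outer ClientHello. It assumes the pairing rule implied above, that the ECH AEAD family must match the first TLS 1.3 suite offered; the function names and the sample suite list are constructed for the example.

```go
package main

import (
	"errors"
	"fmt"
)

// HPKE AEAD identifiers (RFC 9180) as carried in the ECH extension.
const (
	hpkeAES128GCM        uint16 = 0x0001
	hpkeAES256GCM        uint16 = 0x0002
	hpkeChaCha20Poly1305 uint16 = 0x0003
)

// outerPrefersAES reports whether the first TLS 1.3 suite in the outer
// ClientHello is AES-GCM. GREASE values and TLS 1.2 suites are skipped.
func outerPrefersAES(suites []uint16) (bool, error) {
	for _, s := range suites {
		switch s {
		case 0x1301, 0x1302: // TLS_AES_128_GCM_SHA256, TLS_AES_256_GCM_SHA384
			return true, nil
		case 0x1303: // TLS_CHACHA20_POLY1305_SHA256
			return false, nil
		}
	}
	return false, errors.New("no TLS 1.3 cipher suite in outer ClientHello")
}

// echMatchesOuter applies the assumed rule: ECH AEAD family == outer preference.
func echMatchesOuter(suites []uint16, echAEAD uint16) (bool, error) {
	aes, err := outerPrefersAES(suites)
	if err != nil {
		return false, err
	}
	switch echAEAD {
	case hpkeAES128GCM, hpkeAES256GCM:
		return aes, nil
	case hpkeChaCha20Poly1305:
		return !aes, nil
	}
	return false, fmt.Errorf("unknown HPKE AEAD id %#06x", echAEAD)
}

func main() {
	// Constructed sample: GREASE value, then AES-first TLS 1.3 suites, then a TLS 1.2 suite.
	outer := []uint16{0x2a2a, 0x1301, 0x1302, 0x1303, 0xc02b}
	for _, aead := range []uint16{hpkeAES128GCM, hpkeChaCha20Poly1305} {
		ok, err := echMatchesOuter(outer, aead)
		fmt.Printf("ECH AEAD %#06x consistent=%v err=%v\n", aead, ok, err)
	}
}
```

With an AES-first outer ClientHello, the ChaCha20 case is the mismatch the affected versions produce about half the time.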
Impact
This vulnerability causes a fingerprint mismatch with Chrome, which could lead to improper handling of ECH and could weaken fingerprinting resistance.
Remediation
Users can upgrade to uTLS version 1.8.1 to address this vulnerability.
