Testing for Encryption
Network Monitoring for Encryption using Swift
I have lately been considering a way to test, in the wild, whether a specific network connection is encrypted or not. There is a concept called information entropy: a measure of how random (unpredictable) a data source is. There are well-understood formulas for calculating it; Wikipedia shows the function for those who are curious.
We can approximate this value by using gzip. First we take a stream of packet capture data and strip the headers off each packet. Then we compress the packet payloads and report the ratio of the compressed size to the uncompressed size. The problem then becomes that a packet that is small enough cannot be compressed meaningfully. To address that, we accumulate several packets per connection and evaluate them together.
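The following is an added Python example of the technique just described; it is not the Swift code from the post's project. It approximates entropy with the gzip compression ratio, computes the exact Shannon entropy alongside it for comparison, and accumulates payloads per connection (keyed by an assumed 5-tuple) so that small packets are only judged once enough bytes have been collected. The sample payloads are constructed inline, and the decision thresholds (ratio above 0.95, entropy above 7.5 bits per byte) and the 2048-byte minimum are assumptions chosen for the demonstration.

```python
import gzip
import hashlib
import math
from collections import defaultdict


def shannon_entropy(data: bytes) -> float:
    """Exact Shannon entropy in bits per byte (0.0 .. 8.0)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def gzip_ratio(data: bytes) -> float:
    """Compressed size / uncompressed size. Values near (or above) 1.0 mean
    gzip found nothing to squeeze, which is what ciphertext looks like.
    Note the gzip container adds ~18 bytes of framing, so tiny inputs
    always look incompressible regardless of content."""
    if not data:
        return 0.0
    return len(gzip.compress(data, compresslevel=9, mtime=0)) / len(data)


class FlowMonitor:
    """Accumulates stripped packet payloads per connection and only scores a
    flow once it has at least `min_bytes` of data (assumed threshold)."""

    def __init__(self, min_bytes: int = 2048,
                 ratio_threshold: float = 0.95,
                 entropy_threshold: float = 7.5):
        self.min_bytes = min_bytes
        self.ratio_threshold = ratio_threshold
        self.entropy_threshold = entropy_threshold
        self.flows = defaultdict(bytearray)

    def add_packet(self, five_tuple: tuple, payload: bytes) -> None:
        # five_tuple = (proto, src_ip, src_port, dst_ip, dst_port); the
        # caller has already removed link/IP/transport headers.
        self.flows[five_tuple].extend(payload)

    def assess(self, five_tuple: tuple):
        """Return None until enough bytes have been seen, else a verdict."""
        buf = bytes(self.flows.get(five_tuple, b""))
        if len(buf) < self.min_bytes:
            return None
        ratio = gzip_ratio(buf)
        ent = shannon_entropy(buf)
        return {
            "bytes": len(buf),
            "ratio": round(ratio, 3),
            "entropy": round(ent, 3),
            # Both signals must agree; compressed-but-unencrypted data
            # (e.g. gzip'd HTTP bodies) also scores high, so this flags
            # "high entropy", not "encrypted" with certainty.
            "likely_encrypted": ratio > self.ratio_threshold
            and ent > self.entropy_threshold,
        }


def constructed_plaintext(n: int) -> bytes:
    """Constructed sample: a repeated HTTP-style request (not a capture)."""
    req = (b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n"
           b"User-Agent: entropy-demo\r\nAccept: */*\r\n\r\n")
    return (req * (n // len(req) + 1))[:n]


def constructed_ciphertext(n: int) -> bytes:
    """Constructed sample: a deterministic SHA-256 chain, statistically
    indistinguishable from ciphertext for this purpose (not real TLS)."""
    out, block = bytearray(), hashlib.sha256(b"demo-seed").digest()
    while len(out) < n:
        out.extend(block)
        block = hashlib.sha256(block).digest()
    return bytes(out[:n])


def run_demo(packet_size: int = 100, total: int = 3000) -> dict:
    """Feed two constructed flows packet by packet and score them."""
    mon = FlowMonitor()
    clear = ("tcp", "10.0.0.1", 51000, "10.0.0.2", 80)     # assumed 5-tuples
    crypt = ("tcp", "10.0.0.1", 51001, "10.0.0.2", 443)
    for key, stream in ((clear, constructed_plaintext(total)),
                        (crypt, constructed_ciphertext(total))):
        for i in range(0, len(stream), packet_size):
            mon.add_packet(key, stream[i:i + packet_size])
    return {"clear": mon.assess(clear), "crypt": mon.assess(crypt)}


if __name__ == "__main__":
    for name, verdict in run_demo().items():
        print(name, verdict)
```

Running it prints a low ratio and roughly 4 to 5 bits/byte for the plaintext flow and a ratio slightly above 1.0 with close to 8 bits/byte for the ciphertext flow. Calling `gzip_ratio` on a single short packet returns a value above 1.0 even for plaintext, which is exactly why the per-connection accumulation is needed before drawing any conclusion.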
I saw a lot of DNS traffic using QUIC over UDP, as well as encrypted DNS traffic over TLS (DoT) on port 853.
See the code
You can find the source code for this project here.