Model and implementation of user activity tracking utilizing the TLS Client Hello's server name extension

This paper puts forward a feasible, non-intrusive, method of tracking user activity using TLS's Client Hello section of a handshake (specified in the TLS protocol), namely the server name extension. This method can provide an attacker with relevant information regarding patterns and services utilized inside of the target network, further expanding their understanding of the attack surface, potentially, serving as a tool to determine the timing of an attack or, even, provide an attacker with knowledge of a point of entry to a given system.