In one embodiment, a traffic analysis service obtains telemetry data regarding encrypted traffic associated with a particular device in the network, wherein the telemetry data comprises Transport Layer Security (TLS) features of the traffic. The service determines, based on the TLS features from the obtained telemetry data, a set of one or more TLS fingerprints for the traffic associated with the particular device. The service calculates a measure of similarity between the set of one or more TLS fingerprints for the traffic associated with the particular device and a set of one or more TLS fingerprints of traffic associated with a second device. The service determines, based on the measure of similarity, that the particular device and the second device were operated by the same user.