Inferensys

Glossary

TLS Fingerprinting (JA4)

TLS fingerprinting is a technique that identifies client applications by analyzing the specific parameters of the TLS Client Hello message, including cipher suites, extensions, and elliptic curves, with JA4 being the modern standardized hash.
Modern WeWork hardware lab area with product team collaborating around AI device prototypes, 3D printer in background, dramatic industrial lighting with product sketches on glass walls.
CRYPTOGRAPHIC CLIENT IDENTIFICATION

What is TLS Fingerprinting (JA4)?

A technique that identifies client applications by analyzing the specific parameters of the TLS Client Hello message, with JA4 being the modern standardized hash method.

TLS fingerprinting is a passive traffic analysis technique that identifies a client application by inspecting the specific parameters advertised in its TLS Client Hello message. Unlike user-agent strings, which are trivially spoofed, this method examines the cryptographic handshake's cipher suites, supported extensions, elliptic curves, and signature algorithms to construct a unique, high-entropy identifier for the connecting software.

The JA4 standard modernizes legacy JA3 hashing by incorporating Application-Layer Protocol Negotiation (ALPN) values, sorting extensions to prevent trivial hash evasion, and producing a compact 12-character fingerprint. This enables security architects to reliably distinguish headless browsers, Python requests libraries, and custom scrapers from standard human-driven browsers at the network edge.

TLS CLIENT HELLO ANALYSIS

Key Features of JA4 Fingerprinting

JA4 provides a modern, standardized method for identifying client applications by hashing specific parameters of the TLS 1.3 Client Hello message, enabling precise bot detection and network security analysis.

01

Standardized Hashing Algorithm

JA4 generates a compact fingerprint by concatenating and hashing specific TLS Client Hello fields: TLS version, cipher suites, extensions, and elliptic curves. Unlike its predecessor JA3, JA4 uses a truncated SHA-256 hash that produces a consistent 12-character fingerprint regardless of input length. The algorithm sorts cipher suites and extensions alphabetically before hashing to ensure deterministic output across different client implementations.

  • Format: JA4=tls_version+cipher_hash+ext_hash+curve_hash
  • Consistency: Identical TLS stacks always produce identical fingerprints
  • Collision resistance: SHA-256 prevents fingerprint collisions between different clients
12 chars
Fingerprint Length
SHA-256
Hash Function
02

JA4+ Suite Extensions

Beyond the base JA4 fingerprint, the JA4+ suite provides additional fingerprinting dimensions for comprehensive client identification. JA4S fingerprints the server's TLS Server Hello response, capturing the server's chosen cipher suite and extensions. JA4H fingerprints HTTP/2 and HTTP/3 session parameters. JA4X captures X.509 certificate attributes. JA4SSH extends the methodology to SSH protocol negotiation.

  • JA4S: Server-side TLS fingerprinting for detecting spoofed servers
  • JA4H: HTTP/2 SETTINGS frame and pseudo-header order analysis
  • JA4X: TLS certificate issuer, validity period, and extension profiling
  • JA4SSH: SSH key exchange algorithm and cipher negotiation fingerprinting
04

Network Traffic Analysis Integration

JA4 fingerprints integrate directly into packet capture analysis and flow monitoring tools without requiring decryption of TLS traffic. Since the Client Hello is sent in cleartext before the encrypted tunnel is established, JA4 generation works on passive network observations. This enables Zeek, Suricata, and Wireshark plugins to tag sessions with JA4 hashes for threat hunting and anomaly detection.

  • Passive monitoring: No TLS decryption required; Client Hello is unencrypted
  • Zeek integration: Native JA4 scripting for real-time connection logging
  • Threat hunting: Identify C2 malware families by their distinctive TLS fingerprints
  • Flow correlation: Link encrypted sessions to specific applications without deep packet inspection
05

JA3 vs JA4: Key Improvements

JA4 addresses critical limitations of the legacy JA3 fingerprinting method. JA3 used MD5 hashing, which is vulnerable to collision attacks and produces unnecessarily long 32-character hashes. JA4 switches to truncated SHA-256 for security and brevity. JA4 also introduces GREASE detection — it identifies and ignores randomized TLS extension values that browsers inject to prevent protocol ossification, which JA3 incorrectly treated as unique fingerprint components.

  • Hash function: JA3 uses MD5; JA4 uses SHA-256
  • GREASE handling: JA4 automatically filters randomized extension values
  • Fingerprint length: JA3 produces 32 chars; JA4 produces 12 chars
  • Protocol support: JA4 natively supports TLS 1.3, while JA3 was designed for TLS 1.2
  • Backward compatibility: JA4 includes a JA3 compatibility mode for legacy systems
06

Enterprise Bot Management Deployment

JA4 fingerprinting is deployed at the CDN edge or reverse proxy layer to classify incoming traffic before it reaches origin servers. Combined with IP reputation and behavioral analysis, JA4 provides a hard-to-spoof signal for bot scoring. Enterprise implementations typically maintain a fingerprint allowlist for legitimate browser versions and a denylist for known automation tooling TLS signatures.

  • Edge deployment: Integrate with HAProxy, NGINX, or cloud WAF solutions
  • Fingerprint database: Maintain versioned signatures for Chrome, Firefox, Safari, and Edge releases
  • Correlation engine: Combine JA4 with JA4H and JA4S for multi-layer verification
  • False positive mitigation: Allowlist legitimate enterprise TLS-terminating proxies and API clients
TLS FINGERPRINTING EVOLUTION

JA3 vs. JA4 Fingerprinting

A technical comparison of the JA3 and JA4 TLS fingerprinting methodologies, detailing improvements in hash granularity, protocol coverage, and evasion resistance.

FeatureJA3JA4JA4+

Hashing Algorithm

MD5

SHA-256

SHA-256

Input Components

TLS Version, Ciphers, Extensions, Elliptic Curves

QUIC/TLS Version, Ciphers, Extensions, ALPN

JA4 + JA4_r (Response) + JA4_h (HTTP Headers)

Protocol Support

TLS 1.0 - 1.3

TLS 1.3, QUIC

TLS 1.3, QUIC, HTTP

Grease Resistance

Randomized Cipher Suites

HTTP/2 Fingerprinting

Server Response Fingerprinting

Hash Collision Risk

High (MD5)

Low (SHA-256)

Low (SHA-256)

TLS FINGERPRINTING

Frequently Asked Questions

Explore the mechanics of TLS fingerprinting and the JA4 standard, a critical technique for identifying AI crawlers and automated agents by analyzing the cryptographic parameters of their connection handshakes.

TLS Fingerprinting is a technique that identifies client applications by passively analyzing the specific parameters advertised in the TLS Client Hello message. When a client initiates a secure connection, it sends a packet listing its supported cipher suites, TLS extensions, elliptic curves, and signature algorithms. The unique combination and ordering of these attributes form a fingerprint that is highly specific to the TLS library and operating system stack. Unlike User-Agent strings, which are trivially spoofed, TLS parameters are generated deep within the cryptographic library and are extremely difficult to modify without breaking the handshake. This makes TLS fingerprinting a robust method for distinguishing legitimate browsers from headless automation tools, Python requests libraries, or custom AI crawlers.

Prasad Kumkar

About the author

Prasad Kumkar

CEO & MD, Inference Systems

Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.

His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.