TLS fingerprinting is a passive traffic analysis technique that identifies a client application by inspecting the specific parameters advertised in its TLS Client Hello message. Unlike user-agent strings, which are trivially spoofed, this method examines the cryptographic handshake's cipher suites, supported extensions, elliptic curves, and signature algorithms to construct a unique, high-entropy identifier for the connecting software.
Glossary
TLS Fingerprinting (JA4)

What is TLS Fingerprinting (JA4)?
A technique that identifies client applications by analyzing the specific parameters of the TLS Client Hello message, with JA4 being the modern standardized hash method.
The JA4 standard modernizes legacy JA3 hashing by incorporating Application-Layer Protocol Negotiation (ALPN) values, sorting extensions to prevent trivial hash evasion, and producing a compact 12-character fingerprint. This enables security architects to reliably distinguish headless browsers, Python requests libraries, and custom scrapers from standard human-driven browsers at the network edge.
Key Features of JA4 Fingerprinting
JA4 provides a modern, standardized method for identifying client applications by hashing specific parameters of the TLS 1.3 Client Hello message, enabling precise bot detection and network security analysis.
Standardized Hashing Algorithm
JA4 generates a compact fingerprint by concatenating and hashing specific TLS Client Hello fields: TLS version, cipher suites, extensions, and elliptic curves. Unlike its predecessor JA3, JA4 uses a truncated SHA-256 hash that produces a consistent 12-character fingerprint regardless of input length. The algorithm sorts cipher suites and extensions alphabetically before hashing to ensure deterministic output across different client implementations.
- Format:
JA4=tls_version+cipher_hash+ext_hash+curve_hash - Consistency: Identical TLS stacks always produce identical fingerprints
- Collision resistance: SHA-256 prevents fingerprint collisions between different clients
JA4+ Suite Extensions
Beyond the base JA4 fingerprint, the JA4+ suite provides additional fingerprinting dimensions for comprehensive client identification. JA4S fingerprints the server's TLS Server Hello response, capturing the server's chosen cipher suite and extensions. JA4H fingerprints HTTP/2 and HTTP/3 session parameters. JA4X captures X.509 certificate attributes. JA4SSH extends the methodology to SSH protocol negotiation.
- JA4S: Server-side TLS fingerprinting for detecting spoofed servers
- JA4H: HTTP/2 SETTINGS frame and pseudo-header order analysis
- JA4X: TLS certificate issuer, validity period, and extension profiling
- JA4SSH: SSH key exchange algorithm and cipher negotiation fingerprinting
Network Traffic Analysis Integration
JA4 fingerprints integrate directly into packet capture analysis and flow monitoring tools without requiring decryption of TLS traffic. Since the Client Hello is sent in cleartext before the encrypted tunnel is established, JA4 generation works on passive network observations. This enables Zeek, Suricata, and Wireshark plugins to tag sessions with JA4 hashes for threat hunting and anomaly detection.
- Passive monitoring: No TLS decryption required; Client Hello is unencrypted
- Zeek integration: Native JA4 scripting for real-time connection logging
- Threat hunting: Identify C2 malware families by their distinctive TLS fingerprints
- Flow correlation: Link encrypted sessions to specific applications without deep packet inspection
JA3 vs JA4: Key Improvements
JA4 addresses critical limitations of the legacy JA3 fingerprinting method. JA3 used MD5 hashing, which is vulnerable to collision attacks and produces unnecessarily long 32-character hashes. JA4 switches to truncated SHA-256 for security and brevity. JA4 also introduces GREASE detection — it identifies and ignores randomized TLS extension values that browsers inject to prevent protocol ossification, which JA3 incorrectly treated as unique fingerprint components.
- Hash function: JA3 uses MD5; JA4 uses SHA-256
- GREASE handling: JA4 automatically filters randomized extension values
- Fingerprint length: JA3 produces 32 chars; JA4 produces 12 chars
- Protocol support: JA4 natively supports TLS 1.3, while JA3 was designed for TLS 1.2
- Backward compatibility: JA4 includes a JA3 compatibility mode for legacy systems
Enterprise Bot Management Deployment
JA4 fingerprinting is deployed at the CDN edge or reverse proxy layer to classify incoming traffic before it reaches origin servers. Combined with IP reputation and behavioral analysis, JA4 provides a hard-to-spoof signal for bot scoring. Enterprise implementations typically maintain a fingerprint allowlist for legitimate browser versions and a denylist for known automation tooling TLS signatures.
- Edge deployment: Integrate with HAProxy, NGINX, or cloud WAF solutions
- Fingerprint database: Maintain versioned signatures for Chrome, Firefox, Safari, and Edge releases
- Correlation engine: Combine JA4 with JA4H and JA4S for multi-layer verification
- False positive mitigation: Allowlist legitimate enterprise TLS-terminating proxies and API clients
JA3 vs. JA4 Fingerprinting
A technical comparison of the JA3 and JA4 TLS fingerprinting methodologies, detailing improvements in hash granularity, protocol coverage, and evasion resistance.
| Feature | JA3 | JA4 | JA4+ |
|---|---|---|---|
Hashing Algorithm | MD5 | SHA-256 | SHA-256 |
Input Components | TLS Version, Ciphers, Extensions, Elliptic Curves | QUIC/TLS Version, Ciphers, Extensions, ALPN | JA4 + JA4_r (Response) + JA4_h (HTTP Headers) |
Protocol Support | TLS 1.0 - 1.3 | TLS 1.3, QUIC | TLS 1.3, QUIC, HTTP |
Grease Resistance | |||
Randomized Cipher Suites | |||
HTTP/2 Fingerprinting | |||
Server Response Fingerprinting | |||
Hash Collision Risk | High (MD5) | Low (SHA-256) | Low (SHA-256) |
Frequently Asked Questions
Explore the mechanics of TLS fingerprinting and the JA4 standard, a critical technique for identifying AI crawlers and automated agents by analyzing the cryptographic parameters of their connection handshakes.
TLS Fingerprinting is a technique that identifies client applications by passively analyzing the specific parameters advertised in the TLS Client Hello message. When a client initiates a secure connection, it sends a packet listing its supported cipher suites, TLS extensions, elliptic curves, and signature algorithms. The unique combination and ordering of these attributes form a fingerprint that is highly specific to the TLS library and operating system stack. Unlike User-Agent strings, which are trivially spoofed, TLS parameters are generated deep within the cryptographic library and are extremely difficult to modify without breaking the handshake. This makes TLS fingerprinting a robust method for distinguishing legitimate browsers from headless automation tools, Python requests libraries, or custom AI crawlers.
Enabling Efficiency, Speed & Accuracy
Intelligent Analysis, Decision & Execution
We build AI systems for teams that need search across company data, workflow automation across tools, or AI features inside products and internal software.
Talk to Us
Search across company data
Give teams answers from docs, tickets, runbooks, and product data with sources and permissions.
Useful when people spend too long searching or get different answers from different systems.

Automate internal workflows
Use AI to route work, draft outputs, trigger actions, and keep approvals and logs in place.
Useful when repetitive work moves across multiple tools and teams.

Add AI to products and internal tools
Build assistants, guided actions, or decision support into the software your team or customers already use.
Useful when AI needs to be part of the product, not a separate tool.
Related Terms
JA4 fingerprinting operates within a broader stack of identification and access control technologies. These related concepts form the foundation of modern bot detection and AI crawler governance.
JA3 Fingerprint
The predecessor to JA4, JA3 generates an MD5 hash from five parameters of the TLS Client Hello: TLS version, accepted cipher suites, list of extensions, elliptic curves, and elliptic curve point formats. While widely adopted in threat hunting and Zeek integrations, JA3 suffers from hash collisions and cannot distinguish between clients that negotiate different ALPN protocols. JA4 improves upon this by incorporating ALPN and using a more collision-resistant hashing methodology.
JA4+ Suite
JA4 is the foundational fingerprint in a family of network traffic identification methods that extend beyond the Client Hello. The suite includes:
- JA4S: Server Hello fingerprint, capturing the server's cipher selection and extensions
- JA4H: HTTP/2 fingerprint based on SETTINGS frame order and values
- JA4X: X.509 certificate fingerprint derived from issuer and subject fields
- JA4SSH: SSH session fingerprint from key exchange algorithm negotiation This multi-protocol approach enables end-to-end session correlation even when traffic is proxied or decrypted.
TLS Client Hello
The unencrypted initial packet sent by a client to initiate a TLS handshake. It advertises the client's capabilities including supported cipher suites, TLS protocol version, compression methods, and extensions such as Server Name Indication (SNI) and Application-Layer Protocol Negotiation (ALPN). Because this packet is sent in cleartext before encryption is established, it provides a rich, observable signature that JA4 captures and hashes. Different TLS libraries (OpenSSL, BoringSSL, NSS, Go crypto/tls) produce distinct Client Hello structures.
ALPN Negotiation
Application-Layer Protocol Negotiation is a TLS extension that allows the client to advertise which application protocols it supports (e.g., h2 for HTTP/2, http/1.1, h3 for HTTP/3). The server selects one from the list. JA4 incorporates the ALPN value as a critical differentiator, enabling it to distinguish between a browser negotiating HTTP/2 and a Python requests library negotiating only HTTP/1.1—a distinction JA3 could not make. This is essential for identifying headless browsers and API clients masquerading as legitimate traffic.
GREASE Values
Generate Random Extensions And Sustain Extensibility is a protocol hardening technique defined in RFC 8701. Clients inject random, invalid values into TLS extensions, cipher suite lists, and ALPN advertisements to prevent servers from developing brittle, hardcoded assumptions about specific implementations. JA4 must correctly handle GREASE values by ignoring them during hash computation. A client that does not implement GREASE—common in custom scripts and older libraries—produces a more stable, identifiable fingerprint that stands out from browser traffic.
Passive OS Fingerprinting
A complementary technique to TLS fingerprinting that analyzes TCP/IP stack attributes in passively observed packets to identify the connecting host's operating system. Key signals include:
- Initial TTL value: Windows uses 128, Linux uses 64
- TCP window size: Varies by OS and version
- Don't Fragment (DF) flag behavior
- TCP option ordering and timestamps Combined with JA4, passive OS fingerprinting creates a multi-layer identification matrix that can detect mismatches—such as a Linux TLS stack advertising a Windows TCP signature, indicating a proxy or spoofed environment.

About the author
Prasad Kumkar
CEO & MD, Inference Systems
Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.
His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.
Partnered with leading AI, data, and software stack.
How We Work
Custom AI workflows for your Business
One-fit-all AI don't work for modern businesses. At Inferensys, we aim to understand your business & custom requirements; which we use to define most efficient agentic workflows, the data, and the tools for your business.
01
Review the use case
We understand the task, the users, and where AI can actually help.
Read more02
Pick the right approach
We define what needs search, automation, or product integration.
Read more03
Build the first useful version
We implement the part that proves the value first.
Read more04
Improve from there
We add the checks and visibility needed to keep it useful.
Read moreThe first call is a practical review of your use case and the right next step.
Talk to Us