Inferensys

Glossary

JA4 Fingerprinting

A modern TLS fingerprinting method that generates a concise hash of the Client Hello packet parameters, enabling high-fidelity identification of malware and scraping tools regardless of destination IP.
Developer demonstrating multi-agent tool use, agent tool selection interface on laptop, casual tech demo moment.
TLS CLIENT IDENTIFICATION

What is JA4 Fingerprinting?

JA4 is a modern TLS fingerprinting method that generates a concise, human-readable hash of the Client Hello packet parameters, enabling high-fidelity identification of malware and scraping tools regardless of destination IP.

JA4 Fingerprinting is a passive network traffic analysis technique that creates a compact digital signature from the specific parameters negotiated during the initial Transport Layer Security (TLS) Client Hello handshake. Unlike its predecessor JA3, the JA4 method introduces a modular, extensible hashing format that separates protocol, cipher, and extension fields into distinct sections, allowing analysts to identify the originating client software, operating system, or malicious tool with greater granularity and precision.

This method is critical for web scraping mitigation and bot management because it operates transparently before any application data is exchanged. By fingerprinting the TLS layer, security infrastructure can identify and block automated scraping tools, headless browsers, and malware command-and-control traffic based on their unique cryptographic handshake patterns, even when the traffic is routed through residential proxies or VPNs designed to mask the source IP address.

TLS CLIENT HELLO HASHING

Key Features of JA4 Fingerprinting

JA4 fingerprinting generates a compact, human-readable hash from the parameters of the TLS Client Hello packet, enabling high-fidelity identification of client applications regardless of destination IP or port.

01

The JA4 Hash Structure

The JA4 fingerprint is a 12-character string composed of four distinct fields separated by underscores: JA4 = PROTO_TLS_CIPHER_EXT.

  • PROTO: Indicates the TLS version (e.g., t13 for TLS 1.3, t12 for TLS 1.2).
  • TLS: A hash of the ordered list of cipher suites.
  • CIPHER: A hash of the ordered list of TLS extensions.
  • EXT: A hash of the ALPN (Application-Layer Protocol Negotiation) values. This structured format allows for rapid, human-readable comparison and grouping of similar client behaviors.
12 chars
Hash Length
4 fields
Data Segments
02

Sorting for Stability

A critical innovation of JA4 over its predecessor JA3 is the mandatory sorting of cipher suites and extensions before hashing.

  • JA3 generated different fingerprints if a client randomized the order of its cipher list, causing fragmentation.
  • JA4 enforces a canonical sort order, ensuring that the same logical configuration always produces the same hash. This eliminates a major source of false negatives in threat hunting and asset identification.
100%
Ordering Consistency
03

Application Identification via ALPN

The fourth field of the JA4 hash is derived from the Application-Layer Protocol Negotiation (ALPN) extension. This field captures the specific application protocol the client intends to speak.

  • A standard web browser will present h2 and http/1.1.
  • A malware C2 agent might present a custom or absent ALPN value.
  • A Python requests library will have a distinct ALPN signature. This provides a powerful, high-level discriminator for identifying the software category.
h2, http/1.1
Common Browser ALPN
04

Grease Values and Intentional Randomization

Modern TLS libraries, particularly those in browsers, inject GREASE (Generate Random Extensions And Sustain Extensibility) values into the Client Hello.

  • These are random, invalid cipher suites and extensions designed to prevent protocol ossification.
  • JA4 intelligently filters out known GREASE codes before hashing.
  • Without this filtering, every connection from a Chrome browser would produce a unique, useless fingerprint. This filtering is essential for generating a stable, useful identifier.
0x0A0A
Example GREASE Code
05

Passive Network Deployment

JA4 fingerprinting is a passive identification technique. It operates by observing the initial unencrypted Client Hello packet in a TCP stream.

  • No injection: No packets are sent to the client.
  • No decryption: The analysis is performed on the plaintext handshake.
  • Minimal latency: The fingerprint is computed in microseconds. This makes it ideal for high-throughput network sensors, IDS/IPS platforms, and Zeek integrations where inline blocking or real-time alerting is required.
< 1 ms
Computation Time
06

Hunting Malware and C2 Frameworks

JA4 is a cornerstone of modern threat hunting because malware implants and command-and-control (C2) frameworks use distinct TLS libraries with unique, hard-coded configurations.

  • Cobalt Strike beacons have a characteristic set of cipher suites and extensions.
  • Metasploit payloads generate a different, equally identifiable JA4 hash.
  • Custom RATs often use outdated or minimal TLS stacks that stand out sharply against a background of standard browser traffic. Security teams maintain threat intelligence feeds of known-malicious JA4 hashes to detect compromised hosts.
Cobalt Strike
Commonly Fingerprinted
TLS FINGERPRINTING EVOLUTION

JA4 vs. JA3 vs. JA3S Fingerprinting

Comparison of three generations of TLS client fingerprinting methods used for identifying malware, botnets, and scraping tools in encrypted traffic.

FeatureJA3JA3SJA4

Hashing Target

Client Hello packet

Server Hello packet

Client Hello packet

Number of Fields Hashed

5 fields

5 fields

10+ fields

Protocol Support

TLS 1.2 and earlier

TLS 1.2 and earlier

TLS 1.2 and TLS 1.3

QUIC Protocol Support

Encrypted Client Hello (ECH) Resilience

ALPN Negotiation Captured

Hash Collision Rate

0.05%

0.05%

< 0.001%

Output Format

32-char MD5

32-char MD5

12-char truncated SHA-256

JA4 FINGERPRINTING

Frequently Asked Questions

Clear answers to the most common technical questions about JA4 fingerprinting, its operational mechanics, and its role in modern bot management and threat detection workflows.

JA4 fingerprinting is a method for generating a concise, human-readable hash of the parameters within a TLS Client Hello packet to identify the client application initiating an encrypted connection. It works by capturing specific, unencrypted fields from the initial handshake—including the TLS version, cipher suites, extensions, and elliptic curve preferences—and feeding them through a standardized hashing algorithm. The output is a short string like ja4=t13d1516h2_8daaf6152771_e5627efa2ab1. Unlike its predecessor JA3, JA4 introduces separate fingerprints for the client and server sides of the connection, accounts for QUIC protocol traffic, and normalizes the hash format to reduce collisions and improve consistency across diverse network environments. This passive identification technique requires no decryption and operates purely on observable metadata, making it ideal for high-throughput network monitoring and bot management platforms.

Prasad Kumkar

About the author

Prasad Kumkar

CEO & MD, Inference Systems

Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.

His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.