What is an Account-Control Surface?
Understand the account-control surface and why account protection has to cover more than the login form.
Support FAQ
A fingerprint database is only as trustworthy as the evidence behind its labels. A large row count, familiar application name or precise-looking hash does not establish that the mapping is correct, current or exclusive.
Use this checklist before importing a public database into hunting, classification or enforcement.
First determine whether the source is:
These categories answer different questions. What Is a Network Fingerprint Database? explains the distinctions.
Ask how the application, library, operating system or malware label was established.
Stronger evidence includes:
Weaker evidence includes an unexplained community assertion, a user agent copied from the same connection, or a label inferred from another fingerprint database.
Watch for circular evaluation. If a row was labelled “Chrome” because its JA4 looked like Chrome, that row cannot independently prove that the same JA4 identifies Chrome.
A reusable row should record more than a hash and name:
fingerprint method and rule version
raw or reversible representation
application, library, OS and device labels
label source and collection method
capture point
first and last seen
observation count
supporting capture or evidence reference
review state and confidence
licence
Most public mappings do not meet this standard. The Salesforce JA3 examples lack per-row capture evidence and timestamps. FoxIO's public JA4 sample has useful cross-method columns but no per-row submitter, observation time or confidence. Trisul combines several historical sources but does not consistently attach provenance to each record.
That does not make the rows useless. It determines how strongly they can be interpreted.
Hash-only databases are easy to index and difficult to audit.
Where possible, retain:
JA4_r beside JA4;The source fields let an operator see whether the difference came from a cipher, extension, signature algorithm, ordering choice or format implementation. They also make it possible to migrate when a fingerprint definition changes.
Two tools can expose a field called ja4 and still disagree at malformed packets, truncated handshakes or new extensions. Record the implementation revision and configuration that produced the value.
For versioned formats, retain the rule version in the key. Mercury's tls, tls/1 and tls/2 formats make different sorting and selection decisions. A database that drops that version loses part of the fingerprint's meaning.
“One million fingerprints” can mean one million unlabelled observations. “Six million fingerprints” may refer to combinations feeding a proprietary device classifier. “626 JA3 rows” may mostly describe 2018-era clients.
Coverage questions include:
The TLS Fingerprint Observatory is valuable partly because it exposes prevalence even when labels are absent. That is more honest than filling unknown observations with confident names.
A database schema should support:
one fingerprint -> several candidate applications
one application -> several fingerprints
Shared TLS and SSH libraries make this unavoidable. A single “application” column encourages consumers to treat the most familiar label as exclusive.
Cisco Mercury's documented resource model records process counts, operating-system observations and destinations for each fingerprint. Its classifier then ranks candidates using context. The public production data is absent, but the schema demonstrates the right many-to-many shape. See the Mercury resource documentation.
Threat feeds need an additional boundary.
SSLBL says its JA3 fingerprints were collected from malware-generated PCAPs and not tested against known-good traffic. A database consumer should preserve that wording as something like:
observed_in_malware_samples = true
malware_family_labels = [...]
known_good_evaluation = not_performed
It should not be rewritten as:
fingerprint_is_malware = true
The distinction matters because malware often uses common TLS libraries. Cisco's destination-context paper found that many public malware JA3 indicators were more strongly associated with benign processes in its enterprise data. Accurate TLS Fingerprinting Using Destination Context and Knowledge Bases documents that result.
A fingerprint observed at an origin may describe a reverse proxy rather than the original client. A DHCP fingerprint comes from a different trust boundary than an HTTP user agent. A JARM value describes the TLS server behaviour seen through the scanning path.
Store the capture position and forwarding provenance. If a fingerprint is supplied in a request header, document which trusted edge generated it and strip client-supplied copies.
For every label, ask:
Public JA3 lists from 2018 remain useful for historical investigations. They should not silently become the baseline for current browser populations.
An open fingerprint algorithm does not guarantee an open database.
Core JA4 is BSD-licensed, while other JA4+ methods use the FoxIO License. That still does not establish the licence of the hosted JA4DB dataset. Nmap source and data files use the Nmap Public Source License, which places conditions on proprietary incorporation. Trisul's combined mapping repository lacks a clear dataset-wide licence.
Check:
If the dataset licence is unclear, link to the source rather than copying it into a product or public repository.
Before using a public mapping:
A database lookup should change the questions an analyst asks. It should not end the investigation by itself.
The current public resources are compared in Public Network Fingerprint Databases and What They Cover. For the protocol-level identity limit, see A Network Fingerprint Is a Cohort, Not a Client.
Understand the account-control surface and why account protection has to cover more than the login form.
Learn about account takeover threats, protection strategies, and detection methods to secure your digital accounts and prevent unauthorised access.
An overview of Account Takeover Attacks
A practical reference for common AI crawler user agents, operators, purposes, and recommended Peakhour bot-management actions.
AI For Cybersecurity explains the concept in the context of AI security, with practical checks and mitigation considerations for site operators.
AI Image Generation explains the concept in the context of AI security, with practical checks and mitigation considerations for site operators.
© PEAKHOUR.IO PTY LTD 2026 ABN 76 619 930 826 All rights reserved.