How to defend against Account Takeovers
Learn about account takeover threats, protection strategies, and detection methods to secure your digital accounts and prevent unauthorised access.
A Quick Recap: What is JA3 TLS Fingerprinting?
JA3 is a method for creating a fingerprint of a client's TLS implementation based on the parameters in its initial Client Hello packet. When a client (like a browser or a script) initiates a secure connection, it sends a Client Hello message that advertises its capabilities, such as the TLS version, cipher suites it supports, extensions, and elliptic curves.
JA3 works by concatenating the decimal values of these fields in a specific order and then generating an MD5 hash of the resulting string.
JA3 = MD5(TLSVersion,Ciphers,Extensions,EllipticCurves,EllipticCurvePointFormats)
This 32-character hash is the JA3 fingerprint. Different clients (e.g., Chrome on Windows, a Python requests script, a piece of malware) will have different TLS implementations, resulting in a unique JA3 fingerprint. Security tools use this to identify and block malicious clients, as malware often has a different, and more static, JA3 hash than a standard web browser.
The Limitations of JA3
While powerful, JA3 has some limitations that attackers have learned to exploit:
- Lack of Granularity: The MD5 hash combines everything into a single, opaque value. You can't see why two fingerprints are different without looking at the raw data.
- Cipher Suite Ordering: Some legitimate applications, particularly those built with certain libraries like Go, randomize the order of their cipher suites. This causes their JA3 hash to change with every connection, making them difficult to track.
- Limited Application-Layer Info: JA3 only looks at the TLS layer. It has no information about the application making the request (e.g., the browser's User-Agent).
Introducing JA4: The Next Evolution
JA4 is a suite of TLS fingerprinting methods designed by the same creators as JA3 to address these limitations. It's not a single fingerprint but a collection of related fingerprints that provide more context and are more resilient to evasion. The main components are JA4, JA4S (for the server side), and JA4X (for certificate data). Here, we'll focus on the client-side JA4.
The JA4 fingerprint is a string composed of three distinct parts, separated by underscores.
JA4 = Protocol_CipherCount+CipherList_ExtensionCount+ExtensionList_SignatureAlgorithms
Let's break it down:
Part 1: Protocol and TLS Version (t or q)
tfor TLS 1.2 and below.qfor TLS 1.3.- Followed by the TLS version (e.g.,
t12for TLS 1.2,q13for TLS 1.3).
Part 2: Cipher Suites (Sorted)
- The number of cipher suites offered.
- An underscore
_. - A 5-character "fuzzy" hash of the sorted list of cipher suites.
- Why is this important? By sorting the cipher suites before hashing them, JA4 solves the problem of randomization seen in Go-based clients. A client that randomizes its cipher list will now have a consistent JA4 fingerprint.
Part 3: Extensions and Signature Algorithms
- The number of extensions.
- An underscore
_. - A 5-character "fuzzy" hash of the extensions list (also sorted).
- An underscore
_. - The signature algorithms used.
An Example JA4 Fingerprint
A typical JA4 fingerprint for a Chrome browser might look like this:
t13_17_15ae45e35b_13_22a2da45a2_0017
This is far more readable and useful than a simple MD5 hash. You can immediately see it's a TLS 1.3 client offering 17 ciphers and 13 extensions.
JA4+ and Application Data
The JA4 suite also introduces JA4+, which combines the JA4 network fingerprint with application-layer data from the HTTP request, such as:
- HTTP Method (GET, POST)
- HTTP Version (h1, h2)
- User-Agent
- Accept-Language header
This creates a much richer fingerprint that links the underlying TLS implementation to the specific application behavior, making it significantly harder for malware to impersonate a legitimate browser.
JA3 vs. JA4: Key Improvements
| Feature | JA3 | JA4 |
|---|---|---|
| Format | Single 32-character MD5 hash | Multi-part, human-readable string |
| Cipher Suite Order | Sensitive to order (problematic for Go) | Insensitive to order (solves the randomization problem) |
| Granularity | Opaque; no insight into the components | Transparent; shows protocol, counts, and hashes of individual parts |
| Extensibility | Limited | Part of a larger suite (JA4S, JA4X, JA4+) that adds server-side, certificate, and application data |
| Resilience | Can be brittle and easy to change | More robust and harder for attackers to mimic |
Conclusion
JA4 is a significant advancement in TLS fingerprinting. By providing a more granular, readable, and resilient fingerprint, it gives security teams a much more powerful tool for identifying malicious clients, tracking threat actors, and defending against sophisticated botnets and malware. As it sees wider adoption, it will raise the bar for attackers and improve the state of network threat detection.
Related Articles
What is an Account Takeover?
An overview of Account Takeover Attacks
Anatomy of a Credential Stuffing Attack
A step-by-step breakdown of how credential stuffing attacks are carried out, from obtaining stolen credentials to bypassing defenses and taking over accounts.
What is Anycast DNS?
An introduction to Anycast DNS
What is an Apex Domain?
A quick description about what an Apex Domain is.
Best Practices for API Key Management and Rotation
Learn the essential best practices for managing and rotating API keys to enhance security, prevent unauthorized access, and minimize the impact of key compromise.