What is an Account-Control Surface?
Understand the account-control surface and why account protection has to cover more than the login form.
Support FAQ
Mercury NPF, JA4, and JA3 can all describe features of a TLS ClientHello, but they make different tradeoffs. JA3 produces a compact exact-match identifier. JA4 produces a structured, partly readable identifier designed to be stable when ClientHello lists are reordered. NPF can retain a richer, versioned tree and also offers a compact hash nickname.
None of them identifies an application, device, or person with certainty. The useful question is not “which fingerprint wins?” It is “what representation and supporting context does this job require?”
| Question | JA3 | JA4 | Mercury NPF |
|---|---|---|---|
| What is the core output? | MD5 hash of a canonical TLS feature string | Three-part TLS identifier with a readable prefix and truncated SHA-256 sections | Versioned tree of selected protocol bytes, or a truncated SHA-256 nickname |
| Is the full selected structure retained? | Not in the hash | Partly; counts and a few properties are readable, while lists are hashed | Yes, in the full string representation |
| How is order handled? | Order remains significant after GREASE values are removed | Cipher and extension identifiers are sorted before hashing | The named format decides which lists remain ordered or are sorted |
| What matching fits naturally? | Exact lookup | Exact full or component lookup | Exact, and potentially prefix or approximate comparison with the full tree |
| Is classification built into the format? | No | No | No; Mercury can optionally add a separate knowledge base and destination-context classifier |
| Protocol scope | TLS client fingerprints | JA4 itself fingerprints TLS clients; JA4+ names a broader family | The draft NPF specification defines formats for several protocols |
Read the canonical details in what is JA3 fingerprinting?, what is JA4 fingerprinting?, and Cisco's draft NPF specification.
JA3 remains common in historical datasets, rules, and incident reports. Its fixed MD5 value is easy to index and compare. That compatibility can matter more than adopting a newer format immediately.
Its limitations are equally clear. A hash hides the source fields, exact matching is brittle when ordered features change, and a shared TLS stack can create collisions at the meaning level even when the hash itself has not collided. Keep the pre-hash string when investigation and migration matter.
JA4 is a good fit for compact telemetry, grouping, and rules that benefit from a more readable prefix and canonical sorting. Components can also be used separately when an analyst wants a broader cohort than the complete value.
JA4 is the TLS-client method. JA4+ is the name of a wider family that includes other protocol and direction-specific methods; it is not simply “JA4 with more server fields.” Cloudflare's “JA4 Signals” are behavioural aggregates around JA4, not another name for the JA4 format.
Normalisation improves stability, but it deliberately discards variation. Different clients can still share a JA4, and an active client can imitate the fields from another implementation.
NPF suits investigations and research where retained structure, explicit rule versions, and multiple protocol formats are valuable. An operator can inspect the selected bytes, see which parts were sorted, and retain a full representation for later comparison. The optional hash makes indexing easier without redefining the underlying fingerprint.
That richness costs storage and operational complexity. Systems must retain the format version, agree on matching rules, and handle longer values. Mercury's optional process analysis also needs a suitable, current knowledge base. It should not be compared with JA4 as though classifier output were part of the NPF string. See destination context and TLS attribution.
All three observe the handshake available at one capture point. A reverse proxy or TLS terminator can replace the visible client handshake on the next network leg. Browser and library updates cause drift. Shared stacks cause different software to look alike. Packet loss can prevent extraction, and deliberate mimicry can defeat naive attribution.
For threat hunting, retain raw context and review matches. For rate limits or blocking, combine a fingerprint with behaviour, route, account, network, and time-window evidence. A fingerprint is strongest as a cohort signal whose provenance can be checked later.
For the representation itself, read inside a Mercury NPF fingerprint. For the familiar portable formats, JA3 vs JA4 gives the narrower comparison.
Understand the account-control surface and why account protection has to cover more than the login form.
Learn about account takeover threats, protection strategies, and detection methods to secure your digital accounts and prevent unauthorised access.
An overview of Account Takeover Attacks
A practical reference for common AI crawler user agents, operators, purposes, and recommended Peakhour bot-management actions.
AI For Cybersecurity explains the concept in the context of AI security, with practical checks and mitigation considerations for site operators.
AI Image Generation explains the concept in the context of AI security, with practical checks and mitigation considerations for site operators.
© PEAKHOUR.IO PTY LTD 2026 ABN 76 619 930 826 All rights reserved.