Understand TLS Fingerprinting

What is TLS Fingerprinting?

TLS fingerprinting identifies a client (browser, app, bot) by how it builds the TLS Client Hello. Even without cookies or IP stability, the combination of version, ciphers, extensions, and ALPN can persist across networks.

JA3 vs JA4

  • JA3: The original standard that concatenates and hashes five fields from the Client Hello message. It's widely used but has limitations.
  • JA4: A newer, more flexible fingerprinting method. It provides more context, is easier to parse, and better handles modern TLS features.

How is it created?

The fingerprint is derived by analyzing these parts of the TLS handshake:

  • TLS Version (e.g., TLS 1.3)
  • Accepted Cipher Suites
  • List of Extensions and their order
  • Supported Elliptic Curves & Signature Algorithms
  • Application Layer Protocols (ALPN)

Make your results actionable

Test other clients

  • Use curl --http3 https://tlsinfo.me/json to see how fingerprints change with QUIC/HTTP3.
  • Compare curl --tlsv1.3 https://tlsinfo.me/json vs --tlsv1.2.
  • Capture fingerprints from automation stacks (Playwright/Selenium) and compare browsers like Chrome and Firefox.
  • Re-run with VPN/proxy to check how middleboxes mutate the handshake.

Security team checklist

  • Treat JA3/JA4 as supporting telemetry; never block solely on a hash match.
  • Pair with behavior (JA3 + URI patterns + auth context) to reduce false positives.
  • Alert on sudden fingerprint changes per host/user—often malware or TLS interception.
  • Document privacy posture; disclose any correlation of fingerprints with identities.

Operationalize baselines

  • Pull https://tlsinfo.me/json from build agents to track hash drift before deploying browser or proxy updates.
  • Store the JA3/JA4 pairs alongside user agents and OS versions to explain anomalous hashes in your SIEM.
  • Alert when handshake components (ALPN, signature schemes) change unexpectedly on critical services.
  • Keep a "golden" TLS profile for outbound tooling so bots and scripts don’t stand out from standard clients.

TLS Fingerprinting FAQ

JA3 condenses TLS version, cipher suites, extensions, elliptic curves, and EC point formats into a single MD5 hash. JA4 keeps similar components but encodes them as readable tokens so analysts can compare fingerprints without decoding the hash.

Changing the fingerprint requires altering TLS handshake parameters. Some browsers and privacy tools randomize or standardize these fields, but doing so can interfere with compatibility. Review your network policies before deploying custom TLS stacks.

Treat JA3 and JA4 as supporting telemetry, not a single source of truth. Combine fingerprint matches with behavioral analytics, maintain transparency with users, and respect regional privacy regulations when correlating device identities.

Small differences in OS, hardware acceleration, enterprise policies, proxies, or browser flags change cipher lists and extension order. Middleboxes that terminate TLS can also rewrite the ClientHello, producing a different hash.
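The JA3 construction and its sensitivity to ordering, described in the answers above, as an added example (not code from this page or from the JA3 project). It builds the JA3 string from already-parsed ClientHello fields, drops GREASE placeholder values as JA3 does, and names which field is behind a hash change. The dictionary keys, the function names and the sample values are assumptions made for the illustration.

```python
import hashlib

FIELDS = ("ciphers", "extensions", "curves", "point_formats")

def is_grease(value: int) -> bool:
    """RFC 8701 GREASE placeholders: 0x0a0a, 0x1a1a, ... 0xfafa."""
    return (value & 0x0F0F) == 0x0A0A and (value >> 8) == (value & 0xFF)

def strip_grease(values):
    return [v for v in values if not is_grease(v)]

def ja3_string(hello: dict) -> str:
    """Five comma-separated fields; list values in decimal, joined by '-',
    kept in the order the client sent them, with GREASE values dropped."""
    parts = [str(hello["version"])]
    parts += ["-".join(map(str, strip_grease(hello[f]))) for f in FIELDS]
    return ",".join(parts)

def ja3_hash(hello: dict) -> str:
    return hashlib.md5(ja3_string(hello).encode("ascii")).hexdigest()

def explain_drift(baseline: dict, observed: dict) -> dict:
    """Name the fields behind a hash change: same values in a new order
    ('reordered') or a different set of values ('changed')."""
    diff = {}
    if baseline["version"] != observed["version"]:
        diff["version"] = "changed"
    for f in FIELDS:
        a, b = strip_grease(baseline[f]), strip_grease(observed[f])
        if a != b:
            diff[f] = "reordered" if sorted(a) == sorted(b) else "changed"
    return diff

# Constructed sample values, not captured from a real client.
BASELINE = {
    "version": 771,  # 0x0303, the ClientHello version field
    "ciphers": [4865, 4866, 4867, 49195],
    "extensions": [0, 10, 11, 13, 16, 43, 51],
    "curves": [29, 23, 24],
    "point_formats": [0],
}
REORDERED = dict(BASELINE, extensions=[0, 11, 10, 13, 16, 43, 51])
WITH_GREASE = dict(BASELINE, ciphers=[0x0A0A] + BASELINE["ciphers"])

if __name__ == "__main__":
    for name, hello in [("baseline", BASELINE), ("reordered", REORDERED),
                        ("with GREASE", WITH_GREASE)]:
        print(f"{name:12} {ja3_hash(hello)} {explain_drift(BASELINE, hello)}")
```

Storing the pre-hash string next to the hash in your SIEM lets an analyst run this kind of field-level comparison later, which the MD5 alone cannot support.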

A VPN changes your IP but usually not your TLS stack. Your JA3/JA4 often stays the same unless the VPN client or its proxy re-terminates TLS. Some stealth VPNs standardize TLS to blend in.

TLS 1.3 encrypts more of the handshake after the first messages, but JA3/JA4 rely on the unencrypted ClientHello. TLS 1.3 can reduce variance because modern stacks share similar defaults, yet extension order and ALPN still provide identifiable signals.

Use the copy buttons to grab the JSON or the JA3/JA4 hashes. Avoid pasting into public trackers with user identifiers attached; hashes alone do not expose your traffic contents but can correlate sessions if logged.