Understand the JA4 Fingerprint Family

What is TLS Fingerprinting?

TLS fingerprinting identifies a client (browser, app, bot) by how it builds the TLS ClientHello. Even without cookies or IP stability, the combination of version, ciphers, extensions, and ALPN can persist across networks.

JA4, JA4_r, JA4_o, and JA4_ro

  • JA4: The canonical fingerprint. It normalizes cipher and extension ordering before hashing, so equivalent handshakes are easier to match.
  • JA4_r: The readable raw string behind ja4, useful for inspection and change tracking.
  • JA4_o: The original-order fingerprint. It preserves the exact order advertised in the ClientHello.
  • JA4_ro: The readable raw string behind ja4_o, useful for debugging client and proxy behavior.

Limitations and caveats

  • Fingerprints shift with browser/OS updates, enterprise policies, or TLS-intercepting proxies.
  • JA4 is more stable because it normalizes order, while JA4_o is more sensitive to middleboxes and implementation differences.
  • The JA4 family still reflects only ClientHello metadata, not full session behavior.

How is it created?

The fingerprint is derived by analyzing these parts of the TLS handshake:

  • TLS Version (e.g., TLS 1.3)
  • SNI presence and ALPN token
  • Accepted Cipher Suites
  • List of Extensions
  • Signature Algorithms
  • Whether lists are normalized or kept in original order

JA4 raw values use hex IDs matching IANA registries. ja4 sorts list fields for stability, while ja4_o preserves their original order.
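
The derivation above, worked through as an added example (not code from tlsinfo.me or the JA4 project). The page does not spell out the prefix layout, GREASE removal, 12-character SHA-256 truncation, or dropping SNI/ALPN only from the sorted extension list; those follow the public JA4 specification as understood here and should be treated as assumptions. The ClientHello fields are constructed.

```python
import hashlib

# GREASE code points (RFC 8701): 0x0a0a, 0x1a1a, ..., 0xfafa
GREASE = {(b << 8) | b for b in range(0x0A, 0x100, 0x10)}
VERSIONS = {0x0304: "13", 0x0303: "12", 0x0302: "11", 0x0301: "10"}
SNI, ALPN = 0x0000, 0x0010

def _hex(ids):
    return ",".join(f"{i:04x}" for i in ids)

def _h12(s):
    # Truncated SHA-256; an empty list hashes to twelve zeros
    return hashlib.sha256(s.encode()).hexdigest()[:12] if s else "0" * 12

def ja4_family(version, sni_present, ciphers, extensions, sig_algs, alpn,
               transport="t"):
    """version: highest offered TLS version, already resolved by the caller."""
    ciphers = [c for c in ciphers if c not in GREASE]
    extensions = [e for e in extensions if e not in GREASE]
    first = alpn[0] if alpn else ""
    tag = first[0] + first[-1] if first else "00"   # assumes alphanumeric ALPN
    a = "{}{}{}{:02d}{:02d}{}".format(
        transport, VERSIONS.get(version, "00"), "d" if sni_present else "i",
        min(len(ciphers), 99), min(len(extensions), 99), tag)

    def build(cs, es):
        c, e = _hex(cs), _hex(es)
        if sig_algs:                 # signature algorithms keep wire order
            e += "_" + _hex(sig_algs)
        return f"{a}_{c}_{e}", f"{a}_{_h12(c)}_{_h12(e)}"

    # Canonical form: sorted lists, SNI and ALPN dropped from the extension list
    ja4_r, ja4 = build(sorted(ciphers),
                       sorted(e for e in extensions if e not in (SNI, ALPN)))
    # Original-order form: lists exactly as advertised (minus GREASE)
    ja4_ro, ja4_o = build(ciphers, extensions)
    return {"ja4": ja4, "ja4_r": ja4_r, "ja4_o": ja4_o, "ja4_ro": ja4_ro}

# Constructed ClientHello fields (not captured from a real client)
SAMPLE = dict(
    version=0x0304, sni_present=True,
    ciphers=[0x0A0A, 0x1301, 0x1302, 0xC02B, 0x009C],
    extensions=[0x1A1A, 0x0000, 0x002B, 0x0010, 0x000D, 0x000A, 0x0033],
    sig_algs=[0x0403, 0x0804], alpn=["h2", "http/1.1"])

if __name__ == "__main__":
    for name, value in ja4_family(**SAMPLE).items():
        print(f"{name:7} {value}")
```

Reordering the cipher or extension list in SAMPLE leaves ja4 unchanged and changes ja4_o, which is the stability difference described under "Limitations and caveats".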


Make your results actionable

Test other clients

  • If your curl build and the endpoint support it, use curl --http3 https://tlsinfo.me/json to see how fingerprints change with QUIC/HTTP3.
  • Compare curl --tlsv1.3 https://tlsinfo.me/json vs --tlsv1.2.
  • Capture fingerprints from automation stacks (Playwright/Selenium) and compare browsers like Chrome and Firefox.
  • Re-run with VPN/proxy to check how middleboxes mutate the handshake.

Security team checklist

  • Treat JA4 and JA4_o as supporting telemetry; never block solely on a hash match.
  • Pair fingerprints with behavior, URI patterns, and auth context to reduce false positives.
  • Alert on sudden fingerprint changes per host/user; these often indicate malware or TLS interception.
  • Document privacy posture; disclose any correlation of fingerprints with identities.

Operationalize baselines

  • Pull https://tlsinfo.me/json from build agents to track JA4 / JA4_o drift before deploying browser or proxy updates.
  • Store the JA4 / JA4_o pair alongside user agents and OS versions to explain anomalous hashes in your SIEM.
  • Alert when handshake components (ALPN, signature schemes) change unexpectedly on critical services.
  • Keep a "golden" TLS profile for outbound tooling so bots and scripts don’t stand out from standard clients.
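
One way to triage the drift that the checklist and baseline items describe, as an added example (not part of the original page or the tlsinfo.me service). It assumes each stored record holds the host name plus ja4, ja4_o and ja4_r; the record layout, host names and placeholder hash values are constructed for illustration.

```python
def split_raw(raw):
    """Split a JA4_r string into named ClientHello components."""
    a, ciphers, rest = raw.split("_", 2)
    exts, _, sigs = rest.partition("_")
    return {"transport": a[0], "tls_version": a[1:3], "sni": a[3],
            "alpn": a[8:10], "ciphers": ciphers.split(","),
            "extensions": exts.split(","),
            "signature_algorithms": sigs.split(",") if sigs else []}

def classify_drift(base, seen):
    """Return (verdict, changed_components) for two records of one host."""
    if base["ja4"] == seen["ja4"]:
        # Same canonical hash: either identical or only reordered on the wire
        verdict = "match" if base["ja4_o"] == seen["ja4_o"] else "order-only"
        return verdict, []
    old, new = split_raw(base["ja4_r"]), split_raw(seen["ja4_r"])
    return "component-change", [k for k in old if old[k] != new[k]]

def triage(events, baselines):
    """Collect review items; these are leads to correlate, not block decisions."""
    alerts = []
    for ev in events:
        base = baselines.get(ev["host"])
        if base is None:
            alerts.append((ev["host"], "no-baseline", []))
            continue
        verdict, changed = classify_drift(base, ev)
        if verdict != "match":
            alerts.append((ev["host"], verdict, changed))
    return alerts

def rec(host, ja4, ja4_o, ja4_r):
    return {"host": host, "ja4": ja4, "ja4_o": ja4_o, "ja4_r": ja4_r}

# Constructed records; the 12-character hash parts are placeholders
RAW = "t13d0406h2_009c,1301,1302,c02b_000a,000d,002b,0033_0403,0804"
BASELINES = {h: rec(h, "t13d0406h2_aaaaaaaaaaaa_bbbbbbbbbbbb",
                    "t13d0406h2_cccccccccccc_dddddddddddd", RAW)
             for h in ("build-agent-1", "build-agent-2")}
EVENTS = [
    rec("build-agent-1", "t13d0406h2_aaaaaaaaaaaa_bbbbbbbbbbbb",
        "t13d0406h2_eeeeeeeeeeee_ffffffffffff", RAW),
    rec("build-agent-2", "t13d0406h1_aaaaaaaaaaaa_111111111111",
        "t13d0406h1_cccccccccccc_222222222222",
        "t13d0406h1_009c,1301,1302,c02b_000a,000d,002b,0033_0403,0804,0401"),
]

if __name__ == "__main__":
    for alert in triage(EVENTS, BASELINES):
        print(alert)
```

An "order-only" result points at a proxy or client stack reordering the ClientHello, while "component-change" names the fields (here ALPN and signature algorithms) to check against the recorded user agent and OS version.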

TLS Fingerprinting FAQ

ja4 gives you the canonical, normalized view of the handshake, which is better for matching equivalent clients. ja4_o preserves the original ordering from the wire, which is better for debugging exact client behavior. The raw strings ja4_r and ja4_ro show the component lists behind each hash.

Changing the fingerprint requires altering TLS handshake parameters. Some browsers and privacy tools randomize or standardize these fields, but doing so can interfere with compatibility. Review your network policies before deploying custom TLS stacks.

Treat the JA4 family as supporting telemetry, not a single source of truth. Combine fingerprint matches with behavioral analytics, maintain transparency with users, and respect regional privacy regulations when correlating device identities.

Small differences in OS, hardware acceleration, enterprise policies, proxies, or browser flags change cipher lists and extension order. Because ja4_o preserves ordering, it changes more readily than canonical ja4 when a middlebox or client stack reorders the ClientHello.

A VPN changes your IP but usually not your TLS stack. Your JA4 / JA4_o values often stay the same unless the VPN client or its proxy re-terminates TLS. Some stealth VPNs standardize TLS to blend in.

TLS 1.3 encrypts more of the handshake after the first messages, but the JA4 family relies on the unencrypted ClientHello. TLS 1.3 can reduce variance because modern stacks share similar defaults, yet extension order, ALPN, and signature schemes still provide identifiable signals.

Encrypted Client Hello (ECH) is a newer TLS extension that encrypts sensitive parts of the ClientHello, including the SNI and many other extensions. When ECH is active, network observers only see an "outer" generic ClientHello, significantly reducing the uniqueness of the fingerprint and making client identification much harder.

Use the copy buttons to grab the JSON or the JA4 / JA4_o values. Avoid pasting into public trackers with user identifiers attached; hashes alone do not expose your traffic contents but can correlate sessions if logged.

This page calls https://tlsinfo.me/json to compute your fingerprint. Like any website, that server sees your IP address and TLS ClientHello. The hashes and breakdowns shown here are rendered in your browser from the returned JSON. If you need to test without sending traffic, use sample data or run the API yourself.