JA3 Fingerprint.

A TLS client fingerprinting method by John Althouse, Jeff Atkinson, and Josh Atkins (Salesforce, 2017) that hashes the ordered TLS ClientHello parameters into a 32-character MD5 — used to identify and group TLS clients without inspecting payload. It belongs to the Network Security category of cybersecurity.

A TLS client fingerprinting method by John Althouse, Jeff Atkinson, and Josh Atkins (Salesforce, 2017) that hashes the ordered TLS ClientHello parameters into a 32-character MD5 — used to identify and group TLS clients without inspecting payload.

JA3 is a TLS client fingerprinting technique published by John Althouse, Jeff Atkinson, and Josh Atkins of Salesforce in 2017. It hashes a deterministic, ordered string of the TLS ClientHello's negotiation parameters — TLS version, accepted ciphers, extensions, elliptic curves, and elliptic-curve point formats — into a 32-character MD5 string. Because most clients (browsers, libraries, malware C2 implants) produce a stable, library-specific ClientHello, JA3 hashes group traffic by client implementation regardless of destination, certificate, or SNI. A companion JA3S hashes the server's ServerHello. JA3 has been used widely to detect malware C2 channels whose Go/curl/Python TLS libraries produce distinctive hashes that differ from typical browsers, to fingerprint scanners and tools (Nmap, Burp, Cobalt Strike default profiles), and to enable TLS inventory without packet decryption. Modern weaknesses are well known: attackers can mimic browser ClientHellos with libraries such as utls; JA3 hashes can collide across genuinely different clients. JA4 (2023) and its variants address several JA3 limitations.

Defences for JA3 Fingerprint typically combine technical controls and operational practices, as detailed in the full definition above.

Common alternative names include: JA3, JA3 hash.