JA4 Fingerprint.

A 2023 successor to JA3, published by John Althouse at FoxIO, that produces structured, human-readable TLS, HTTP, SSH, and TCP fingerprints designed to remain robust as TLS clients evolve and to be paired across protocols. It belongs to the Network Security category of cybersecurity.

A 2023 successor to JA3, published by John Althouse at FoxIO, that produces structured, human-readable TLS, HTTP, SSH, and TCP fingerprints designed to remain robust as TLS clients evolve and to be paired across protocols.

JA4 (and the JA4+ family — JA4S, JA4H, JA4X, JA4SSH, JA4T, JA4L) is a 2023 evolution of JA3 published by John Althouse at FoxIO. Where JA3 produced an opaque MD5, JA4 produces a structured string with explicit fields and a small truncated hash, so a fingerprint is both human-readable and trivially groupable by partial match. JA4 covers more parts of the handshake (e.g. signature algorithms, ALPN, the actual TLS version negotiated vs. the offered one) and ignores well-known fields that change for noise reasons, making the resulting fingerprint more stable across TLS-extension shuffling. JA4S fingerprints the server's response, JA4H fingerprints HTTP requests, JA4X fingerprints X.509 certificate issuers, JA4T fingerprints raw TCP options, JA4L estimates light-latency on the path, and JA4SSH fingerprints SSH client handshakes. The license is BSD-3, and integrations exist in Zeek, Wireshark, Suricata, Cloudflare's edge, and several commercial NDR products. JA4-based detections increasingly replace or complement JA3 in modern threat-hunt content.

Defences for JA4 Fingerprint typically combine technical controls and operational practices, as detailed in the full definition above.

Common alternative names include: JA4+, JA4S, JA4H, JA4X.