JA3 Fingerprint
Qu'est-ce que JA3 Fingerprint ?
JA3 FingerprintA TLS client fingerprinting method by John Althouse, Jeff Atkinson, and Josh Atkins (Salesforce, 2017) that hashes the ordered TLS ClientHello parameters into a 32-character MD5 — used to identify and group TLS clients without inspecting payload.
JA3 is a TLS client fingerprinting technique published by John Althouse, Jeff Atkinson, and Josh Atkins of Salesforce in 2017. It hashes a deterministic, ordered string of the TLS ClientHello's negotiation parameters — TLS version, accepted ciphers, extensions, elliptic curves, and elliptic-curve point formats — into a 32-character MD5 string. Because most clients (browsers, libraries, malware C2 implants) produce a stable, library-specific ClientHello, JA3 hashes group traffic by client implementation regardless of destination, certificate, or SNI. A companion JA3S hashes the server's ServerHello. JA3 has been used widely to detect malware C2 channels whose Go/curl/Python TLS libraries produce distinctive hashes that differ from typical browsers, to fingerprint scanners and tools (Nmap, Burp, Cobalt Strike default profiles), and to enable TLS inventory without packet decryption. Modern weaknesses are well known: attackers can mimic browser ClientHellos with libraries such as utls; JA3 hashes can collide across genuinely different clients. JA4 (2023) and its variants address several JA3 limitations.
● Exemples
- 01
A SOC sees a JA3 hash matching a known Cobalt Strike default malleable profile on an internal endpoint, kicking off an IR investigation.
- 02
A passive TLS inventory groups traffic by JA3 to estimate the share of corporate traffic still using outdated OpenSSL versions.
● Questions fréquentes
Qu'est-ce que JA3 Fingerprint ?
A TLS client fingerprinting method by John Althouse, Jeff Atkinson, and Josh Atkins (Salesforce, 2017) that hashes the ordered TLS ClientHello parameters into a 32-character MD5 — used to identify and group TLS clients without inspecting payload. Cette notion relève de la catégorie Sécurité réseau en cybersécurité.
Que signifie JA3 Fingerprint ?
A TLS client fingerprinting method by John Althouse, Jeff Atkinson, and Josh Atkins (Salesforce, 2017) that hashes the ordered TLS ClientHello parameters into a 32-character MD5 — used to identify and group TLS clients without inspecting payload.
Comment fonctionne JA3 Fingerprint ?
JA3 is a TLS client fingerprinting technique published by John Althouse, Jeff Atkinson, and Josh Atkins of Salesforce in 2017. It hashes a deterministic, ordered string of the TLS ClientHello's negotiation parameters — TLS version, accepted ciphers, extensions, elliptic curves, and elliptic-curve point formats — into a 32-character MD5 string. Because most clients (browsers, libraries, malware C2 implants) produce a stable, library-specific ClientHello, JA3 hashes group traffic by client implementation regardless of destination, certificate, or SNI. A companion JA3S hashes the server's ServerHello. JA3 has been used widely to detect malware C2 channels whose Go/curl/Python TLS libraries produce distinctive hashes that differ from typical browsers, to fingerprint scanners and tools (Nmap, Burp, Cobalt Strike default profiles), and to enable TLS inventory without packet decryption. Modern weaknesses are well known: attackers can mimic browser ClientHellos with libraries such as utls; JA3 hashes can collide across genuinely different clients. JA4 (2023) and its variants address several JA3 limitations.
Comment se défendre contre JA3 Fingerprint ?
Les défenses contre JA3 Fingerprint combinent habituellement des contrôles techniques et des pratiques opérationnelles, comme détaillé dans la définition ci-dessus.
Quels sont les autres noms de JA3 Fingerprint ?
Noms alternatifs courants : JA3, JA3 hash.
● Termes liés
- network-security№ 629
JA4 Fingerprint
A 2023 successor to JA3, published by John Althouse at FoxIO, that produces structured, human-readable TLS, HTTP, SSH, and TCP fingerprints designed to remain robust as TLS clients evolve and to be paired across protocols.
- network-security№ 1280
Handshake TLS
Echange initial du protocole Transport Layer Security qui authentifie le serveur (et eventuellement le client) et derive les cles symetriques chiffrant le reste de la session.
- network-security№ 1279
TLS (Transport Layer Security)
Protocole cryptographique standardisé par l'IETF qui fournit confidentialité, intégrité et authentification au trafic entre deux applications en réseau.
- cryptography№ 190
Suite cryptographique
Combinaison nommée d'algorithmes — échange de clés, authentification, chiffrement, intégrité — négociée par des protocoles comme TLS pour une session donnée.
- defense-ops№ 338
Ingenierie de detection
Discipline consistant a concevoir, tester, deployer et maintenir des detections de securite comme du code, avec une couverture mesurable des techniques adverses.
- network-security№ 326
Inspection approfondie des paquets (DPI)
Technique d'inspection qui examine la totalité de la charge utile des paquets, pas seulement leurs en-têtes, pour identifier applications, contenus et menaces.