JA4 Fingerprint
Qu'est-ce que JA4 Fingerprint ?
JA4 FingerprintA 2023 successor to JA3, published by John Althouse at FoxIO, that produces structured, human-readable TLS, HTTP, SSH, and TCP fingerprints designed to remain robust as TLS clients evolve and to be paired across protocols.
JA4 (and the JA4+ family — JA4S, JA4H, JA4X, JA4SSH, JA4T, JA4L) is a 2023 evolution of JA3 published by John Althouse at FoxIO. Where JA3 produced an opaque MD5, JA4 produces a structured string with explicit fields and a small truncated hash, so a fingerprint is both human-readable and trivially groupable by partial match. JA4 covers more parts of the handshake (e.g. signature algorithms, ALPN, the actual TLS version negotiated vs. the offered one) and ignores well-known fields that change for noise reasons, making the resulting fingerprint more stable across TLS-extension shuffling. JA4S fingerprints the server's response, JA4H fingerprints HTTP requests, JA4X fingerprints X.509 certificate issuers, JA4T fingerprints raw TCP options, JA4L estimates light-latency on the path, and JA4SSH fingerprints SSH client handshakes. The license is BSD-3, and integrations exist in Zeek, Wireshark, Suricata, Cloudflare's edge, and several commercial NDR products. JA4-based detections increasingly replace or complement JA3 in modern threat-hunt content.
● Exemples
- 01
An NDR product tags a high-confidence Cobalt Strike beacon by matching its JA4 fingerprint plus a JA4H HTTP header pattern.
- 02
A defender writes a Suricata rule that alerts on any TLS client whose JA4 matches a known Go-`net/http` malware family but whose JA4H differs from the legitimate Go SDK signature.
● Questions fréquentes
Qu'est-ce que JA4 Fingerprint ?
A 2023 successor to JA3, published by John Althouse at FoxIO, that produces structured, human-readable TLS, HTTP, SSH, and TCP fingerprints designed to remain robust as TLS clients evolve and to be paired across protocols. Cette notion relève de la catégorie Sécurité réseau en cybersécurité.
Que signifie JA4 Fingerprint ?
A 2023 successor to JA3, published by John Althouse at FoxIO, that produces structured, human-readable TLS, HTTP, SSH, and TCP fingerprints designed to remain robust as TLS clients evolve and to be paired across protocols.
Comment fonctionne JA4 Fingerprint ?
JA4 (and the JA4+ family — JA4S, JA4H, JA4X, JA4SSH, JA4T, JA4L) is a 2023 evolution of JA3 published by John Althouse at FoxIO. Where JA3 produced an opaque MD5, JA4 produces a structured string with explicit fields and a small truncated hash, so a fingerprint is both human-readable and trivially groupable by partial match. JA4 covers more parts of the handshake (e.g. signature algorithms, ALPN, the actual TLS version negotiated vs. the offered one) and ignores well-known fields that change for noise reasons, making the resulting fingerprint more stable across TLS-extension shuffling. JA4S fingerprints the server's response, JA4H fingerprints HTTP requests, JA4X fingerprints X.509 certificate issuers, JA4T fingerprints raw TCP options, JA4L estimates light-latency on the path, and JA4SSH fingerprints SSH client handshakes. The license is BSD-3, and integrations exist in Zeek, Wireshark, Suricata, Cloudflare's edge, and several commercial NDR products. JA4-based detections increasingly replace or complement JA3 in modern threat-hunt content.
Comment se défendre contre JA4 Fingerprint ?
Les défenses contre JA4 Fingerprint combinent habituellement des contrôles techniques et des pratiques opérationnelles, comme détaillé dans la définition ci-dessus.
Quels sont les autres noms de JA4 Fingerprint ?
Noms alternatifs courants : JA4+, JA4S, JA4H, JA4X.
● Termes liés
- network-security№ 628
JA3 Fingerprint
A TLS client fingerprinting method by John Althouse, Jeff Atkinson, and Josh Atkins (Salesforce, 2017) that hashes the ordered TLS ClientHello parameters into a 32-character MD5 — used to identify and group TLS clients without inspecting payload.
- network-security№ 1280
Handshake TLS
Echange initial du protocole Transport Layer Security qui authentifie le serveur (et eventuellement le client) et derive les cles symetriques chiffrant le reste de la session.
- network-security№ 1279
TLS (Transport Layer Security)
Protocole cryptographique standardisé par l'IETF qui fournit confidentialité, intégrité et authentification au trafic entre deux applications en réseau.
- defense-ops№ 338
Ingenierie de detection
Discipline consistant a concevoir, tester, deployer et maintenir des detections de securite comme du code, avec une couverture mesurable des techniques adverses.
- network-security№ 326
Inspection approfondie des paquets (DPI)
Technique d'inspection qui examine la totalité de la charge utile des paquets, pas seulement leurs en-têtes, pour identifier applications, contenus et menaces.
- network-security№ 609
Système de détection d'intrusion (IDS)
Contrôle de sécurité passif qui surveille l'activité réseau ou hôte à la recherche de comportements malveillants et émet des alertes sans bloquer le trafic.