JA3 Fingerprint.

A TLS client fingerprinting method by John Althouse, Jeff Atkinson, and Josh Atkins (Salesforce, 2017) that hashes the ordered TLS ClientHello parameters into a 32-character MD5 — used to identify and group TLS clients without inspecting payload. サイバーセキュリティの ネットワークセキュリティ カテゴリに属します。

A TLS client fingerprinting method by John Althouse, Jeff Atkinson, and Josh Atkins (Salesforce, 2017) that hashes the ordered TLS ClientHello parameters into a 32-character MD5 — used to identify and group TLS clients without inspecting payload.

JA3 is a TLS client fingerprinting technique published by John Althouse, Jeff Atkinson, and Josh Atkins of Salesforce in 2017. It hashes a deterministic, ordered string of the TLS ClientHello's negotiation parameters — TLS version, accepted ciphers, extensions, elliptic curves, and elliptic-curve point formats — into a 32-character MD5 string. Because most clients (browsers, libraries, malware C2 implants) produce a stable, library-specific ClientHello, JA3 hashes group traffic by client implementation regardless of destination, certificate, or SNI. A companion JA3S hashes the server's ServerHello. JA3 has been used widely to detect malware C2 channels whose Go/curl/Python TLS libraries produce distinctive hashes that differ from typical browsers, to fingerprint scanners and tools (Nmap, Burp, Cobalt Strike default profiles), and to enable TLS inventory without packet decryption. Modern weaknesses are well known: attackers can mimic browser ClientHellos with libraries such as utls; JA3 hashes can collide across genuinely different clients. JA4 (2023) and its variants address several JA3 limitations.

JA3 Fingerprint に対する防御は通常、上記の定義で述べたとおり、技術的統制と運用上の実践を組み合わせます。

一般的な別名: JA3, JA3 hash。