JA3 Fingerprint.

A TLS client fingerprinting method by John Althouse, Jeff Atkinson, and Josh Atkins (Salesforce, 2017) that hashes the ordered TLS ClientHello parameters into a 32-character MD5 — used to identify and group TLS clients without inspecting payload. 它属于网络安全的 网络安全 分类。

A TLS client fingerprinting method by John Althouse, Jeff Atkinson, and Josh Atkins (Salesforce, 2017) that hashes the ordered TLS ClientHello parameters into a 32-character MD5 — used to identify and group TLS clients without inspecting payload.

JA3 is a TLS client fingerprinting technique published by John Althouse, Jeff Atkinson, and Josh Atkins of Salesforce in 2017. It hashes a deterministic, ordered string of the TLS ClientHello's negotiation parameters — TLS version, accepted ciphers, extensions, elliptic curves, and elliptic-curve point formats — into a 32-character MD5 string. Because most clients (browsers, libraries, malware C2 implants) produce a stable, library-specific ClientHello, JA3 hashes group traffic by client implementation regardless of destination, certificate, or SNI. A companion JA3S hashes the server's ServerHello. JA3 has been used widely to detect malware C2 channels whose Go/curl/Python TLS libraries produce distinctive hashes that differ from typical browsers, to fingerprint scanners and tools (Nmap, Burp, Cobalt Strike default profiles), and to enable TLS inventory without packet decryption. Modern weaknesses are well known: attackers can mimic browser ClientHellos with libraries such as utls; JA3 hashes can collide across genuinely different clients. JA4 (2023) and its variants address several JA3 limitations.

针对 JA3 Fingerprint 的防御通常结合技术控制与运营实践,详见上方完整定义。

常见的别称包括: JA3, JA3 hash。