JA4+ is a suite of modular network fingerprints. It succeeds the 2017 JA3 standard for TLS fingerprinting, refining and extending the model from a single method into a broader toolset for network fingerprinting.
The Essence of JA4+
JA4+ provides a set of fingerprints for multiple protocols. Each component of a signature—expressed in an a_b_c format—stands alone for more granular inspection. That structure lets you focus on targeted parts of the fingerprint while keeping the design simple enough to extend.
JA4+ consists of various components:
- JA4: TLS Client
- JA4S: TLS Server Response
- JA4H: HTTP Client
- JA4L: Light Distance/Location
- JA4X: X509 TLS Certificate
- JA4SSH: SSH Traffic
For a more thorough breakdown, the JA4 blog provides the announcement and describes the fingerprints.
JA4+ brings useful improvements, but a few aspects and quirks deserve closer attention.
The Quest for Fidelity: A Peakhour Experiment
JA4+ brings a useful change in the sorting of TLS cipher extensions, especially because cipher suites often appear in random order. Peakhour's experiments, however, highlight the need for caution with TLS cipher ordering in the signature, which was implemented to reduce the impact of cipher stunting: our tests showed a loss of fidelity. This is why logging raw signatures remains important. It preserves the flexibility needed for detailed post-analysis, including analysis of fidelity loss and implementation variations.
The overview of TLS fingerprinting provides a more in-depth explanation of how a TLS signature is formed.
Google Chrome's recent initiative to randomise a portion of the TLS fingerprint highlights the need for sorting. While this move aimed to stop server implementers fixating on Chrome's fingerprint, the outcome was not fully anticipated. Peakhour's data suggests that the number of unique fingerprints soared after the Chrome update, making it almost impossible to identify the Chrome network stack through the TLS fingerprint alone. Sort normalisation of the TLS extensions solves this problem whilst maintaining almost 99% signature fidelity.
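The two effects described above (extension sorting collapsing Chrome-style randomisation, and cipher sorting costing fidelity) can be reproduced with a small sketch. This is an added example, not Peakhour's code and not the JA4+ reference algorithm: it uses a simplified a_b_c layout, and the function names, the count prefix and the sample cipher and extension values are assumptions constructed for illustration.

```python
import hashlib
import random

# GREASE placeholders (RFC 8701) carry no client identity, so drop them.
GREASE = {0x0A0A + 0x1010 * i for i in range(16)}

def _part(values, do_sort):
    """Return (count, raw hex list, truncated SHA-256) for one section."""
    values = [v for v in values if v not in GREASE]
    if do_sort:
        values = sorted(values)
    raw = ",".join(f"{v:04x}" for v in values)
    return len(values), raw, hashlib.sha256(raw.encode()).hexdigest()[:12]

def fingerprint(ciphers, extensions, sort_ciphers=True, sort_exts=True):
    """Simplified a_b_c fingerprint; returns both the raw and hashed forms."""
    n_c, raw_b, hash_b = _part(ciphers, sort_ciphers)
    n_e, raw_c, hash_c = _part(extensions, sort_exts)
    a = f"c{n_c:02d}e{n_e:02d}"  # assumed prefix: cipher and extension counts
    return {"raw": f"{a}_{raw_b}_{raw_c}", "hash": f"{a}_{hash_b}_{hash_c}"}

def unique_hashes(hellos, **opts):
    """Number of distinct hashed fingerprints across a set of ClientHellos."""
    return len({fingerprint(c, e, **opts)["hash"] for c, e in hellos})

# Constructed sample values, not captured traffic.
CIPHERS = [0x1301, 0x1302, 0x1303, 0xC02B, 0xC02F, 0xC02C, 0xC030]
EXTS = [0x0000, 0x0017, 0xFF01, 0x000A, 0x000B, 0x0023, 0x0010,
        0x0005, 0x000D, 0x0012, 0x0033, 0x002D, 0x002B, 0x001B]

def shuffled_hellos(n=200, seed=1):
    """One client stack that randomises extension order on every connection."""
    rng = random.Random(seed)
    return [(CIPHERS, [0x0A0A] + rng.sample(EXTS, len(EXTS))) for _ in range(n)]

def two_stacks():
    """Two hypothetical stacks: same cipher set, different preference order."""
    return [(CIPHERS, EXTS), (CIPHERS[::-1], EXTS)]

if __name__ == "__main__":
    hellos = shuffled_hellos()
    print("extension order kept:", unique_hashes(hellos, sort_exts=False))
    print("extensions sorted   :", unique_hashes(hellos, sort_exts=True))
    print("cipher order kept   :", unique_hashes(two_stacks(), sort_ciphers=False))
    print("ciphers sorted      :", unique_hashes(two_stacks(), sort_ciphers=True))
    print("raw form to log     :", fingerprint(*hellos[0])["raw"])
```

Storing the `raw` string next to the hash is what allows the unsorted variant to be recomputed later, which a hash on its own cannot provide.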
The H2 Signature Choice
Peakhour opts for the H2 signature over the HTTP signature to enhance fidelity. JA4+ does not include an H2 signature, which is a detail worth noting.
Nod to the Pioneers
Before digging further into JA4+'s features and limitations, it's worth acknowledging its predecessors. The Cisco Mercury format has significantly shaped network fingerprinting. Its preference for raw signatures aligns with JA4+ and offers a proven method for handling diverse signature production. The original JA3 also laid important groundwork (JA4+ is by the same author as JA3).
Trade-offs and Future Avenues
While sharing signatures through SHA is appealing, it has limits, most notably potential compatibility issues. As Fastly noted, differences in the implementation can be hidden behind the SHA hash, causing issues when searching for and correlating signatures between different services. JA4 tries to address this with open-source app support.
A New Chapter in Network Fingerprinting?
JA4+ is a notable development in network fingerprinting. Its applicability, modularity, and extensibility make it useful for threat-hunting and advanced security analysis. As the method continues to evolve, future enhancements and applications are worth watching.
For contribution and discussion, the official JA4+ repository is available. It is an open platform for the community to discuss, develop, and refine the toolset.
We welcome the overall initiative and the renewed interest in fingerprinting that JA4+ has sparked. It is a practical next step in network security.