<?xml version="1.0" encoding="utf-8"?>
<feed xmlns="http://www.w3.org/2005/Atom"><title>Peakhour.IO - FingerprinTLS</title><link href="https://www.peakhour.io/" rel="alternate"></link><link href="https://www.peakhour.io/feeds/tag/fingerprintls.atom.xml" rel="self"></link><id>https://www.peakhour.io/</id><updated>2026-07-19T09:00:00+10:00</updated><entry><title>Before JA3: How TLS Handshakes Became Fingerprints</title><link href="https://www.peakhour.io/blog/before-ja3-tls-fingerprinting-history/" rel="alternate"></link><published>2026-07-19T09:00:00+10:00</published><updated>2026-07-19T09:00:00+10:00</updated><author><name>AC</name></author><id>tag:www.peakhour.io,2026-07-19:/blog/before-ja3-tls-fingerprinting-history/</id><summary type="html">&lt;p&gt;JA3 made TLS fingerprints easy to log and share, but the technical ideas behind it had already been tested in SSL Labs experiments, a p0f patch and FingerprinTLS.&lt;/p&gt;</summary><content type="html">&lt;p&gt;JA3 is often treated as the beginning of TLS fingerprinting. It was not. Its real contribution was narrower and, operationally, just as important: JA3 took a set of ideas that had been explored for years and turned them into a small identifier that ordinary security tools could carry.&lt;/p&gt;
&lt;p&gt;The path to that format runs through an SSL Labs experiment in 2009, an experimental p0f extension in 2012 and Lee Brotherston's FingerprinTLS work in 2015. Each step answered a different question. What can the cleartext handshake reveal? Which details survive often enough to identify a client? How do you turn those details into something an analyst can match? And, finally, how do you make the result portable?&lt;/p&gt;
&lt;p&gt;This is a documented lineage where the authors themselves cite the earlier work. The claim that JA3's decisive move was simplification is our interpretation of those sources, not a claim that every project shared one design plan.&lt;/p&gt;
&lt;h2&gt;2009: the cipher list as a client signature&lt;/h2&gt;
&lt;p&gt;In June 2009, Ivan Ristić described an experiment in &lt;a href="https://blog.ivanristic.com/2009/06/http-client-fingerprinting-using-ssl-handshake-analysis.html"&gt;HTTP client fingerprinting using SSL handshake analysis&lt;/a&gt;. He was working on SSL Labs and noticed a useful property of the initial handshake: clients sent different lists of supported cipher suites, and those lists were visible before encryption began.&lt;/p&gt;
&lt;p&gt;The important observation was not that any one cipher identified a browser. It was the combination of ciphers a client offered. Ristić recorded the entire list as a signature and compared it with the HTTP User-Agent seen after the connection was established. He then published &lt;a href="https://blog.ivanristic.com/2009/07/examples-of-the-information-collected-from-ssl-handshakes.html"&gt;examples collected from real SSL handshakes&lt;/a&gt;, showing that the approach could separate a range of browsers, command-line clients and crawlers.&lt;/p&gt;
&lt;p&gt;This early method was deliberately modest. It concentrated on the cipher-suite list. It did not define a general-purpose fingerprint containing every useful ClientHello feature, and it did not claim that a signature proved the identity of a process.&lt;/p&gt;
&lt;p&gt;Even so, the core technical idea was in place:&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre&gt;&lt;span&gt;&lt;/span&gt;&lt;code&gt;unencrypted ClientHello
  -&amp;gt; implementation-dependent choices
  -&amp;gt; repeatable signature
  -&amp;gt; comparison with previously observed clients
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;

&lt;p&gt;The handshake was no longer just cryptographic setup. It was passive metadata about the software constructing it.&lt;/p&gt;
&lt;h2&gt;2012: p0f adds order, extensions and matching rules&lt;/h2&gt;
&lt;p&gt;Marek Majkowski pushed the idea further in his 2012 &lt;a href="https://idea.popcount.org/2012-06-17-ssl-fingerprinting-for-p0f/"&gt;SSL fingerprinting patch for p0f&lt;/a&gt;. p0f was already known for passive operating-system fingerprinting at lower layers. Majkowski applied a similar signature-and-database model to SSL and TLS ClientHello messages.&lt;/p&gt;
&lt;p&gt;His post explicitly credits Ristić's 2009 work, then points to two details he believed deserved more attention: ordering and TLS extensions. The patch represented a fingerprint as four fields:&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre&gt;&lt;span&gt;&lt;/span&gt;&lt;code&gt;requested version : ordered ciphers : ordered extensions : flags
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;

&lt;p&gt;That is a meaningful technical step. Cipher suites are normally sent in preference order, and extension order can differ between implementations. Retaining those sequences gives the signature more discriminatory power than an unordered inventory. The flags recorded other behaviours, such as compression support or an unusual relationship between record and handshake versions.&lt;/p&gt;
&lt;p&gt;The implementation did more than print a string. It matched the result against a database of signatures that could contain wildcards and return a browser family, possible versions and sometimes a platform. The &lt;a href="https://gist.github.com/majek/2721464"&gt;original p0f patch and notes&lt;/a&gt; are still useful because they expose the boundary between observation and label: one part generates the raw signature; another compares it with knowledge gathered elsewhere.&lt;/p&gt;
&lt;p&gt;Majkowski also wrote with appropriate caution. His notes say that a ClientHello can sometimes identify the underlying SSL library and, for software with a custom build or distinctive feature set, may narrow the application version. "Sometimes" matters. Two applications using the same TLS stack can look alike, while one application can change its handshake when its library, configuration or build changes.&lt;/p&gt;
&lt;p&gt;The p0f work did not become the universal exchange format for TLS fingerprints. It did, however, demonstrate most of the ingredients that later systems would reuse: selected fields, preserved order, a serialised signature and a separate matching database.&lt;/p&gt;
&lt;h2&gt;2015: FingerprinTLS turns a method into a toolset&lt;/h2&gt;
&lt;p&gt;Lee Brotherston's 2015 work expanded the practical surface again. His DerbyCon and SecTor presentation, &lt;a href="https://archives.sector.ca/presentations15/BrotherstonTLS%20Fingerprinting%20SecTor.pdf"&gt;Stealthier Attacks and Smarter Defending with TLS Fingerprinting&lt;/a&gt;, examined TLS fingerprinting from both sides: defenders could recognise unexpected software, while an operator could alter a client's handshake to blend in or evade a simplistic rule.&lt;/p&gt;
&lt;p&gt;The associated &lt;a href="https://github.com/LeeBrotherston/tls-fingerprinting"&gt;FingerprinTLS repository&lt;/a&gt; packaged the approach into several working parts:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;code&gt;FingerprinTLS&lt;/code&gt; detected TLS sessions on a live interface or in a PCAP, created fingerprints and matched them;&lt;/li&gt;
&lt;li&gt;&lt;code&gt;fingerprints.json&lt;/code&gt; stored the known fingerprint database;&lt;/li&gt;
&lt;li&gt;&lt;code&gt;Fingerprintout&lt;/code&gt; exported observations into other forms, including Snort and Suricata rules.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;This was broader than calculating a digest. It was a workflow for capturing a handshake, retaining many of its characteristics, associating that observation with known software and moving the result into operational tools.&lt;/p&gt;
&lt;p&gt;The project also made an awkward truth visible: rich fingerprints are not especially convenient interchange formats. FingerprinTLS could inspect more detail, but exporting that detail into a rule language could lose accuracy. Its README warned that Snort and Suricata exports might require tuning because their rule syntax could not express the full matching logic.&lt;/p&gt;
&lt;p&gt;That trade-off set the stage for JA3. A detailed signature helps an analyst explain why two handshakes differ. A compact value is easier to add to a connection log, compare across sensors and share with another team. It is difficult to optimise one representation for both jobs.&lt;/p&gt;
&lt;h2&gt;2017: JA3 chooses portability&lt;/h2&gt;
&lt;p&gt;Salesforce open-sourced JA3 in 2017. John Althouse's original &lt;a href="https://engineering.salesforce.com/open-sourcing-ja3-92c9e53c3c41/"&gt;JA3 announcement&lt;/a&gt; directly cites Ristić's 2009 post and Brotherston's 2015 research. It also states the team's design requirement plainly: the result had to work with existing monitoring systems and load balancers, be independent of the destination, and be easy for other tools to consume.&lt;/p&gt;
&lt;p&gt;JA3 selected five ordered ClientHello feature groups:&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre&gt;&lt;span&gt;&lt;/span&gt;&lt;code&gt;TLS version,
cipher suites,
extension types,
supported groups,
elliptic-curve point formats
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;

&lt;p&gt;It rendered their numeric values into a comma-separated string, removed GREASE values, then calculated an MD5 digest. A long handshake description became a 32-character identifier.&lt;/p&gt;
&lt;p&gt;MD5 was not being used here to protect a password or prove integrity. It was a compact naming function. The security weakness of MD5 still means a JA3 value should not be treated as proof, but changing to a stronger digest would not solve the more common identification problem: unrelated software can naturally produce the same selected features, and software can deliberately copy another client's ClientHello.&lt;/p&gt;
&lt;p&gt;The simplification was substantial. Compared with FingerprinTLS, JA3 retained fewer fields and discarded the explanatory structure once the string was hashed. Compared with the p0f patch, it did not carry matching wildcards or classification rules in the fingerprint. What it gained was a common unit that could fit almost anywhere an operator could put a string.&lt;/p&gt;
&lt;p&gt;That was why JA3 travelled. A sensor could calculate the value, a SIEM could index it, an intelligence report could publish it and a rule could match it without every participant adopting the same fingerprint database or packet parser.&lt;/p&gt;
&lt;h2&gt;What JA3 inherited, and what it left behind&lt;/h2&gt;
&lt;p&gt;The documented history supports a few specific claims:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;Ristić showed in 2009 that an unencrypted SSL handshake, particularly its cipher list, could distinguish HTTP clients.&lt;/li&gt;
&lt;li&gt;Majkowski's 2012 p0f work explicitly built on that experiment and added ordered extensions, behavioural flags and database matching.&lt;/li&gt;
&lt;li&gt;Brotherston's 2015 research and FingerprinTLS made detailed capture, matching, creation and export available as a standalone toolset.&lt;/li&gt;
&lt;li&gt;Salesforce cited the earlier work when it released JA3 and designed a smaller representation for existing operational systems.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;It does not support treating a fingerprint as an application identity. Every stage depended on a set of observed features and, when a software name was returned, knowledge collected outside the handshake itself. The label could be useful without being certain.&lt;/p&gt;
&lt;p&gt;That distinction is easier to see when the formats are run side by side. Our reproducible lab feeds &lt;a href="/blog/one-clienthello-ja3-ja4-mercury-lab/"&gt;one ClientHello to JA3, JA4 and Cisco Mercury&lt;/a&gt; and records both the compact outputs and the detail each format preserves.&lt;/p&gt;
&lt;p&gt;JA3 was not the final step either. JA4 later changed the normalisation and output structure to cope with modern sources of instability, while Cisco's research followed a more structured, context-aware path. Those are separate branches, not one straight succession. We trace them in &lt;a href="/blog/two-lineages-tls-fingerprinting/"&gt;Two Lineages of TLS Fingerprinting&lt;/a&gt;.&lt;/p&gt;
&lt;p&gt;The useful lesson from the early history is not who coined the first fingerprint. It is that the representation determines the work you can do with it. Rich detail helps investigation. Compact identifiers help distribution. Neither turns a handshake into an identity document.&lt;/p&gt;</content><category term="Security"></category><category term="TLS Fingerprinting"></category><category term="JA3"></category><category term="FingerprinTLS"></category><category term="p0f"></category><category term="Network Fingerprinting"></category><category term="Security Research"></category></entry></feed>