<?xml version="1.0" encoding="utf-8"?>
<feed xmlns="http://www.w3.org/2005/Atom"><title>Peakhour.IO - JA4</title><link href="https://www.peakhour.io/" rel="alternate"></link><link href="https://www.peakhour.io/feeds/tag/ja4.atom.xml" rel="self"></link><id>https://www.peakhour.io/</id><updated>2026-09-06T09:00:00+10:00</updated><entry><title>What an Open Network Fingerprint Database Should Publish</title><link href="https://www.peakhour.io/blog/open-network-fingerprint-database-schema/" rel="alternate"></link><published>2026-09-06T09:00:00+10:00</published><updated>2026-09-06T09:00:00+10:00</updated><author><name>AC</name></author><id>tag:www.peakhour.io,2026-09-06:/blog/open-network-fingerprint-database-schema/</id><summary type="html">&lt;p&gt;A useful open fingerprint database needs provenance, competing labels, raw evidence, format versions and licences—not another unexplained hash list.&lt;/p&gt;</summary><content type="html">&lt;p&gt;An open fingerprint database should let another researcher disagree with it.&lt;/p&gt;
&lt;p&gt;That requires more than a hash and an application name. The row needs to show which bytes produced the fingerprint, how the label was established, where the traffic was observed, which software generated the value and what competing explanations remain plausible.&lt;/p&gt;
&lt;p&gt;Most public databases were built for a narrower purpose. Historical JA3 lists made values easy to share. Threat feeds made malware observations easy to match. Nmap and p0f made signature rules executable. TLS observatories count what appears at their vantage points. Those are sensible designs for their jobs.&lt;/p&gt;
&lt;p&gt;They do not yet add up to a reusable open ground-truth corpus.&lt;/p&gt;
&lt;h2&gt;Start with observations, not verdicts&lt;/h2&gt;
&lt;p&gt;The fundamental database object should be an observation:&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre&gt;&lt;span&gt;&lt;/span&gt;&lt;code&gt;&lt;span class="p"&gt;{&lt;/span&gt;
&lt;span class="w"&gt;  &lt;/span&gt;&lt;span class="nt"&gt;&amp;quot;observation_id&amp;quot;&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="s2"&gt;&amp;quot;...&amp;quot;&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;
&lt;span class="w"&gt;  &lt;/span&gt;&lt;span class="nt"&gt;&amp;quot;observed_at&amp;quot;&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="s2"&gt;&amp;quot;2026-07-12T00:00:00Z&amp;quot;&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;
&lt;span class="w"&gt;  &lt;/span&gt;&lt;span class="nt"&gt;&amp;quot;capture&amp;quot;&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="p"&gt;{&lt;/span&gt;
&lt;span class="w"&gt;    &lt;/span&gt;&lt;span class="nt"&gt;&amp;quot;position&amp;quot;&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="s2"&gt;&amp;quot;client-facing edge&amp;quot;&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;
&lt;span class="w"&gt;    &lt;/span&gt;&lt;span class="nt"&gt;&amp;quot;collector&amp;quot;&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="s2"&gt;&amp;quot;mercury&amp;quot;&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;
&lt;span class="w"&gt;    &lt;/span&gt;&lt;span class="nt"&gt;&amp;quot;collector_revision&amp;quot;&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="s2"&gt;&amp;quot;3172786...&amp;quot;&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;
&lt;span class="w"&gt;    &lt;/span&gt;&lt;span class="nt"&gt;&amp;quot;source&amp;quot;&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="s2"&gt;&amp;quot;controlled-client-run&amp;quot;&lt;/span&gt;
&lt;span class="w"&gt;  &lt;/span&gt;&lt;span class="p"&gt;},&lt;/span&gt;
&lt;span class="w"&gt;  &lt;/span&gt;&lt;span class="nt"&gt;&amp;quot;fingerprints&amp;quot;&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="p"&gt;[],&lt;/span&gt;
&lt;span class="w"&gt;  &lt;/span&gt;&lt;span class="nt"&gt;&amp;quot;labels&amp;quot;&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="p"&gt;[],&lt;/span&gt;
&lt;span class="w"&gt;  &lt;/span&gt;&lt;span class="nt"&gt;&amp;quot;evidence&amp;quot;&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="p"&gt;[],&lt;/span&gt;
&lt;span class="w"&gt;  &lt;/span&gt;&lt;span class="nt"&gt;&amp;quot;licence&amp;quot;&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="s2"&gt;&amp;quot;...&amp;quot;&lt;/span&gt;
&lt;span class="p"&gt;}&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;

&lt;p&gt;The observation can then carry several fingerprint methods and several candidate labels. This is safer than making the hash the primary truth and forcing one application name into the same row.&lt;/p&gt;
&lt;h2&gt;Store the reversible material&lt;/h2&gt;
&lt;p&gt;Each fingerprint entry should contain the published identifier and the material used to derive it:&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre&gt;&lt;span&gt;&lt;/span&gt;&lt;code&gt;&lt;span class="p"&gt;{&lt;/span&gt;
&lt;span class="w"&gt;  &lt;/span&gt;&lt;span class="nt"&gt;&amp;quot;method&amp;quot;&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="s2"&gt;&amp;quot;ja4&amp;quot;&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;
&lt;span class="w"&gt;  &lt;/span&gt;&lt;span class="nt"&gt;&amp;quot;implementation&amp;quot;&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="s2"&gt;&amp;quot;FoxIO Python&amp;quot;&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;
&lt;span class="w"&gt;  &lt;/span&gt;&lt;span class="nt"&gt;&amp;quot;implementation_revision&amp;quot;&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="s2"&gt;&amp;quot;...&amp;quot;&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;
&lt;span class="w"&gt;  &lt;/span&gt;&lt;span class="nt"&gt;&amp;quot;value&amp;quot;&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="s2"&gt;&amp;quot;t12d2709h2_..._...&amp;quot;&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;
&lt;span class="w"&gt;  &lt;/span&gt;&lt;span class="nt"&gt;&amp;quot;raw_value&amp;quot;&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="s2"&gt;&amp;quot;t12d2709h2_002f,...&amp;quot;&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;
&lt;span class="w"&gt;  &lt;/span&gt;&lt;span class="nt"&gt;&amp;quot;source_message_digest&amp;quot;&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="s2"&gt;&amp;quot;sha256:...&amp;quot;&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;
&lt;span class="w"&gt;  &lt;/span&gt;&lt;span class="nt"&gt;&amp;quot;truncated&amp;quot;&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="kc"&gt;false&lt;/span&gt;
&lt;span class="p"&gt;}&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;

&lt;p&gt;For JA3, retain the five-part source string beside the MD5. For JA4, retain &lt;code&gt;JA4_r&lt;/code&gt; where collection policy permits it. For Mercury, retain the complete versioned NPF string rather than only its hash nickname. For HASSH, retain the algorithm lists. For a matcher rule, retain the response bytes or sanitised fixture that satisfied it.&lt;/p&gt;
&lt;p&gt;This permits field-level comparison, implementation testing and migration when a definition changes. It also exposes incompatible values hidden behind a common field name.&lt;/p&gt;
&lt;h2&gt;Make labels many-to-many&lt;/h2&gt;
&lt;p&gt;Labels should be separate evidence-backed assertions:&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre&gt;&lt;span&gt;&lt;/span&gt;&lt;code&gt;&lt;span class="p"&gt;{&lt;/span&gt;
&lt;span class="w"&gt;  &lt;/span&gt;&lt;span class="nt"&gt;&amp;quot;type&amp;quot;&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="s2"&gt;&amp;quot;process&amp;quot;&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;
&lt;span class="w"&gt;  &lt;/span&gt;&lt;span class="nt"&gt;&amp;quot;value&amp;quot;&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="s2"&gt;&amp;quot;example-client&amp;quot;&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;
&lt;span class="w"&gt;  &lt;/span&gt;&lt;span class="nt"&gt;&amp;quot;version&amp;quot;&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="s2"&gt;&amp;quot;1.2.3&amp;quot;&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;
&lt;span class="w"&gt;  &lt;/span&gt;&lt;span class="nt"&gt;&amp;quot;source&amp;quot;&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="s2"&gt;&amp;quot;endpoint-telemetry-join&amp;quot;&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;
&lt;span class="w"&gt;  &lt;/span&gt;&lt;span class="nt"&gt;&amp;quot;review_state&amp;quot;&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="s2"&gt;&amp;quot;reviewed&amp;quot;&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;
&lt;span class="w"&gt;  &lt;/span&gt;&lt;span class="nt"&gt;&amp;quot;confidence&amp;quot;&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="mf"&gt;0.94&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;
&lt;span class="w"&gt;  &lt;/span&gt;&lt;span class="nt"&gt;&amp;quot;first_seen&amp;quot;&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="s2"&gt;&amp;quot;...&amp;quot;&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;
&lt;span class="w"&gt;  &lt;/span&gt;&lt;span class="nt"&gt;&amp;quot;last_seen&amp;quot;&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="s2"&gt;&amp;quot;...&amp;quot;&lt;/span&gt;
&lt;span class="p"&gt;}&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;

&lt;p&gt;One fingerprint can have several process labels because applications share libraries. One process can have several fingerprints because versions, platforms and configurations differ. The schema should preserve counts and conflict instead of selecting one winner during ingestion.&lt;/p&gt;
&lt;p&gt;Cisco Mercury's public &lt;a href="https://github.com/cisco/mercury/blob/main/doc/resources.md"&gt;resource schema&lt;/a&gt; points in this direction: fingerprint entries contain candidate processes, observation counts, operating systems and destinations. The production database is private, but the many-to-many model is the right starting point.&lt;/p&gt;
&lt;h2&gt;Describe how ground truth was produced&lt;/h2&gt;
&lt;p&gt;Use a controlled vocabulary for evidence sources:&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre&gt;&lt;span&gt;&lt;/span&gt;&lt;code&gt;controlled_capture
endpoint_process_join
malware_sandbox
reviewed_pcap
active_probe_match
passive_observation
community_submission
derived_from_external_database
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;

&lt;p&gt;Each type needs its own metadata. An endpoint join should record the join window and ambiguity rules. A controlled capture should name the client build, operating system and generation script. A malware sandbox label should identify the sample and distinguish the sandbox process from the malware process. A community submission should identify what a reviewer actually checked.&lt;/p&gt;
&lt;p&gt;Derived labels should never masquerade as independent evidence. If a mapping was imported from an older JA3 list, cite that row and keep its original uncertainty.&lt;/p&gt;
&lt;h2&gt;Separate prevalence from classification&lt;/h2&gt;
&lt;p&gt;Prevalence belongs in observation aggregates:&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre&gt;&lt;span&gt;&lt;/span&gt;&lt;code&gt;&lt;span class="p"&gt;{&lt;/span&gt;
&lt;span class="w"&gt;  &lt;/span&gt;&lt;span class="nt"&gt;&amp;quot;source&amp;quot;&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="s2"&gt;&amp;quot;university-vantage-a&amp;quot;&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;
&lt;span class="w"&gt;  &lt;/span&gt;&lt;span class="nt"&gt;&amp;quot;first_seen&amp;quot;&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="s2"&gt;&amp;quot;...&amp;quot;&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;
&lt;span class="w"&gt;  &lt;/span&gt;&lt;span class="nt"&gt;&amp;quot;last_seen&amp;quot;&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="s2"&gt;&amp;quot;...&amp;quot;&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;
&lt;span class="w"&gt;  &lt;/span&gt;&lt;span class="nt"&gt;&amp;quot;count&amp;quot;&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="mi"&gt;184233&lt;/span&gt;
&lt;span class="p"&gt;}&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;

&lt;p&gt;It should not silently increase application-label confidence. A common fingerprint is not necessarily well-labelled; a rare fingerprint is not necessarily suspicious.&lt;/p&gt;
&lt;p&gt;The &lt;a href="https://tlsfingerprint.io/"&gt;TLS Fingerprint Observatory&lt;/a&gt; demonstrates the value of publishing counts even when labels are missing. Its large unlabelled TLS corpus is more useful for prevalence research than a catalogue filled with guesses.&lt;/p&gt;
&lt;h2&gt;Represent threat observations explicitly&lt;/h2&gt;
&lt;p&gt;A malware feed should attach an observation, not overwrite the fingerprint's identity:&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre&gt;&lt;span&gt;&lt;/span&gt;&lt;code&gt;&lt;span class="p"&gt;{&lt;/span&gt;
&lt;span class="w"&gt;  &lt;/span&gt;&lt;span class="nt"&gt;&amp;quot;type&amp;quot;&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="s2"&gt;&amp;quot;malware-sandbox-observation&amp;quot;&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;
&lt;span class="w"&gt;  &lt;/span&gt;&lt;span class="nt"&gt;&amp;quot;family&amp;quot;&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="s2"&gt;&amp;quot;example-family&amp;quot;&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;
&lt;span class="w"&gt;  &lt;/span&gt;&lt;span class="nt"&gt;&amp;quot;sample_sha256&amp;quot;&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="s2"&gt;&amp;quot;...&amp;quot;&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;
&lt;span class="w"&gt;  &lt;/span&gt;&lt;span class="nt"&gt;&amp;quot;observed_at&amp;quot;&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="s2"&gt;&amp;quot;...&amp;quot;&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;
&lt;span class="w"&gt;  &lt;/span&gt;&lt;span class="nt"&gt;&amp;quot;known_good_evaluation&amp;quot;&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="s2"&gt;&amp;quot;not-performed&amp;quot;&lt;/span&gt;
&lt;span class="p"&gt;}&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;

&lt;p&gt;This retains the warning published by sources such as &lt;a href="https://sslbl.abuse.ch/blacklist/"&gt;SSLBL&lt;/a&gt;. It allows a consumer to ask whether a fingerprint was seen in malware without treating every matching benign process as infected.&lt;/p&gt;
&lt;h2&gt;Publish validation sets and negative evidence&lt;/h2&gt;
&lt;p&gt;A useful database should include:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;controlled positive captures;&lt;/li&gt;
&lt;li&gt;known-good observations that share supposedly malicious fingerprints;&lt;/li&gt;
&lt;li&gt;deliberately conflicting labels;&lt;/li&gt;
&lt;li&gt;client upgrades that changed fingerprints;&lt;/li&gt;
&lt;li&gt;malformed and truncated handshakes;&lt;/li&gt;
&lt;li&gt;captures before and after a TLS-terminating proxy;&lt;/li&gt;
&lt;li&gt;implementation conformance cases.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;Negative and conflicting evidence is not database dirt. It tells consumers where a label stops working.&lt;/p&gt;
&lt;h2&gt;Version the data and the interpretation&lt;/h2&gt;
&lt;p&gt;Every release should state:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;schema version;&lt;/li&gt;
&lt;li&gt;database snapshot identifier;&lt;/li&gt;
&lt;li&gt;fingerprint implementation revisions;&lt;/li&gt;
&lt;li&gt;collection time range;&lt;/li&gt;
&lt;li&gt;label additions, removals and merges;&lt;/li&gt;
&lt;li&gt;retired mappings;&lt;/li&gt;
&lt;li&gt;licence changes;&lt;/li&gt;
&lt;li&gt;reproducible validation results.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;Consumers should be able to pin a snapshot and explain which database caused a decision. A live service may remain convenient, but an incident review needs the state that existed when the event was classified.&lt;/p&gt;
&lt;h2&gt;Make licensing part of the schema&lt;/h2&gt;
&lt;p&gt;Fingerprint method, implementation and dataset rights are separate.&lt;/p&gt;
&lt;p&gt;Core JA4 is BSD-licensed. Other JA4+ methods use different FoxIO terms. Nmap's data files use the Nmap Public Source License. A combined historical repository may contain rows imported under different licences. An API may permit lookup but prohibit bulk redistribution.&lt;/p&gt;
&lt;p&gt;Store a licence or source-rights reference for each imported dataset and, where necessary, each record. If the rights are unclear, publish a pointer and transformation recipe rather than republishing the row.&lt;/p&gt;
&lt;h2&gt;Provide a confidence model that can be audited&lt;/h2&gt;
&lt;p&gt;A score without calibration is decoration. For each label type, document:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;what the score estimates;&lt;/li&gt;
&lt;li&gt;the labelled validation set;&lt;/li&gt;
&lt;li&gt;true-positive and false-positive definitions;&lt;/li&gt;
&lt;li&gt;treatment of unseen applications;&lt;/li&gt;
&lt;li&gt;time and environment holdouts;&lt;/li&gt;
&lt;li&gt;how conflicts and stale observations affect the score.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;Where calibration is unavailable, use review states such as &lt;code&gt;submitted&lt;/code&gt;, &lt;code&gt;reproduced&lt;/code&gt;, &lt;code&gt;reviewed&lt;/code&gt; and &lt;code&gt;contested&lt;/code&gt; instead of inventing numeric precision.&lt;/p&gt;
&lt;h2&gt;The minimum viable open record&lt;/h2&gt;
&lt;p&gt;If full packet evidence cannot be published, a useful minimum is:&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre&gt;&lt;span&gt;&lt;/span&gt;&lt;code&gt;method and rule version
implementation revision
compact and raw fingerprint
candidate label, including version/platform
ground-truth method
capture position
first and last seen
observation count
confidence or review state
evidence reference
licence
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;

&lt;p&gt;That is more expensive than a CSV containing &lt;code&gt;hash,name&lt;/code&gt;. It is also what makes the mapping useful outside the environment and assumptions of its original collector.&lt;/p&gt;
&lt;p&gt;The public ecosystem already contains most of the parts: JA4DB's cross-method model, the TLS observatory's prevalence data, Mercury's candidate-process and destination schema, FingerprinTLS's retained ClientHello fields, and executable fixtures in matcher projects such as Rapid7 Recog. The missing step is to combine those strengths without erasing provenance.&lt;/p&gt;
&lt;p&gt;For the current resource landscape, see &lt;a href="/learning/fingerprinting/public-network-fingerprint-databases/"&gt;Public Network Fingerprint Databases and What They Cover&lt;/a&gt;. For the import checklist, see &lt;a href="/learning/fingerprinting/how-to-evaluate-a-fingerprint-database/"&gt;How to Evaluate a Network Fingerprint Database&lt;/a&gt;.&lt;/p&gt;</content><category term="Security"></category><category term="Network Fingerprinting"></category><category term="TLS Fingerprinting"></category><category term="JA4"></category><category term="Cisco Mercury"></category><category term="Security Research"></category></entry><entry><title>Public Fingerprint Databases Are Not Ground Truth</title><link href="https://www.peakhour.io/blog/public-fingerprint-databases-are-not-ground-truth/" rel="alternate"></link><published>2026-08-30T09:00:00+10:00</published><updated>2026-08-30T09:00:00+10:00</updated><author><name>AC</name></author><id>tag:www.peakhour.io,2026-08-30:/blog/public-fingerprint-databases-are-not-ground-truth/</id><summary type="html">&lt;p&gt;We reviewed the main public fingerprint resources. The formats are open, but current application labels and auditable ground truth remain scarce.&lt;/p&gt;</summary><content type="html">&lt;p&gt;Network fingerprint formats are public. Reliable labels are not.&lt;/p&gt;
&lt;p&gt;We reviewed the main public JA3, JA4, TLS, TCP, HTTP, SSH, JARM, DHCP, operating-system and service-fingerprint resources. The result was not one large ecosystem of interchangeable databases. It was a set of much narrower things: small mapping samples, old signature lists, active-probe rules, malware feeds, account services and a large observatory whose TLS records are almost entirely unlabelled.&lt;/p&gt;
&lt;p&gt;That is not a criticism of the maintainers. It is a warning about what happens after a fingerprint field reaches a dashboard. A precise-looking value invites a precise-looking name. The evidence behind that name may be a controlled capture, a best guess from 2018, a community submission or a malware sandbox observation that was never compared with benign traffic.&lt;/p&gt;
&lt;p&gt;Those labels should not produce the same decision.&lt;/p&gt;
&lt;h2&gt;The largest public TLS database has almost no TLS labels&lt;/h2&gt;
&lt;p&gt;The relaunched &lt;a href="https://tlsfingerprint.io/"&gt;TLS Fingerprint Observatory&lt;/a&gt; is an unusually valuable public resource. It exposes more than a million distinct TLS fingerprints and billions of passive observations from the University of Colorado Boulder and Merit Network. Records can include first and last seen, counts by source, cipher suites, extensions, groups, signature algorithms, ALPN and other parsed fields.&lt;/p&gt;
&lt;p&gt;At the time of our review, essentially none of the TLS fingerprints had implementation labels.&lt;/p&gt;
&lt;p&gt;That fact makes the observatory more credible, not less. The collection can answer prevalence and protocol-evolution questions without pretending it knows which application created every handshake. Its smaller QUIC corpus has several hundred controlled labels, often tied to generated capture files.&lt;/p&gt;
&lt;p&gt;The limitation is equally clear. A prevalence database cannot become a browser or malware classifier merely because its records are detailed. The labels require another source of truth.&lt;/p&gt;
&lt;h2&gt;The public JA4 database is a sample, not JA4DB&lt;/h2&gt;
&lt;p&gt;FoxIO maintains &lt;a href="https://ja4db.foxio.io/"&gt;JA4DB&lt;/a&gt;, a hosted service covering several JA4-family methods, applications and detection guidance. It is the closest current service to a multi-surface mapping database.&lt;/p&gt;
&lt;p&gt;The public file most people can inspect is different. FoxIO's &lt;a href="https://github.com/FoxIO-LLC/ja4/blob/main/ja4plus-mapping.csv"&gt;&lt;code&gt;ja4plus-mapping.csv&lt;/code&gt;&lt;/a&gt; contains 66 data rows. Only 35 carry a core JA4 value; the other JA4+ columns are sparser.&lt;/p&gt;
&lt;p&gt;That file is useful documentation. It shows how an application, library, device, operating system and several network observations can sit in one row. It is not broad enough to serve as a general browser, bot or malware catalogue.&lt;/p&gt;
&lt;p&gt;The hosted service is now account-oriented. Its bulk-data licence and per-record provenance are not publicly clear enough to call it an open database. Core JA4's BSD licence does not automatically cover the hosted labels, and it does not cover all other JA4+ methods under the same terms.&lt;/p&gt;
&lt;h2&gt;The open JA3 mappings are mostly historical&lt;/h2&gt;
&lt;p&gt;Salesforce's archived &lt;a href="https://github.com/salesforce/ja3/tree/master/lists"&gt;JA3 lists&lt;/a&gt; contain roughly 159 application mappings for macOS and Linux. The repository describes them as example or best-guess material. They have no per-row capture date, client version, source PCAP or confidence.&lt;/p&gt;
&lt;p&gt;Trisul's &lt;a href="https://github.com/trisulnsm/ja3prints"&gt;ja3prints&lt;/a&gt; is larger: 626 JSONL mappings assembled from Salesforce examples, malware-traffic-analysis captures, FingerprinTLS and browser additions. Its last update was in 2018, and the combined dataset does not have a clear repository-wide licence.&lt;/p&gt;
&lt;p&gt;The historical &lt;a href="https://github.com/LeeBrotherston/tls-fingerprinting"&gt;FingerprinTLS&lt;/a&gt; database preserves richer ClientHello fields than JA3, which makes it valuable for research. It is now archived, and many records lack consistent capture dates, operating-system evidence and confidence.&lt;/p&gt;
&lt;p&gt;These sources still matter. They document the lineage and can help with an older incident. They should not silently become current application ground truth.&lt;/p&gt;
&lt;h2&gt;Rules are not observations&lt;/h2&gt;
&lt;p&gt;Some of the strongest public databases are actually matcher corpora.&lt;/p&gt;
&lt;p&gt;&lt;a href="https://github.com/nmap/nmap/blob/master/nmap-os-db"&gt;Nmap's OS database&lt;/a&gt; contains actively maintained probe-response signatures. &lt;a href="https://github.com/nmap/nmap/blob/master/nmap-service-probes"&gt;Nmap service probes&lt;/a&gt; combine test payloads with regular expressions that extract products and versions. &lt;a href="https://github.com/rapid7/recog"&gt;Rapid7 Recog&lt;/a&gt; maintains XML signatures for SSH, HTTP, SNMP, favicons, JARM and other surfaces. p0f's &lt;code&gt;p0f.fp&lt;/code&gt; contains passive TCP and HTTP traits, although its upstream corpus is now dated.&lt;/p&gt;
&lt;p&gt;These resources can be excellent at their stated job. A rule match means that a response satisfied the signature. It does not establish population prevalence, exclusivity or a particular process behind the connection.&lt;/p&gt;
&lt;p&gt;Flattening a matcher result into the same table as an observed application mapping discards that distinction.&lt;/p&gt;
&lt;h2&gt;Malware observation is not malware identity&lt;/h2&gt;
&lt;p&gt;SSLBL publishes a &lt;a href="https://sslbl.abuse.ch/blacklist/"&gt;JA3 blacklist&lt;/a&gt; under CC0. It records fingerprints observed while analysing more than 25 million malware PCAPs and offers both CSV and Suricata rules.&lt;/p&gt;
&lt;p&gt;SSLBL also says the values were not tested against known-good traffic and may cause substantial false positives.&lt;/p&gt;
&lt;p&gt;That warning is part of the data. A row supports this statement:&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre&gt;&lt;span&gt;&lt;/span&gt;&lt;code&gt;malware samples assigned this family label produced this JA3
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;

&lt;p&gt;It does not support this statement:&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre&gt;&lt;span&gt;&lt;/span&gt;&lt;code&gt;every connection with this JA3 is that malware
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;

&lt;p&gt;Shared libraries make the second statement unsafe. Cisco's &lt;a href="https://arxiv.org/abs/2009.01939"&gt;destination-context research&lt;/a&gt; examined public malware JA3 indicators and found that many were more strongly associated with benign processes in its enterprise observations.&lt;/p&gt;
&lt;p&gt;VirusTotal's behavioural pivots have the same boundary. Files sharing a JA4 may be related malware, come from one developer or merely use the same TLS library. The pivot begins an investigation; it does not finish one.&lt;/p&gt;
&lt;h2&gt;Mercury publishes the schema, not the labels&lt;/h2&gt;
&lt;p&gt;Cisco Mercury offers one of the clearest public designs for a fingerprint knowledge base. Its &lt;a href="https://github.com/cisco/mercury/blob/main/doc/resources.md"&gt;resource documentation&lt;/a&gt; describes mappings from fingerprints to candidate processes, process counts, operating-system observations and destinations. The classifier can use destination address, port and server name to rank those candidates.&lt;/p&gt;
&lt;p&gt;The current Cisco-labelled resource database is not in the public repository.&lt;/p&gt;
&lt;p&gt;This is an honest architectural boundary. The NPF format, collector and database contract are inspectable. The production labels depend on continuously collected endpoint, network and malware-analysis data that Cisco does not publish as an open corpus.&lt;/p&gt;
&lt;h2&gt;What is actually missing&lt;/h2&gt;
&lt;p&gt;The public ecosystem does not mainly need another hash list. It needs evidence attached to each mapping:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;the raw or reversible fingerprint;&lt;/li&gt;
&lt;li&gt;the method and implementation version;&lt;/li&gt;
&lt;li&gt;an independent label source;&lt;/li&gt;
&lt;li&gt;capture position and environment;&lt;/li&gt;
&lt;li&gt;first and last seen;&lt;/li&gt;
&lt;li&gt;observation count;&lt;/li&gt;
&lt;li&gt;competing labels;&lt;/li&gt;
&lt;li&gt;confidence and review state;&lt;/li&gt;
&lt;li&gt;a usable dataset licence.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;Almost none of the public resources supplies all of these. Some optimise for scale, some for current labels, some for inspectability and some for rules that can run in an existing scanner.&lt;/p&gt;
&lt;p&gt;The practical response is to preserve those categories. Use an observatory for prevalence, a matcher corpus for response signatures, a threat feed for malware observations, and a mapping database for candidate labels. Then validate the result against local evidence before it reaches enforcement.&lt;/p&gt;
&lt;p&gt;The full directory is in &lt;a href="/learning/fingerprinting/public-network-fingerprint-databases/"&gt;Public Network Fingerprint Databases and What They Cover&lt;/a&gt;. The evaluation checklist is in &lt;a href="/learning/fingerprinting/how-to-evaluate-a-fingerprint-database/"&gt;How to Evaluate a Network Fingerprint Database&lt;/a&gt;.&lt;/p&gt;</content><category term="Security"></category><category term="Network Fingerprinting"></category><category term="TLS Fingerprinting"></category><category term="JA3"></category><category term="JA4"></category><category term="Threat Intelligence"></category></entry><entry><title>Using Network Fingerprints in Bot and Rate-Limit Decisions</title><link href="https://www.peakhour.io/blog/using-network-fingerprints-in-bot-and-rate-limit-decisions/" rel="alternate"></link><published>2026-08-23T09:00:00+10:00</published><updated>2026-08-23T09:00:00+10:00</updated><author><name>AC</name></author><id>tag:www.peakhour.io,2026-08-23:/blog/using-network-fingerprints-in-bot-and-rate-limit-decisions/</id><summary type="html">&lt;p&gt;A practical way to use network fingerprints for bot and rate-limit decisions without mistaking a shared client cohort for identity.&lt;/p&gt;</summary><content type="html">&lt;p&gt;A network fingerprint is a useful rate-limit key. It is a poor verdict.&lt;/p&gt;
&lt;p&gt;That sounds like a small distinction, but it changes how a control behaves. A limit keyed only by source IP can miss a distributed scraper moving through thousands of addresses. Add a TLS or HTTP fingerprint and the requests may fall into a recognisable cohort. The operator can count and compare them even while the IPs rotate.&lt;/p&gt;
&lt;p&gt;The same key can also group thousands of ordinary users running the same browser release. If the control reads “this fingerprint is a bot” and blocks it everywhere, the grouping feature has become a false-positive multiplier.&lt;/p&gt;
&lt;p&gt;The practical job is to use the fingerprint where grouping helps, then make the decision from the route, behaviour and consequence. This article sets out one way to do that.&lt;/p&gt;
&lt;h2&gt;Start with the route, not the fingerprint&lt;/h2&gt;
&lt;p&gt;A request for a cached image and a request to submit a password do not deserve the same policy. Neither do a search request and an export that starts an expensive database job.&lt;/p&gt;
&lt;p&gt;Before adding fingerprint data, classify the routes that matter:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;what the request can change or disclose;&lt;/li&gt;
&lt;li&gt;whether it consumes scarce application or origin capacity;&lt;/li&gt;
&lt;li&gt;whether a legitimate user can retry safely;&lt;/li&gt;
&lt;li&gt;whether the client can complete a challenge;&lt;/li&gt;
&lt;li&gt;which identity is available, such as an account, session, API key or no identity at all;&lt;/li&gt;
&lt;li&gt;what an incorrect block would cost.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;This route map sets the response. An unfamiliar cohort fetching public content might only be worth observing. The same cohort attempting passwords across many accounts may justify a tight shared limit. A fingerprint mismatch on an authenticated payment action may call for step-up verification rather than a network block.&lt;/p&gt;
&lt;p&gt;Route sensitivity also prevents a common emergency mistake: applying a site-wide rule because an attack was visible on one endpoint. Narrow rules are easier to explain, test and remove.&lt;/p&gt;
&lt;h2&gt;Use the fingerprint as a cohort key&lt;/h2&gt;
&lt;p&gt;JA3, JA4 and Cisco Mercury do not identify a person or device. Each method selects and normalises protocol fields, then groups connections that look equivalent under those rules. Our &lt;a href="/blog/one-clienthello-ja3-ja4-mercury-lab/"&gt;same-ClientHello lab&lt;/a&gt; shows how three methods produce three different representations from one handshake.&lt;/p&gt;
&lt;p&gt;That makes the fingerprint useful for questions such as:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;Are login failures arriving from many IP addresses but one narrow set of client stacks?&lt;/li&gt;
&lt;li&gt;Did an expensive API route suddenly attract a new protocol cohort?&lt;/li&gt;
&lt;li&gt;Does traffic claiming to be a browser have a consistent TLS, HTTP and header shape?&lt;/li&gt;
&lt;li&gt;Did a cohort disappear after an abusive tool changed version, or did the fingerprinting rules change underneath us?&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;The key should be composite. A workable rate counter might resemble:&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre&gt;&lt;span&gt;&lt;/span&gt;&lt;code&gt;route_class + fingerprint_method + fingerprint_version + fingerprint_value
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;

&lt;p&gt;Depending on the abuse case, add an account, tenant, API credential, ASN or country. Do not throw every field into every key. An over-specific key divides a distributed campaign into buckets too small to see; an over-broad key combines unrelated users.&lt;/p&gt;
&lt;p&gt;Run a few candidate keys in observation mode and measure their bucket sizes. Look at both tails. A key that places half the site's users in one bucket is too blunt for direct enforcement, however suspicious that bucket looked during one incident.&lt;/p&gt;
&lt;h2&gt;Record where the value came from&lt;/h2&gt;
&lt;p&gt;Fingerprint provenance is operational data, not documentation trivia.&lt;/p&gt;
&lt;p&gt;At an origin behind a CDN or reverse proxy, the visible TLS connection may belong to that intermediary. A fingerprint forwarded in a header might describe the original client-facing connection, or it might describe a later hop. The receiving service cannot tell from the hash alone.&lt;/p&gt;
&lt;p&gt;For each event, keep at least:&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre&gt;&lt;span&gt;&lt;/span&gt;&lt;code&gt;method:       ja4
version:      pinned implementation or rule version
value:        t13d..._..._...
capture:      client-facing edge
source:       named collector or trusted forwarding hop
observed_at:  timestamp
policy:       policy identifier and revision
action:       observe, challenge, rate-limit or block
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;

&lt;p&gt;Where the format permits it, retaining the selected raw fields or unhashed representation makes later comparison much easier. Cisco Mercury's full Network Protocol Fingerprint is structured and versioned; its optional hash is a compact nickname that discards that structure. JA4 publishes both a canonical hashed form and a raw &lt;code&gt;JA4_r&lt;/code&gt; form. The details are in the &lt;a href="https://github.com/cisco/mercury/blob/main/doc/npf.md"&gt;Mercury NPF specification&lt;/a&gt; and &lt;a href="https://github.com/FoxIO-LLC/ja4/blob/main/technical_details/JA4.md"&gt;JA4 technical specification&lt;/a&gt;.&lt;/p&gt;
&lt;p&gt;Trust the forwarding path as deliberately as any other security metadata. Strip client-supplied copies at the boundary, set the authoritative value there, and record the hop that produced it. Otherwise an attacker may be able to choose the value used by the policy.&lt;/p&gt;
&lt;h2&gt;Use an action ladder&lt;/h2&gt;
&lt;p&gt;Bot controls work better with space between “allow” and “block”. A simple ladder is observe, challenge, rate limit, then block. It is not a mandatory sequence for every request; it is a way to match disruption to confidence.&lt;/p&gt;
&lt;h3&gt;Observe&lt;/h3&gt;
&lt;p&gt;Observation is the right first action for a new cohort, a changed implementation or a weak hypothesis. Record volume, routes, account outcomes, response codes, request cost and how the cohort overlaps with known legitimate clients.&lt;/p&gt;
&lt;p&gt;Set an end date before starting. “Log this for seven days and review on Monday” produces a decision. “Log this” often produces another permanent stream nobody owns.&lt;/p&gt;
&lt;h3&gt;Challenge&lt;/h3&gt;
&lt;p&gt;A challenge asks the client for more evidence. It can separate some interactive browsers from simple automation, but it is not a universal test of humanity. Browser automation can complete challenges; privacy software, accessibility tools and broken JavaScript can make legitimate users fail them.&lt;/p&gt;
&lt;p&gt;Use challenges where the client can reasonably complete one and where failure has a safe recovery path. They are a poor fit for machine-to-machine APIs unless the protocol already defines an authentication or proof step.&lt;/p&gt;
&lt;h3&gt;Rate limit&lt;/h3&gt;
&lt;p&gt;Rate limiting fits repeated or costly behaviour. Count a cohort against the route it is affecting, then layer in the identities that make sense for that route. For example:&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre&gt;&lt;span&gt;&lt;/span&gt;&lt;code&gt;login:  fingerprint + account + failed outcome
search: fingerprint + route + request cost
API:    fingerprint + tenant or credential + operation
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;

&lt;p&gt;A limit should say what it protects. Requests per minute is sometimes enough. Expensive operations may need a cost-weighted budget. Login protection may count failed attempts while allowing successful account recovery to proceed. Distributed abuse may need a cohort-wide ceiling plus per-account and per-IP limits so that no single key carries the whole policy.&lt;/p&gt;
&lt;p&gt;Return an explicit response and keep the retry behaviour predictable. The HTTP &lt;code&gt;429 Too Many Requests&lt;/code&gt; status was defined for rate limiting in &lt;a href="https://www.rfc-editor.org/rfc/rfc6585.html#section-4"&gt;RFC 6585&lt;/a&gt;, including the option to send &lt;code&gt;Retry-After&lt;/code&gt;. Clients still need sensible backoff, and operators need to watch whether retries are making origin pressure worse.&lt;/p&gt;
&lt;h3&gt;Block&lt;/h3&gt;
&lt;p&gt;Block when the evidence is strong, the harm is current, and a less disruptive action cannot protect the route. Good candidates include a confirmed exploit tool hitting the vulnerable route, a cohort causing active availability loss, or repeated abuse that has failed narrower controls.&lt;/p&gt;
&lt;p&gt;Keep the scope bounded: fingerprint method and version, affected route, relevant behaviour, start time, owner and expiry. A bare fingerprint deny-list with no incident context is hard to audit and tends to outlive its evidence.&lt;/p&gt;
&lt;p&gt;For a broader mapping of actions to evidence, see &lt;a href="/learning/fingerprinting/network-fingerprint-signals-and-security-decisions/"&gt;Network Fingerprint Signals and Security Decisions&lt;/a&gt; and &lt;a href="/learning/fingerprinting/network-fingerprinting-for-rate-limiting/"&gt;Network Fingerprinting for Rate Limiting&lt;/a&gt;.&lt;/p&gt;
&lt;h2&gt;Combine evidence before increasing friction&lt;/h2&gt;
&lt;p&gt;The most useful policy does not ask whether a fingerprint is good or bad. It asks whether several observations agree.&lt;/p&gt;
&lt;p&gt;Consider a login campaign. The source addresses rotate through residential networks. The TLS cohort is common because the tool drives a real browser. The fingerprint alone is weak. But the same traffic may attempt many accounts, reuse a route sequence, fail at a high rate, omit normal session history and arrive at a cadence unlike ordinary users. Together those observations justify a shared limit or challenge.&lt;/p&gt;
&lt;p&gt;Now reverse the example. A rare TLS cohort signs in successfully to one account from its usual region, follows a normal route sequence and maintains an established session. Rarity does not add much. Blocking it would mostly punish an unusual client.&lt;/p&gt;
&lt;p&gt;This is also the line between a format and a detection system. JA4 defines a fingerprint. Mercury defines fingerprint representations and includes separate analysis components. Any claim such as “this is Chrome”, “this is a scraper” or “this is malicious” comes from surrounding data and inference, not from the fingerprint characters themselves. &lt;a href="/blog/fingerprint-is-a-cohort-not-a-client/"&gt;A Network Fingerprint Is a Cohort, Not a Client&lt;/a&gt; explains that boundary in more detail. &lt;a href="/blog/fingerprints-are-evidence-not-identity/"&gt;Fingerprints Are Evidence, Not Identity&lt;/a&gt; covers the same problem across browser, network and behavioural fingerprints.&lt;/p&gt;
&lt;h2&gt;Expect versions and populations to drift&lt;/h2&gt;
&lt;p&gt;Browsers ship, TLS libraries change defaults, mobile applications update unevenly and attack tools copy popular handshakes. Fingerprint implementations also change their parsing rules. Store the method and implementation version so client drift can be separated from detector drift.&lt;/p&gt;
&lt;p&gt;Before changing an implementation, calculate old and new values side by side on a sample. Compare cohort sizes and known-good traffic by route. A partner API, mobile application and public website have different expected populations; a global label may be irrelevant to the local control.&lt;/p&gt;
&lt;h2&gt;Put expiry and rollback in the policy&lt;/h2&gt;
&lt;p&gt;Every enforcement rule needs an owner, reason, expiry and removal condition. Before enabling it, record request volume, successful transactions, challenges, &lt;code&gt;429&lt;/code&gt; responses and origin health. Compare the same measures afterwards. A falling attack rate is not success if legitimate completion falls with it.&lt;/p&gt;
&lt;p&gt;When a false positive appears, retain the fingerprint version, capture point, contributing evidence, route, identity, policy revision and rollback result. That record shows whether to change a threshold, split a route class, add an exception, demote the action or remove the fingerprint from the key.&lt;/p&gt;
&lt;h2&gt;A deployable first policy&lt;/h2&gt;
&lt;p&gt;For a first production use, choose one abused route. Generate a versioned fingerprint at a trusted capture point, log it beside the route and outcome, and observe cohort sizes long enough to include normal variation. Then choose one reversible action with success measures, rollback and an expiry.&lt;/p&gt;
&lt;p&gt;The fingerprint has done its job when it helps a team see and control a group of requests that an IP-only rule would miss. It has exceeded its job when the group is treated as proof of a client, person or intent.&lt;/p&gt;</content><category term="Security"></category><category term="Network Fingerprinting"></category><category term="TLS Fingerprinting"></category><category term="JA4"></category><category term="Bot Management"></category><category term="Rate Limiting"></category></entry><entry><title>Does TLS Fingerprint Canonicalisation Hide Attacker Variation? How to Test It</title><link href="https://www.peakhour.io/blog/tls-fingerprint-canonicalisation-attacker-variation/" rel="alternate"></link><published>2026-08-16T09:00:00+10:00</published><updated>2026-08-16T09:00:00+10:00</updated><author><name>AC</name></author><id>tag:www.peakhour.io,2026-08-16:/blog/tls-fingerprint-canonicalisation-attacker-variation/</id><summary type="html">&lt;p&gt;Sorting makes TLS fingerprints more stable, but it also removes ordering evidence. Here is how to test whether the discarded variation matters.&lt;/p&gt;</summary><content type="html">&lt;p&gt;Canonicalisation solves a real problem in TLS fingerprinting. If two ClientHello messages differ only because a client shuffled its extensions, treating them as unrelated fingerprints creates noise. Sorting those extensions puts the messages back into one cohort.&lt;/p&gt;
&lt;p&gt;It also destroys the original order.&lt;/p&gt;
&lt;p&gt;That is not automatically a mistake. A fingerprint is useful partly because it ignores variation that does not help with the job at hand. The unanswered question is whether some of the discarded variation separates ordinary client behaviour from automation, scanners or deliberate evasion.&lt;/p&gt;
&lt;p&gt;Our &lt;a href="/blog/one-clienthello-ja3-ja4-mercury-lab/"&gt;one-ClientHello lab&lt;/a&gt; cannot answer that. It proves that three pinned implementations produce recorded representations from the same bytes. It says nothing about a population of clients or attackers. Answering the canonicalisation question needs a corpus and a labelled experiment.&lt;/p&gt;
&lt;h2&gt;What gets collapsed?&lt;/h2&gt;
&lt;p&gt;JA3 removes GREASE values but otherwise preserves the order of the selected cipher, extension, supported-group and point-format lists. Change one of those ordered inputs and the MD5 digest changes.&lt;/p&gt;
&lt;p&gt;JA4 deliberately defines a broader equivalence class. Its canonical &lt;code&gt;b&lt;/code&gt; section hashes sorted cipher identifiers. Its &lt;code&gt;c&lt;/code&gt; section hashes sorted extension identifiers followed by signature algorithms in their advertised order. SNI and ALPN extension codes are omitted from that list because related information is represented in the readable &lt;code&gt;a&lt;/code&gt; section. FoxIO's &lt;a href="https://github.com/FoxIO-LLC/ja4/blob/main/technical_details/JA4.md"&gt;JA4 specification&lt;/a&gt; documents those choices.&lt;/p&gt;
&lt;p&gt;Cisco Mercury makes the rule version visible. In the current &lt;a href="https://github.com/cisco/mercury/blob/main/doc/npf.md"&gt;draft NPF specification&lt;/a&gt;, the older unversioned TLS format retains extension order, &lt;code&gt;tls/1&lt;/code&gt; sorts all represented extensions, and &lt;code&gt;tls/2&lt;/code&gt; sorts selected extensions while applying more specific inclusion and normalisation rules.&lt;/p&gt;
&lt;p&gt;These methods do not merely encode the same fingerprint differently. They define different ideas of “the same”.&lt;/p&gt;
&lt;h2&gt;Why Chrome forced the issue&lt;/h2&gt;
&lt;p&gt;Chrome's extension permutation rollout showed why order-sensitive identifiers can become operationally brittle. Peakhour's &lt;a href="/blog/tls-extension-randomisation/"&gt;2023 analysis&lt;/a&gt; recorded a sharp rise in unique order-sensitive signatures after the change. The browser family had not suddenly split into thousands of independent TLS implementations. Much of the new variation came from ordering.&lt;/p&gt;
&lt;p&gt;Sorting is an effective response if the goal is to recover the implementation cohort. It is also consistent with &lt;a href="https://chromestatus.com/feature/5124606246518784"&gt;Chrome's stated reason for making the change&lt;/a&gt;: servers and middleboxes should not depend on one fixed extension order.&lt;/p&gt;
&lt;p&gt;But an analyst may have another question. Does a tool permute extensions using the same mechanism and constraints as the browser it imitates? Does a scanner generate an ordering distribution that differs from Chrome's? Does malware preserve the static order supplied by its TLS library while claiming a Chrome user agent?&lt;/p&gt;
&lt;p&gt;A canonical JA4 can group those handshakes even when their ordering behaviour differs. That is expected. JA4 answered the cohort question, not every possible behavioural question.&lt;/p&gt;
&lt;h2&gt;The wrong experiment&lt;/h2&gt;
&lt;p&gt;Counting how many unique raw fingerprints map to one canonical fingerprint is a useful descriptive statistic. It is not, by itself, evidence that canonicalisation weakened detection.&lt;/p&gt;
&lt;p&gt;A common browser with extension permutation should produce many raw orders. A large raw-to-canonical ratio may therefore be evidence of normal deployment scale. Calling every collapsed value a loss of “fidelity” assumes that all variation was useful before the test has measured its relationship with any outcome.&lt;/p&gt;
&lt;p&gt;The reverse shortcut is also wrong. Stable canonical values do not prove that sorting is harmless for every detector. A field can be poor for application identification but useful for distinguishing one implementation path, library version or evasion technique.&lt;/p&gt;
&lt;p&gt;The experiment needs labels and a defined decision.&lt;/p&gt;
&lt;h2&gt;A testable study design&lt;/h2&gt;
&lt;p&gt;We would structure the study around observations, transformations and outcomes.&lt;/p&gt;
&lt;h3&gt;1. Preserve the original ClientHello&lt;/h3&gt;
&lt;p&gt;Store the permitted raw handshake metadata or a reversible representation alongside derived identifiers. Record:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;capture point and TLS termination path;&lt;/li&gt;
&lt;li&gt;sensor implementation and revision;&lt;/li&gt;
&lt;li&gt;timestamp and software-release period;&lt;/li&gt;
&lt;li&gt;JA3 source string and digest;&lt;/li&gt;
&lt;li&gt;JA4, &lt;code&gt;JA4_r&lt;/code&gt;, &lt;code&gt;JA4_o&lt;/code&gt; and &lt;code&gt;JA4_ro&lt;/code&gt; where the implementation provides them;&lt;/li&gt;
&lt;li&gt;a full, versioned Mercury NPF string;&lt;/li&gt;
&lt;li&gt;HTTP and browser claims kept separate from the TLS representation.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;Without the raw or reversible material, a later study cannot recover the ordering that canonicalisation removed.&lt;/p&gt;
&lt;h3&gt;2. Define labels that do not come from the fingerprint&lt;/h3&gt;
&lt;p&gt;Labels need an independent source. Depending on the environment, that could include controlled browser runs, endpoint process telemetry, sandbox execution, signed test clients or reviewed incident cases.&lt;/p&gt;
&lt;p&gt;Do not label traffic as Chrome because its JA4 resembles Chrome and then report that JA4 identifies Chrome. That is circular evaluation.&lt;/p&gt;
&lt;p&gt;Cisco's destination-context research used joined endpoint and network observations to build process labels. The paper also discusses how sandbox and environment choices affect the resulting knowledge base. &lt;a href="https://arxiv.org/abs/2009.01939"&gt;Accurate TLS Fingerprinting Using Destination Context and Knowledge Bases&lt;/a&gt; is useful here because it treats ground truth as a system component rather than a list of famous hashes.&lt;/p&gt;
&lt;h3&gt;3. Compare representations at the same grouping level&lt;/h3&gt;
&lt;p&gt;Measure at least:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;raw ordered representation;&lt;/li&gt;
&lt;li&gt;canonical JA4;&lt;/li&gt;
&lt;li&gt;useful JA4 component combinations such as &lt;code&gt;JA4_ac&lt;/code&gt;;&lt;/li&gt;
&lt;li&gt;Mercury rule versions that preserve or sort different structures;&lt;/li&gt;
&lt;li&gt;raw ordering features added beside the canonical value.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;The comparison should use the same captures, time split and labels. Otherwise a newer fingerprint method can appear better simply because it was evaluated on newer or cleaner data.&lt;/p&gt;
&lt;h3&gt;4. Use time and environment holdouts&lt;/h3&gt;
&lt;p&gt;Randomly splitting individual connections leaks near-duplicates between training and test data. Prefer a forward time split and, where possible, a separate network or capture environment.&lt;/p&gt;
&lt;p&gt;That exposes two operational questions: does the result survive a browser or library update, and does it survive outside the environment where the labels were collected?&lt;/p&gt;
&lt;h3&gt;5. Measure decisions, not just uniqueness&lt;/h3&gt;
&lt;p&gt;Useful measurements include:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;collision and fragmentation rates by independently labelled client;&lt;/li&gt;
&lt;li&gt;precision and recall for a stated classification or detection task;&lt;/li&gt;
&lt;li&gt;false-positive rates on high-volume legitimate cohorts;&lt;/li&gt;
&lt;li&gt;stability across software releases;&lt;/li&gt;
&lt;li&gt;the incremental value of raw order after canonical identifiers and context are already present;&lt;/li&gt;
&lt;li&gt;review volume at an actual alert or policy threshold.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;If adding original order improves a classifier by a tiny amount but creates millions of unstable keys, the operational cost may outweigh the gain. If it separates a specific impersonation technique with few false positives, keeping it as a secondary feature may be worthwhile.&lt;/p&gt;
&lt;h2&gt;Keep both when the questions differ&lt;/h2&gt;
&lt;p&gt;The design choice does not have to be raw or canonical.&lt;/p&gt;
&lt;p&gt;A compact canonical identifier is useful for grouping, counters, joins and rules. A raw or reversible representation is useful for investigation, feature research and migration when the canonical rules change. Storage policy can keep the compact value broadly and retain detailed material for a bounded sample, selected security events or an approved research window.&lt;/p&gt;
&lt;p&gt;That split also makes detector claims easier to audit. The rule can say it grouped on JA4 while the event retains enough source material to explain which handshake produced the value.&lt;/p&gt;
&lt;h2&gt;What we can say now&lt;/h2&gt;
&lt;p&gt;Sorting removes ordering information. It reduces fragmentation caused by clients that permute their lists. Both statements follow from the format definitions and can be demonstrated with controlled captures.&lt;/p&gt;
&lt;p&gt;Whether the removed order contains useful attacker variation is an empirical question tied to a dataset, capture point, label source and decision. Until that study is run, the honest position is to preserve the evidence needed to test it and avoid turning either uniqueness or stability into a claim of detection accuracy.&lt;/p&gt;
&lt;p&gt;For the wider format comparison, see &lt;a href="/learning/fingerprinting/mercury-vs-ja4-vs-ja3/"&gt;Mercury vs JA4 vs JA3&lt;/a&gt;. For the identity boundary that applies to every result, read &lt;a href="/blog/fingerprint-is-a-cohort-not-a-client/"&gt;A network fingerprint is a cohort, not a client&lt;/a&gt;.&lt;/p&gt;</content><category term="Security"></category><category term="TLS Fingerprinting"></category><category term="JA4"></category><category term="Cisco Mercury"></category><category term="Network Fingerprinting"></category><category term="Security Research"></category></entry><entry><title>A Network Fingerprint Is a Cohort, Not a Client</title><link href="https://www.peakhour.io/blog/fingerprint-is-a-cohort-not-a-client/" rel="alternate"></link><published>2026-08-09T09:00:00+10:00</published><updated>2026-08-09T09:00:00+10:00</updated><author><name>AC</name></author><id>tag:www.peakhour.io,2026-08-09:/blog/fingerprint-is-a-cohort-not-a-client/</id><summary type="html">&lt;p&gt;TLS fingerprints group similar protocol implementations. They do not prove which application, device or person made a request.&lt;/p&gt;</summary><content type="html">&lt;p&gt;A TLS fingerprint usually tells you that two connections look alike under a particular set of rules. That is useful. It is not the same as showing that they came from the same client.&lt;/p&gt;
&lt;p&gt;The distinction becomes obvious when a common TLS library sits underneath many programs. Those programs can offer the same protocol version, cipher suites, extensions and signature algorithms. A fingerprint built from those fields groups them together even though their purpose, owner and risk are different.&lt;/p&gt;
&lt;p&gt;The reverse also happens. One application can generate several fingerprints after a browser update, operating-system change, feature rollout or configuration difference. A fixed application name does not imply a fixed ClientHello.&lt;/p&gt;
&lt;p&gt;The safest mental model is a cohort: traffic that looks the same after a fingerprint method has selected and normalised its inputs.&lt;/p&gt;
&lt;h2&gt;The method defines the cohort&lt;/h2&gt;
&lt;p&gt;JA3 preserves the order of its selected ClientHello feature lists. Change the order and the MD5 value changes. JA4 sorts selected identifiers before calculating two of its components, so permutations that split a JA3 cohort may remain grouped under JA4.&lt;/p&gt;
&lt;p&gt;Cisco Mercury can preserve more packet-derived structure in its full Network Protocol Fingerprint. Different Mercury rule versions also make different normalisation choices. A &lt;code&gt;tls/2&lt;/code&gt; value is therefore not just a longer spelling of JA4. It is the result of another feature-selection contract.&lt;/p&gt;
&lt;p&gt;This means there is no format-independent "real fingerprint" hiding underneath the tools. Each method answers its own equivalence question: which differences count, and which should be ignored?&lt;/p&gt;
&lt;p&gt;Our &lt;a href="/blog/one-clienthello-ja3-ja4-mercury-lab/"&gt;same-PCAP lab&lt;/a&gt; demonstrates that point without relying on a hypothetical browser. The three tools inspect the same ClientHello and produce representations with different retained detail.&lt;/p&gt;
&lt;h2&gt;Common does not mean safe&lt;/h2&gt;
&lt;p&gt;A popular browser fingerprint will naturally appear in a great deal of legitimate traffic. An attacker can also use a browser, drive one through automation, or imitate its TLS stack. Matching a common browser value therefore says little about intent by itself.&lt;/p&gt;
&lt;p&gt;The opposite shortcut is just as risky. An uncommon fingerprint is not proof of malware. Internal tools, older mobile applications, embedded devices, accessibility software and regional client variants can all be rare in one dataset.&lt;/p&gt;
&lt;p&gt;Rarity is relative to the observation point. A fingerprint that is common across a public content site may be unusual on an administrative API. A value common in one country, network or month may be rare in another.&lt;/p&gt;
&lt;h2&gt;Capture point changes what you see&lt;/h2&gt;
&lt;p&gt;TLS fingerprinting only works where the relevant handshake is visible. At an origin behind a CDN or reverse proxy, the TLS connection may have been terminated and replaced upstream. The origin can then observe the proxy's connection rather than the end user's ClientHello unless the edge explicitly forwards a derived fingerprint.&lt;/p&gt;
&lt;p&gt;That forwarded value also needs provenance. Operators should know which implementation and format version produced it, whether it came from the client-facing connection, and whether middleware transformed or sampled the traffic.&lt;/p&gt;
&lt;p&gt;Without that information, two values that look compatible may have been generated under different rules. Fastly has documented how implementation differences can undermine the portability promised by a shared hash in &lt;a href="https://www.fastly.com/blog/the-state-of-tls-fingerprinting-whats-working-what-isnt-and-whats-next"&gt;The State of TLS Fingerprinting&lt;/a&gt;.&lt;/p&gt;
&lt;h2&gt;Context can improve an inference&lt;/h2&gt;
&lt;p&gt;Cisco's Mercury research is helpful because it does not hide the ambiguity. The 2020 destination-context paper reports that one TLS fingerprint often maps to tens or hundreds of process names. Its classifier adds destination IP address, port and server name, backed by a labelled knowledge base, to rank the possible processes.&lt;/p&gt;
&lt;p&gt;That is stronger than treating a bare fingerprint as an application name. It is still conditional. Change the environment, the age of the knowledge base, the available destination fields or the software population and the probabilities can change. The paper's reported accuracy belongs to its datasets and experimental design, not to every network that runs Mercury.&lt;/p&gt;
&lt;p&gt;JA4 deployments often add context too. A security platform might combine the JA4 value with request rate, geography, path, account state or observations from other customers. Those extra fields are not secretly part of JA4. They are features in the surrounding detection system.&lt;/p&gt;
&lt;h2&gt;Use fingerprints where grouping helps&lt;/h2&gt;
&lt;p&gt;Fingerprints earn their place when grouping similar connections improves an investigation or control. Examples include:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;counting login failures across rotating IP addresses;&lt;/li&gt;
&lt;li&gt;finding a TLS stack that appeared at the start of an incident;&lt;/li&gt;
&lt;li&gt;comparing a claimed browser with HTTP and browser-side evidence;&lt;/li&gt;
&lt;li&gt;monitoring drift after a client or library release;&lt;/li&gt;
&lt;li&gt;selecting traffic for review before writing a narrower rule.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;For the decision and enforcement consequences, see &lt;a href="/blog/fingerprints-are-evidence-not-identity/"&gt;Fingerprints are evidence, not identity&lt;/a&gt;. The protocol-specific conclusion here is narrower: a matching TLS fingerprint places connections in a cohort defined by one method. It cannot tell you, on its own, who is on the other end.&lt;/p&gt;
&lt;p&gt;The practitioner follow-up, &lt;a href="/blog/using-network-fingerprints-in-bot-and-rate-limit-decisions/"&gt;Using network fingerprints in bot and rate-limit decisions&lt;/a&gt;, turns that boundary into a route-scoped policy and rollback model.&lt;/p&gt;</content><category term="Security"></category><category term="TLS Fingerprinting"></category><category term="JA3"></category><category term="JA4"></category><category term="Cisco Mercury"></category><category term="Network Fingerprinting"></category><category term="Bot Management"></category></entry><entry><title>Two Lineages of TLS Fingerprinting: JA3, JA4 and Cisco Mercury</title><link href="https://www.peakhour.io/blog/two-lineages-tls-fingerprinting/" rel="alternate"></link><published>2026-07-26T09:00:00+10:00</published><updated>2026-07-26T09:00:00+10:00</updated><author><name>AC</name></author><id>tag:www.peakhour.io,2026-07-26:/blog/two-lineages-tls-fingerprinting/</id><summary type="html">&lt;p&gt;JA4 did not descend from Cisco Mercury. The two projects come from different strands of TLS fingerprinting research and solve different operational problems.&lt;/p&gt;</summary><content type="html">&lt;p&gt;It is tempting to draw the history of TLS fingerprinting as a single line: JA3, then JA4, with Cisco Mercury somewhere nearby. That version is tidy. It is also wrong.&lt;/p&gt;
&lt;p&gt;Two strands of work developed around the same observation: a TLS ClientHello exposes enough information to say something useful about the software that created it. One strand concentrated on portable identifiers that could be logged and exchanged. The other concentrated on retaining protocol structure and combining it with evidence that could improve classification.&lt;/p&gt;
&lt;p&gt;JA3 and JA4 belong mainly to the first strand. Cisco Mercury belongs mainly to the second. For the technical work that preceded JA3, see &lt;a href="/blog/before-ja3-tls-fingerprinting-history/"&gt;how TLS handshakes became fingerprints&lt;/a&gt;.&lt;/p&gt;
&lt;h2&gt;Before JA3&lt;/h2&gt;
&lt;p&gt;Passive fingerprinting predates TLS. Tools such as p0f identified operating-system characteristics from TCP/IP behaviour without sending probes to the target. Researchers later applied the same instinct to fields exposed during SSL and TLS negotiation.&lt;/p&gt;
&lt;p&gt;In 2009, Ivan Ristić published an &lt;a href="https://blog.ivanristic.com/2009/06/http-client-fingerprinting-using-ssl-handshake-analysis.html"&gt;SSL handshake fingerprinting experiment&lt;/a&gt; that compared ClientHello messages from web clients. Marek Majkowski followed with a &lt;a href="https://idea.popcount.org/2012-06-17-ssl-fingerprinting-for-p0f/"&gt;TLS fingerprinting patch for p0f&lt;/a&gt; in 2012. Lee Brotherston's &lt;a href="https://github.com/LeeBrotherston/tls-fingerprinting"&gt;FingerprinTLS&lt;/a&gt; later provided tools and a database for creating and matching TLS fingerprints.&lt;/p&gt;
&lt;p&gt;Salesforce's JA3 project drew directly on that work. JA3 serialised five ordered ClientHello feature groups, removed GREASE values and calculated an MD5 digest. The result was compact enough to put in a log, share in threat intelligence or match in a rule. The &lt;a href="https://github.com/salesforce/ja3"&gt;archived JA3 repository&lt;/a&gt; documents both the format and its debt to FingerprinTLS.&lt;/p&gt;
&lt;p&gt;JA3's compactness came with a cost. A digest does not explain why two clients differ. Ordered inputs also meant that harmless permutation could produce a different value. Most importantly, a matching digest did not prove that the traffic came from one application. Programs built on a shared TLS library could produce the same ClientHello.&lt;/p&gt;
&lt;h2&gt;The JA4 branch&lt;/h2&gt;
&lt;p&gt;FoxIO introduced JA4 in 2023 after Chrome began permuting TLS extension order. Peakhour saw the practical effect of that change in our &lt;a href="/blog/tls-extension-randomisation/"&gt;Chrome extension-randomisation analysis&lt;/a&gt;: a representation that preserved extension order split one common browser family into a large number of values.&lt;/p&gt;
&lt;p&gt;JA4 canonicalises selected ClientHello features before hashing them. Its &lt;code&gt;a_b_c&lt;/code&gt; structure keeps a readable summary in the first section, a digest of sorted cipher identifiers in the second, and a digest derived from extensions and signature algorithms in the third. This makes the components useful independently. An analyst can group on part of a JA4 value without pretending every field is identical.&lt;/p&gt;
&lt;p&gt;That is deliberate lossy compression. JA4 is useful because it throws away distinctions its designers judged unstable or unhelpful for this job. It is not a reversible rendering of the ClientHello, and its truncated SHA-256 sections do not provide a measure of semantic distance. The exact format is set out in the &lt;a href="https://github.com/FoxIO-LLC/ja4/blob/main/technical_details/JA4.md"&gt;FoxIO JA4 technical specification&lt;/a&gt;.&lt;/p&gt;
&lt;p&gt;JA4 is one method. JA4+ is the name used for a wider family that includes server, HTTP, TCP, SSH, certificate and other fingerprints. Those methods do not all share JA4's licence, which matters if the fingerprints will be built into a commercial service.&lt;/p&gt;
&lt;h2&gt;The Cisco research branch&lt;/h2&gt;
&lt;p&gt;Cisco's work took a different route. In 2016, Blake Anderson, Subharthi Paul and David McGrew studied how observable TLS features could help distinguish malware from enterprise traffic without decrypting it. Their paper, &lt;a href="https://arxiv.org/abs/1607.01639"&gt;Deciphering Malware's Use of TLS&lt;/a&gt;, also dealt with an awkward issue that still matters: malware-sandbox data can bias a classifier.&lt;/p&gt;
&lt;p&gt;Anderson and McGrew's 2017 &lt;a href="https://arxiv.org/abs/1706.08003"&gt;operating-system fingerprinting research&lt;/a&gt; combined evidence from TCP/IP, TLS and HTTP across multiple sessions. The point was not to mint a universally portable hash. It was to ask whether several kinds of passive evidence, accumulated over time, reduced uncertainty about the endpoint.&lt;/p&gt;
&lt;p&gt;The same multi-protocol approach appears in Cisco's Joy and Mercury projects. Mercury's Network Protocol Fingerprinting format represents selected protocol features as a tree of hexadecimal byte strings. The full form retains structure. Its naming can state the protocol and fingerprint rule version. An optional compact hash can be used where a fixed-length value is more practical. Cisco's current &lt;a href="https://github.com/cisco/mercury/blob/main/doc/npf.md"&gt;draft NPF specification&lt;/a&gt; defines fingerprints for TLS, QUIC, TCP, HTTP, SSH and other protocols.&lt;/p&gt;
&lt;p&gt;Mercury also keeps fingerprint generation separate from process classification. That distinction is easy to miss.&lt;/p&gt;
&lt;h2&gt;A fingerprint and a label are different things&lt;/h2&gt;
&lt;p&gt;In Cisco's 2020 paper, &lt;a href="https://arxiv.org/abs/2009.01939"&gt;Accurate TLS Fingerprinting Using Destination Context and Knowledge Bases&lt;/a&gt;, the authors found that common TLS fingerprints mapped to many processes. For the 100 most prevalent fingerprints in their May 2020 data, the median was 24.5 process names per fingerprint.&lt;/p&gt;
&lt;p&gt;Their response was not a longer hash. They combined the fingerprint with destination address, port and server name, then used a weighted naïve Bayes classifier backed by a continually updated knowledge base.&lt;/p&gt;
&lt;p&gt;That produces an inference, not a property embedded in the fingerprint string. The result depends on labelled observations, their age, the monitored environment and the destination evidence available for the connection. The open Mercury repository can generate fingerprints without possessing Cisco's production knowledge base.&lt;/p&gt;
&lt;p&gt;This is the clearest difference between the two lineages:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;JA3 and JA4 define portable representations for selected TLS observations.&lt;/li&gt;
&lt;li&gt;Mercury NPF retains a richer, versioned representation that can be fed into a separate analysis system.&lt;/li&gt;
&lt;li&gt;Mercury's destination-context classifier is another layer again.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;None of these layers proves who made a request.&lt;/p&gt;
&lt;h2&gt;Where the lineages meet&lt;/h2&gt;
&lt;p&gt;The projects respond to many of the same protocol changes. Both JA4 and recent Mercury formats sort selected TLS fields to reduce instability caused by permutation. Both deal explicitly with GREASE. Both recognise that operators need compact values for logs as well as enough detail to investigate differences.&lt;/p&gt;
&lt;p&gt;They make different trade-offs. JA4 is convenient for grouping and interchange. Mercury's full NPF form is better suited to inspection and to analysis that benefits from retained structure. JA4's wider family adds fingerprints for other observations, while Mercury is also a packet metadata collector and protocol-analysis library. Comparing only the length of their hashes misses most of the design.&lt;/p&gt;
&lt;p&gt;The lab article makes that concrete. In &lt;a href="/blog/one-clienthello-ja3-ja4-mercury-lab/"&gt;one ClientHello, three fingerprints&lt;/a&gt;, we run JA3, JA4 and Mercury against the same packet capture, record the exact tool versions and compare what each output preserves.&lt;/p&gt;</content><category term="Security"></category><category term="TLS Fingerprinting"></category><category term="JA3"></category><category term="JA4"></category><category term="Cisco Mercury"></category><category term="Network Fingerprinting"></category><category term="Threat Detection"></category></entry><entry><title>One ClientHello, Three Fingerprints: JA3, JA4 and Mercury</title><link href="https://www.peakhour.io/blog/one-clienthello-ja3-ja4-mercury-lab/" rel="alternate"></link><published>2026-07-12T09:00:00+10:00</published><updated>2026-07-12T09:00:00+10:00</updated><author><name>AC</name></author><id>tag:www.peakhour.io,2026-07-12:/blog/one-clienthello-ja3-ja4-mercury-lab/</id><summary type="html">&lt;p&gt;A reproducible lab runs JA3, JA4 and Cisco Mercury against the same TLS ClientHello and compares what each fingerprint preserves.&lt;/p&gt;</summary><content type="html">&lt;p&gt;The easiest way to misunderstand network fingerprints is to compare example strings taken from different clients. We wanted a cleaner test: one packet capture, one TLS ClientHello and three fingerprint formats.&lt;/p&gt;
&lt;p&gt;The complete lab is checked into this site's source under &lt;code&gt;labs/network-fingerprinting/&lt;/code&gt;, and the &lt;a href="/static/downloads/network-fingerprinting-lab.tar.gz"&gt;publication bundle is available here&lt;/a&gt;. It pins the tool revisions, reconstructs the fixture, verifies its checksum, runs the tools and checks that their outputs refer to the same connection. Nothing in the comparison depends on a vendor database or an application label.&lt;/p&gt;
&lt;h2&gt;The input&lt;/h2&gt;
&lt;p&gt;The fixture is a 329-byte Peakhour-generated capture containing a local OpenSSL 3.5.6 ClientHello wrapped in one synthetic Ethernet/IPv4/TCP packet:&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre&gt;&lt;span&gt;&lt;/span&gt;&lt;code&gt;10.1.1.1:40000 -&amp;gt; 10.2.2.2:443
SNI: lab.peakhour.test
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;

&lt;p&gt;The lab stores the small fixture as base64 under an adjacent BSD 3-Clause licence and verifies the decoded PCAP with SHA-256 before using it. The reserved SNI and private addresses did not cross a network. We select packet 1 and TCP stream 0. That selection matters: saying that several tools read the same PCAP is weaker than proving that their output describes the same flow and ClientHello.&lt;/p&gt;
&lt;p&gt;The pinned revisions for this run are:&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre&gt;&lt;span&gt;&lt;/span&gt;&lt;code&gt;Cisco Mercury  3172786645f70e1a8347d8cf020b736e185651e5
FoxIO JA4      0e54bc8371de34df94a35f2442c05bda2e8b2034
Salesforce JA3 502cc6395811c54743b0561419d61900a6df3ff7
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;

&lt;p&gt;These pins are part of the result. Fingerprint implementations and specifications change. A value without its method and version is harder to reproduce than it first appears.&lt;/p&gt;
&lt;h2&gt;Running the lab&lt;/h2&gt;
&lt;p&gt;From the repository root:&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre&gt;&lt;span&gt;&lt;/span&gt;&lt;code&gt;./labs/network-fingerprinting/run.sh
python&lt;span class="w"&gt; &lt;/span&gt;labs/network-fingerprinting/verify.py
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;

&lt;p&gt;The runner fetches the pinned source archives, builds or invokes the implementations in a temporary work directory, and writes evidence to &lt;code&gt;labs/network-fingerprinting/results/&lt;/code&gt;. The verifier checks the fixture and output checksums, connection tuple, SNI and output shape. The pinned source URLs are enforced by the runner rather than inferred by the verifier.&lt;/p&gt;
&lt;p&gt;This is a fingerprint-format lab, not a speed test. Build time, runtime and memory use depend heavily on language, wrapper and capture path, so we do not compare them here.&lt;/p&gt;
&lt;h2&gt;JA3: a portable exact-match digest&lt;/h2&gt;
&lt;p&gt;For this ClientHello, the canonical JA3 feature string is:&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre&gt;&lt;span&gt;&lt;/span&gt;&lt;code&gt;771,49196-49200-159-52393-52392-52394-49195-49199-158-49188-49192-107-49187-49191-103-49162-49172-57-49161-49171-51-157-156-61-60-53-47,65281-0-11-10-35-16-22-23-13,29-23-30-24-25,0-1-2
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;

&lt;p&gt;Its MD5 digest is:&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre&gt;&lt;span&gt;&lt;/span&gt;&lt;code&gt;e1934f32e97b0bd52227953ca7d30118
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;

&lt;p&gt;The digest is convenient for logs and exact lookup. On its own it does not show which cipher, extension or group changed. The pre-hash string retains enough information to investigate that difference, which is why throwing it away too early can make later analysis harder.&lt;/p&gt;
&lt;p&gt;JA3 removes GREASE values but otherwise retains the order of its selected lists. A client that permutes extension order can therefore generate a new JA3 digest without changing its effective TLS capabilities. The &lt;a href="https://github.com/salesforce/ja3"&gt;archived Salesforce JA3 repository&lt;/a&gt; defines the input fields and GREASE handling.&lt;/p&gt;
&lt;h2&gt;JA4: canonicalised components&lt;/h2&gt;
&lt;p&gt;The same ClientHello produces this JA4:&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre&gt;&lt;span&gt;&lt;/span&gt;&lt;code&gt;t12d2709h2_a2460661a67a_36cef8aed422
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;

&lt;p&gt;Its first section is readable:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;code&gt;t&lt;/code&gt; means TLS over TCP;&lt;/li&gt;
&lt;li&gt;&lt;code&gt;12&lt;/code&gt; is the highest supported TLS version after ignoring GREASE;&lt;/li&gt;
&lt;li&gt;&lt;code&gt;d&lt;/code&gt; says a domain was present in SNI;&lt;/li&gt;
&lt;li&gt;&lt;code&gt;27&lt;/code&gt; and &lt;code&gt;09&lt;/code&gt; are the cipher and extension counts after the format's exclusions;&lt;/li&gt;
&lt;li&gt;&lt;code&gt;h2&lt;/code&gt; summarises the first ALPN value.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;The second section is the first 12 hexadecimal characters of SHA-256 over sorted cipher identifiers. The third is a truncated SHA-256 value derived from sorted extension identifiers and the signature algorithms in their original order. The canonical &lt;a href="https://github.com/FoxIO-LLC/ja4/blob/main/technical_details/JA4.md"&gt;JA4 technical specification&lt;/a&gt; defines the exact exclusions and encodings.&lt;/p&gt;
&lt;p&gt;The lab also records &lt;code&gt;JA4_r&lt;/code&gt;, the raw form used by the FoxIO tooling:&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre&gt;&lt;span&gt;&lt;/span&gt;&lt;code&gt;t12d2709h2_002f,0033,0035,0039,003c,003d,0067,006b,009c,009d,009e,009f,c009,c00a,c013,c014,c023,c024,c027,c028,c02b,c02c,c02f,c030,cca8,cca9,ccaa_000a,000b,000d,0016,0017,0023,ff01_0403,0503,0603,0807,0808,0809,080a,080b,0804,0805,0806,0401,0501,0601,0303,0301,0302,0402,0502,0602
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;

&lt;p&gt;That makes the normalisation visible. It also shows why JA4 is not fuzzy hashing: sorting makes selected permutations equivalent, while the hashes still support equality matching rather than semantic distance.&lt;/p&gt;
&lt;h2&gt;Mercury NPF: a retained protocol tree&lt;/h2&gt;
&lt;p&gt;Cisco Mercury 2.18 emits this &lt;code&gt;tls/2&lt;/code&gt; fingerprint for the same ClientHello:&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre&gt;&lt;span&gt;&lt;/span&gt;&lt;code&gt;tls/2/(0303)(c02cc030009fcca9cca8ccaac02bc02f009ec024c028006bc023c0270067c00ac0140039c009c0130033009d009c003d003c0035002f)[(0000)(000a000c000a001d0017001e00180019)(000b000403000102)(000d002a0028040305030603080708080809080a080b080408050806040105010601030303010302040205020602)(0010000e000c02683208687474702f312e31)(0016)(0017)(ff01)]
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;

&lt;p&gt;The value is longer because it is doing another job. Parentheses and square brackets describe an ordered tree of selected byte strings. In the draft NPF notation, square brackets mark a lexicographically sorted list. The &lt;code&gt;tls/2&lt;/code&gt; prefix names the protocol and fingerprint rule version.&lt;/p&gt;
&lt;p&gt;An analyst can inspect the retained values rather than relying only on a digest. Mercury also defines a compact hash nickname when a fixed-length index is needed, but that nickname loses the structure used for inspection, prefix comparison or approximate matching. Cisco's &lt;a href="https://github.com/cisco/mercury/blob/main/doc/npf.md"&gt;draft NPF specification&lt;/a&gt; documents both representations.&lt;/p&gt;
&lt;p&gt;The Mercury JSON includes the same source and destination tuple and the same SNI as the JA3 and JA4 records. It does not identify the client application in this lab because we did not run a labelled fingerprint knowledge base or the destination-context classifier. A packet-derived NPF value and a process assessment are separate outputs.&lt;/p&gt;
&lt;h2&gt;What the comparison establishes&lt;/h2&gt;
&lt;p&gt;All three methods observe the same ClientHello, but they define similarity differently.&lt;/p&gt;
&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;Question&lt;/th&gt;
&lt;th&gt;JA3&lt;/th&gt;
&lt;th&gt;JA4&lt;/th&gt;
&lt;th&gt;Mercury NPF &lt;code&gt;tls/2&lt;/code&gt;&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;Compact default&lt;/td&gt;
&lt;td&gt;Yes&lt;/td&gt;
&lt;td&gt;Yes&lt;/td&gt;
&lt;td&gt;No; optional hash available&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Inspectable selected inputs&lt;/td&gt;
&lt;td&gt;Only if the pre-hash string is retained&lt;/td&gt;
&lt;td&gt;Partly in &lt;code&gt;a&lt;/code&gt;; fully in the recorded raw form&lt;/td&gt;
&lt;td&gt;Yes in the full tree&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Selected list sorting&lt;/td&gt;
&lt;td&gt;No, after GREASE removal&lt;/td&gt;
&lt;td&gt;Ciphers and most extensions&lt;/td&gt;
&lt;td&gt;Rule-specific selected extensions&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Explicit format version in value&lt;/td&gt;
&lt;td&gt;No&lt;/td&gt;
&lt;td&gt;Encoded field semantics, but no separate rule number&lt;/td&gt;
&lt;td&gt;Yes&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Semantic or approximate comparison&lt;/td&gt;
&lt;td&gt;Not from the digest&lt;/td&gt;
&lt;td&gt;Component grouping, not hash distance&lt;/td&gt;
&lt;td&gt;Full structure can support richer matching&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Application attribution in the format&lt;/td&gt;
&lt;td&gt;No&lt;/td&gt;
&lt;td&gt;No&lt;/td&gt;
&lt;td&gt;No&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;
&lt;p&gt;The table does not produce a universal winner. JA3 remains useful where historical compatibility matters. JA4 is compact and handles selected permutations cleanly. Mercury retains more material for inspection and for analysis systems that need structured features.&lt;/p&gt;
&lt;p&gt;It also shows what none of the values can establish. The capture does not prove which person, device or application created the connection. Shared libraries, browser impersonation and software updates all complicate that inference. See &lt;a href="/blog/fingerprint-is-a-cohort-not-a-client/"&gt;A network fingerprint is a cohort, not a client&lt;/a&gt; for the operational consequences.&lt;/p&gt;
&lt;p&gt;For the history behind these design choices, read &lt;a href="/blog/two-lineages-tls-fingerprinting/"&gt;Two lineages of TLS fingerprinting&lt;/a&gt;. The durable format comparison is in &lt;a href="/learning/fingerprinting/mercury-vs-ja4-vs-ja3/"&gt;Mercury vs JA4 vs JA3&lt;/a&gt;.&lt;/p&gt;</content><category term="Security"></category><category term="TLS Fingerprinting"></category><category term="JA3"></category><category term="JA4"></category><category term="Cisco Mercury"></category><category term="Network Fingerprinting"></category><category term="Security Research"></category></entry></feed>