What is an Account-Control Surface?
Understand the account-control surface and why account protection has to cover more than the login form.
Support FAQ
JA3 and JA4 do not hash the same material in the same way. JA3 applies MD5 to one serialised string and normally publishes only the resulting 32-character identifier. JA4 keeps a readable first section, then uses two 12-character truncated SHA-256 values for its normalised cipher and extension material.
That distinction matters: the published formats preserve and discard different information.
Compact identifiers are convenient for high-volume logs, database indexes and exact comparisons. They are also easy to exchange: two systems implementing the same version of the method can compare a short value without moving full packet data.
Hashing also sets a clear equality rule. If the inputs selected by the method are identical after its normalisation, the identifier is identical. If a hashed input changes, the output will usually be completely different.
a section is readable, but its b and c sections still hide their lists.JA4_r form does not restore the packet's original order.The short hashes also have a finite collision space. Truncating SHA-256 to 12 hexadecimal characters gives JA4 a 48-bit section, while JA3's MD5 output is 128 bits. That arithmetic does not make JA3 more descriptive: semantic collisions—different clients producing the same selected inputs—are usually the more immediate attribution problem.
For routine grouping, compact JA3 or JA4 values may be enough. For investigations and detector development, retain more:
ClientHello, where policy permits;JA4_r normalised raw output;FoxIO documents JA4_r and original-order output in the JA4 technical specification. The JA3 repository documents its source string and MD5 calculation.
Keeping raw material costs more storage and may carry more sensitive metadata, so retention should be deliberate. A useful compromise is to log the compact identifier broadly and preserve richer material for sampled traffic, investigations or short retention windows.
Understand the account-control surface and why account protection has to cover more than the login form.
Learn about account takeover threats, protection strategies, and detection methods to secure your digital accounts and prevent unauthorised access.
An overview of Account Takeover Attacks
A practical reference for common AI crawler user agents, operators, purposes, and recommended Peakhour bot-management actions.
AI For Cybersecurity explains the concept in the context of AI security, with practical checks and mitigation considerations for site operators.
AI Image Generation explains the concept in the context of AI security, with practical checks and mitigation considerations for site operators.
© PEAKHOUR.IO PTY LTD 2026 ABN 76 619 930 826 All rights reserved.