TLS fingerprinting of clients: hash types, utilities for displaying TLS fingerprints of clients

Contents

1. TLS fingerprinting: methods for identifying client and server software

2. TLS fingerprinting of clients: hash types, utilities for displaying TLS fingerprints of clients

2.1 Client TLS fingerprinting hash types

2.2 Tools for TLS fingerprinting of clients

2.2.1 Wireshark

2.2.2 TShark

2.2.3 JA4+

2.2.4 JA3-JA4-scanner

2.2.5 Online service for displaying JA3 and JA4 fingerprints

2.3 Weaknesses of TLS fingerprints of clients.

2.4 JA3, JA3N and JA4 hash databases

2.5 Client TLS fingerprints may change in new software versions

2.6 TLS fingerprinting of QUIC clients

3. TLS fingerprinting of servers: hash types, utilities for displaying TLS fingerprints of servers

4. How to change TLS fingerprints and impersonate other applications. How to bypass filtering based on TLS fingerprinting


2.1 Client TLS fingerprinting hash types

JA3 is the original version of the client TLS fingerprint. Google Chrome now actively resists this kind of fingerprinting, so for Chrome the JA3 value is different on every connection.

JA3_FULL is the raw data used to obtain the JA3 hash.

JA3N is an improved version of JA3: it sorts the part of the data whose order Google Chrome randomizes, so the hash is the same for all Google Chrome requests (and for other applications that use this method of preventing TLS fingerprinting).

JA3N_FULL is the raw data used to obtain the JA3N hash.

Note: the part of the data that is randomized in Google Chrome is the third component of the hashed string, SSLExtension (List of SSL Extensions). Within one version of Google Chrome the list of extensions remains unchanged, but the order in which they are listed changes with each request.
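The normalisation described above, as an added example (not code from the original page or from any JA3 tool): it sorts only the extension component of a JA3_FULL string and hashes the result, assuming that JA3N is the MD5 of JA3N_FULL in the same way that JA3 is the MD5 of JA3_FULL. The input is the Firefox JA3_FULL string from the table in section 2.4; the shuffled variants are constructed to imitate a client that randomizes its extension order.

```python
import hashlib
import random

# JA3_FULL for Firefox 132 (first connection), copied from the table in section 2.4.
FIREFOX_JA3_FULL = (
    "771,"
    "4865-4867-4866-49195-49199-52393-52392-49196-49200-49162-49161-49171-49172-156-157-47-53,"
    "0-23-65281-10-11-35-16-5-34-51-43-13-45-28-27-65037,"
    "4588-29-23-24-25-256-257,"
    "0"
)


def split_ja3(ja3_full):
    """Split a JA3 raw string into its five comma-separated components."""
    parts = ja3_full.split(",")
    if len(parts) != 5:
        raise ValueError("expected 5 components, got %d" % len(parts))
    return parts


def ja3_hash(ja3_full):
    """JA3 is the MD5 of the raw string."""
    return hashlib.md5(ja3_full.encode("ascii")).hexdigest()


def ja3n_full(ja3_full):
    """Return the raw string with the extension list sorted numerically."""
    version, ciphers, extensions, curves, formats = split_ja3(ja3_full)
    # Only the extension component is sorted: cipher and curve order are
    # not randomized, so their order is kept as part of the fingerprint.
    ext_ids = sorted(int(e) for e in extensions.split("-") if e)
    return ",".join([version, ciphers, "-".join(map(str, ext_ids)), curves, formats])


def ja3n_hash(ja3_full):
    """Assumption of this example: JA3N is the MD5 of JA3N_FULL."""
    return ja3_hash(ja3n_full(ja3_full))


def shuffled_extensions(ja3_full, rng):
    """Constructed input: the same ClientHello with its extensions permuted."""
    version, ciphers, extensions, curves, formats = split_ja3(ja3_full)
    ext = extensions.split("-")
    rng.shuffle(ext)
    return ",".join([version, ciphers, "-".join(ext), curves, formats])


def demo(rounds=5, seed=1):
    """Hash several permuted variants; return the sets of JA3 and JA3N values."""
    rng = random.Random(seed)
    variants = [shuffled_extensions(FIREFOX_JA3_FULL, rng) for _ in range(rounds)]
    return {ja3_hash(v) for v in variants}, {ja3n_hash(v) for v in variants}


if __name__ == "__main__":
    ja3_values, ja3n_values = demo()
    print("JA3N_FULL:", ja3n_full(FIREFOX_JA3_FULL))
    print("distinct JA3 values: ", len(ja3_values))
    print("distinct JA3N values:", len(ja3n_values))
```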

JA4 is the next version of the TLS client fingerprint. It currently gives the same result on every request for the Google Chrome web browser. The JA4 TLS fingerprint is part of the JA4+ fingerprint group, whose fingerprints consist of several parts separated by the underscore character, for example:

t13d1516h2_8daaf6152771_02713d6af862

The first part encodes information and is not hashed; the second and third parts are truncated hashes.

Let's look at the structure of the first part of the hash (JA4_a):

  • The first character (“t”) means the TCP protocol; a “q” character may appear instead, which stands for the QUIC protocol.
  • The next two characters stand for the TLS version: 1.2 = “12”, 1.3 = “13”.
  • The next letter is “d” or “i”, determined by the Server Name Indication (SNI) TLS extension: if the TLS handshake contains the domain name it is intended for, the letter is “d”, which means “domain”; if SNI is missing, the letter is “i”, which in this case means “IP”.
  • Then comes a two-digit number: the number of cipher suites, excluding GREASE.
  • Then another two-digit number: the number of extensions, excluding GREASE.
  • Finally, the last two characters are taken from the Application-Layer Protocol Negotiation (ALPN) TLS extension value. If the ALPN extension is missing, “00” is indicated.

The second part of the hash (JA4_b) is a truncated SHA256 hash obtained by hashing the sorted Cipher Suite string.

The third part of the hash (JA4_c) is a truncated SHA256 hash obtained by hashing the sorted list of Extensions followed by the Signature Algorithms in the order they appear.

More technical details about JA4 here: https://github.com/FoxIO-LLC/ja4/blob/main/technical_details/JA4.md

JA4_R is the raw data used to derive the JA4 hash.
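An added example (not part of the original page or of the JA4+ tools) that rebuilds a JA4 fingerprint from its JA4_R string and decodes JA4_a, using the Google Chrome 130 values listed on this page. The function names are this example's own; per the JA4 specification linked above, the extension counter in JA4_a includes SNI and ALPN while the hashed extension list leaves them out, which the consistency check relies on.

```python
import hashlib

# Values for Google Chrome 130 (first connection), copied from this page.
CHROME_JA4 = "t13d1516h2_8daaf6152771_02713d6af862"
CHROME_JA4_R = (
    "t13d1516h2_"
    "002f,0035,009c,009d,1301,1302,1303,c013,c014,c02b,c02c,c02f,c030,cca8,cca9_"
    "0005,000a,000b,000d,0012,0017,001b,0023,002b,002d,0033,4469,fe0d,ff01_"
    "0403,0804,0401,0503,0805,0501,0806,0601"
)

PROTOCOLS = {"t": "TCP", "q": "QUIC"}
TLS_VERSIONS = {"12": "1.2", "13": "1.3"}  # only the versions named on the page


def truncated_sha256(text):
    """First 12 hex characters of SHA-256; twelve zeros for an empty list."""
    if not text:
        return "0" * 12
    return hashlib.sha256(text.encode("ascii")).hexdigest()[:12]


def parse_ja4_r(ja4_r):
    """Split JA4_R into (JA4_a, ciphers, extensions, signature algorithms)."""
    parts = ja4_r.split("_")
    if len(parts) not in (3, 4):
        raise ValueError("not a JA4_R string: %r" % ja4_r)
    fields = [p.split(",") if p else [] for p in parts[1:]]
    if len(fields) == 2:          # no signature algorithms in the ClientHello
        fields.append([])
    return parts[0], fields[0], fields[1], fields[2]


def decode_ja4_a(a):
    """Decode the readable, unhashed first part of a JA4 fingerprint."""
    if len(a) != 10:
        raise ValueError("JA4_a must be 10 characters: %r" % a)
    return {
        "transport": PROTOCOLS.get(a[0], "unknown (%s)" % a[0]),
        "tls_version": TLS_VERSIONS.get(a[1:3], a[1:3]),
        "sni": "domain" if a[3] == "d" else "ip",
        "cipher_count": int(a[4:6]),
        "extension_count": int(a[6:8]),
        "alpn": a[8:10],
    }


def ja4_from_raw(ja4_r):
    """Recompute JA4 (a_b_c) from the raw string."""
    a, ciphers, extensions, sigalgs = parse_ja4_r(ja4_r)
    c_input = ",".join(extensions)
    if sigalgs:                   # no trailing underscore when the list is empty
        c_input += "_" + ",".join(sigalgs)
    return "_".join([a, truncated_sha256(",".join(ciphers)), truncated_sha256(c_input)])


def check_counts(ja4_r):
    """Cross-check the counters in JA4_a against the lists in JA4_R.

    SNI (0000) and ALPN (0010) are counted in JA4_a but are not listed in the
    hashed extension list, so they are added back before comparing.
    """
    a, ciphers, extensions, _sigalgs = parse_ja4_r(ja4_r)
    info = decode_ja4_a(a)
    listed = len(extensions) + (info["sni"] == "domain") + (info["alpn"] != "00")
    return info["cipher_count"] == len(ciphers) and info["extension_count"] == listed


if __name__ == "__main__":
    print(decode_ja4_a(CHROME_JA4.split("_")[0]))
    print("recomputed:", ja4_from_raw(CHROME_JA4_R))
    print("matches page value:", ja4_from_raw(CHROME_JA4_R) == CHROME_JA4)
    print("counters consistent:", check_counts(CHROME_JA4_R))
```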

JA4_o, with its corresponding raw data string JA4_ro, is a modification of the JA4 hash in which the letter “o” stands for “original”: the ciphers keep their original order, without the sorting done in JA4, but minus GREASE. This means that SNI (0000) and ALPN (0010) are included.

TS1 uses more data for TLS fingerprinting of clients, but is not yet ready. Homepage: https://github.com/lwthiker/ts1.

2.2 Tools for TLS fingerprinting of clients

2.2.1 Wireshark

Wireshark now displays JA3 and JA4 hashes; the corresponding filters are:

tls.handshake.ja3
tls.handshake.ja4

For more details, see here: Wireshark filters for software type identification (TLS fingerprinting)

2.2.2 TShark

TShark (in some Linux distributions, the package is called wireshark-cli) is a console interface for Wireshark. With TShark, you can do everything that you can do with Wireshark, and when it comes to automation, TShark is unrivaled.

The following command will capture traffic and output JA4 hashes:

sudo tshark -Y "tls.handshake.ja3" -T fields -e ip.src -e ipv6.src -e ip.dst -e ipv6.dst -e tls.handshake.extensions_server_name -e tls.handshake.ja4

Note: you may notice that the display filter specifies ja3 while the output field specifies ja4. This is not an error: every packet for which ja3 is calculated also contains ja4, since both are calculated from the same type of data. That is, -Y "tls.handshake.ja3" can be replaced with -Y "tls.handshake.ja4" and absolutely nothing will change; you can choose either of these values.

The fields that will be displayed will be:

  • IP or IPv6 address of the client
  • IP or IPv6 address of the server
  • Domain to which the request was sent
  • JA4 hash

If you are not connected to an IPv6 network, you can remove the following options from the command:

-e ipv6.src
-e ipv6.dst

A single command can display both JA3 and JA4 hashes:

sudo tshark -Y "tls.handshake.ja3" -T fields -e ip.src -e ipv6.src -e ip.dst -e ipv6.dst -e tls.handshake.extensions_server_name -e tls.handshake.ja3 -e tls.handshake.ja4

The following command analyzes a file with captured network traffic (the path to the file is specified after the -r option):

tshark -Y "tls.handshake.ja3" -T fields -e ip.src -e ipv6.src -e ip.dst -e ipv6.dst -e tls.handshake.extensions_server_name -e tls.handshake.ja3 -e tls.handshake.ja4 -r /mnt/disk_d/Share/Captures/ssl_443.pcapng

If you want to get JA3 and JA4 hashes for a specific program that made the request, you need to combine the command with one or more of the following filters:

IP or IPv6 address of the request source:

ip.src
ipv6.src

IP or IPv6 address of the server to which the request was sent:

ip.dst
ipv6.dst

Keep in mind that all applications on your computer share the same IP or IPv6 address. Therefore, to obtain the desired result, you need to do the following:

1) make a request with the client for which you want to receive JA3 and JA4 fingerprints to a specific web server on the Internet

2) filter in TShark the values in which the IP or IPv6 address of the server is specified as the destination IP.

For example, the following command will show JA3 and JA4 fingerprints for a client that sent a request to a server with IPv6 2604:a880:800:c1::2ae:d001:

tshark -Y "tls.handshake.ja3 and ipv6.dst == 2604:a880:800:c1::2ae:d001" -T fields -e ip.src -e ipv6.src -e ip.dst -e ipv6.dst -e tls.handshake.extensions_server_name -e tls.handshake.ja3 -e tls.handshake.ja4 -r /mnt/disk_d/Share/Captures/just-test.pcapng

You can specify headers for the output and choose a different separator for the data fields (the default is a tab character). If you select a comma as a separator, such data can be saved to a .csv file and opened by a program that supports this format (for example, LibreOffice Calc or MS Excel).

tshark -E separator=',' -E header=y -Y "tls.handshake.ja3" -T fields -e ip.src -e ipv6.src -e ip.dst -e ipv6.dst -e tls.handshake.extensions_server_name -e tls.handshake.ja3 -e tls.handshake.ja4 -r /mnt/disk_d/Share/Captures/just-test.pcapng > test.csv

If you want to see the full lines from which the JA3 and JA4 hashes are calculated, add the following options to your command:

-e tls.handshake.ja3_full
-e tls.handshake.ja4_r

For example:

tshark -Y "tls.handshake.ja3" -T fields -e ip.src -e ipv6.src -e ip.dst -e ipv6.dst -e tls.handshake.extensions_server_name -e tls.handshake.ja3 -e tls.handshake.ja3_full -e tls.handshake.ja4 -e tls.handshake.ja4_r -r /mnt/disk_d/Share/Captures/just-test.pcapng

If you prefer the JSON format, then instead of -T fields specify -T json, for example:

sudo tshark -E header=y -Y "tls.handshake.ja3" -T json -e ip.src -e ipv6.src -e ip.dst -e ipv6.dst -e tls.handshake.extensions_server_name -e tls.handshake.ja3 -e tls.handshake.ja4

Similarly, JSON output can be obtained by parsing capture files:

tshark -T json -e ip.src -e ipv6.src -e ip.dst -e ipv6.dst -e tls.handshake.extensions_server_name -e tls.handshake.ja3 -e tls.handshake.ja4 -r /mnt/disk_d/Share/Captures/ssl_443.pcapng

2.2.3 JA4+

The JA4+ repository contains various files, including a Python script that extracts JA4, JA4S, JA4H, JA4L, JA4LS, JA4X, JA4SSH, JA4T, JA4TS fingerprints from PCAP files.

For information on how to install this script from JA4+, see here: https://en.kali.tools/?p=1895 (section “How to install JA4+”).

Let's look at a few examples of using ja4.py from the JA4+ repository.

To print only JA4 hashes found in /mnt/disk_d/Share/Captures/ssl_443.pcapng:

python ja4.py --ja4 /mnt/disk_d/Share/Captures/ssl_443.pcapng

Print all TLS fingerprint hash types found in /mnt/disk_d/Share/Captures/ssl_443.pcapng, using JSON format:

python ja4.py --json /mnt/disk_d/Share/Captures/ssl_443.pcapng

Print all TLS fingerprint hash types found in /mnt/disk_d/Share/Captures/ssl_443.pcapng, plus print raw strings used to calculate hashes (-r), display the result on the screen in JSON format (--json):

python ja4.py -r --json /mnt/disk_d/Share/Captures/ssl_443.pcapng

Print all TLS fingerprint hash types found in the file /mnt/disk_d/Share/Captures/just-test.pcapng only for packets where the target domain is suip.biz:

python ja4.py /mnt/disk_d/Share/Captures/just-test.pcapng | grep "'domain': 'suip.biz'"

2.2.4 JA3-JA4-scanner

None of the previous tools can filter, for example, by User Agent (and this is normal, since the User Agent is transmitted encrypted and we cannot access it without decrypting the traffic). Therefore, to determine JA3 and JA4 for a specific program, you need to filter by the IP address to which the packet was sent and hope that no other application made a request to this server at that moment.

Let's formulate the problem: collect JA3 and JA4 fingerprints for various applications.

To solve this problem, you can use the following algorithm:

  1. Run TShark for a short time, and set up filters to display information about a single IP – and choose the one to which applications do not send data without the user's knowledge
  2. Make a request to the selected server with the program for which you need to get JA3 and JA4

You probably thought that it would be nice to write a small script that would automate this process. You just thought about it, and I already did it!

JA3-JA4-scanner is a utility that will show JA3 and JA4 fingerprints for a program on your computer (a web browser, a command line utility, or any other application that can make requests via HTTPS protocol).

The script only requires TShark – if your system does not have this program, then install it as shown in the section “How to install JA3-JA4-scanner”.

Then download the script itself:

wget https://kali.tools/files/scripts/ja3-ja4-scanner.sh

And run:

sudo bash ja3-ja4-scanner.sh

Now just open the address shown on the screen in the program for which you want to find out the JA3 and JA4 hashes. As soon as the data is received, the script will display the results on the screen and exit. It couldn't be simpler, and you can determine JA3 and JA4 hashes for any application, from a web browser to a PHP script.

2.2.5 Online service for displaying JA3 and JA4 fingerprints

Finally, the simplest option is online services for scanning JA3 and JA4 fingerprints. I uploaded the ja3-ja4-scanner.sh script to my servers (it took a little modification) and now you can check JA3 and JA4 hashes online – just open the page with the program you want to find out JA3 and JA4 fingerprints for:

This online service has a version for console utilities; its address is https://suip.biz/?act=ja4. Example of use:

curl -A 'Chrome' 'https://suip.biz/?act=ja4'

2.3 Weaknesses of TLS fingerprints of clients. What you need to know about TLS fingerprinting

1) For some applications, the hash may differ during the initial connection and during reconnection. This is due to the use of TLS session resumption. This technology must be supported by both the client application and the web server. This is usually typical for web browsers.

Despite all its advantages, TLS has quite a lot of “overhead” during the first connection: before the exchange of significant data, the client and server agree on protocol versions, cipher suites, send and verify the site certificate, send the encryption key, and double-check that everything has arrived without forgery and distortion in several cycles of mutual data exchange. TLS session resumption serves precisely to reduce the overhead during the second and all subsequent connections (usually this option remains until the web browser is closed).

But when using TLS session resumption, the TLS handshake during the second and all subsequent connections begins to differ. This results in one client being characterized by two hash values:

  • initial connection
  • all subsequent reconnections

Example of JA3N and JA4 hashes, as well as full strings used to calculate hashes obtained for the Google Chrome 130.0 web browser during the first connection:

JA3N: 4c9ce26028c11d7544da00d3f7e4f45c
JA3N_FULL: 771,4865-4866-4867-49195-49199-49196-49200-52393-52392-49171-49172-156-157-47-53,0-5-10-11-13-16-18-23-27-35-43-45-51-17513-65037-65281,25497-29-23-24,0
JA4: t13d1516h2_8daaf6152771_02713d6af862
JA4_R: t13d1516h2_002f,0035,009c,009d,1301,1302,1303,c013,c014,c02b,c02c,c02f,c030,cca8,cca9_0005,000a,000b,000d,0012,0017,001b,0023,002b,002d,0033,4469,fe0d,ff01_0403,0804,0401,0503,0805,0501,0806,0601

The same data for the same browser upon reconnection (as well as all subsequent reconnections, up to closing the web browser):

JA3N: 0a84b1bbbb8d2d6094a8d8218d6d69bc
JA3N_FULL: 771,4865-4866-4867-49195-49199-49196-49200-52393-52392-49171-49172-156-157-47-53,0-5-10-11-13-16-18-23-27-35-41-43-45-51-17513-65037-65281,25497-29-23-24,0
JA4: t13d1517h2_8daaf6152771_b0da82dd1658
JA4_R: t13d1517h2_002f,0035,009c,009d,1301,1302,1303,c013,c014,c02b,c02c,c02f,c030,cca8,cca9_0005,000a,000b,000d,0012,0017,001b,0023,0029,002b,002d,0033,4469,fe0d,ff01_0403,0804,0401,0503,0805,0501,0806,0601

As you can see, the first two parts of the JA4 hash remain unchanged, but the last part changes. The JA3N hash changes completely. If you start delving into the full (raw) strings from which the hashes are calculated, you will notice that they are almost identical – only some values differ.

But (at most) two values is not so bad – server TLS hashes are even worse 😄

2) Different groups of applications – malicious and harmless – can have the same hashes. For example, client applications using popular libraries or operating system sockets (such as Python, PowerShell, PHP, Windows Socket) will have the same hashes.

That is, if a virus is written in Python, PowerShell or PHP, it will have the same TLS fingerprints as other scripts in these programming languages, and it will not be possible to distinguish it from useful programs. Or will it?

The authors of JA3 showed with examples that a combination of client and server TLS fingerprints makes it possible (in some cases) to clearly distinguish malware and even to instantly track the movement of servers controlling botnets, regardless of changes in IP addresses and domain names (details here: https://engineering.salesforce.com/tls-fingerprinting-with-ja3-and-ja3s-247362855967/).

In addition, the network activity of Python and PowerShell scripts in a corporate environment of office workers is quite strange in itself and may be a signal that something is happening that should not happen.

3) TLS fingerprints can be spoofed, although this requires specialized software.
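One way to handle the points above in detection logic, as an added example that is not from the original page: it classifies TShark field output against first-connection JA4 values from the table in section 2.4, folds reconnections back onto them by removing the pre_shared_key extension (0029, decimal 41, which appears only in the reconnection strings above), and marks non-browser clients for review. The input lines are constructed (documentation IP addresses and placeholder host names), and the three matching tiers and the "review" policy are assumptions of this example, not part of JA4.

```python
import hashlib

PSK = "0029"  # extension 41, pre_shared_key: sent when a TLS 1.3 session is resumed

# First-connection JA4 values from the table in section 2.4.
# The "browser"/"script" kind is this example's own labelling.
KNOWN = {
    "t13d1516h2_8daaf6152771_02713d6af862": ("Chrome/Edge/Opera", "browser"),
    "t13d1716h2_5b57614c22b0_eeeea6562960": ("Firefox", "browser"),
    "t13d1812h1_85036bcba153_b26ce05bbdd6": ("Python requests (Windows)", "script"),
    "t13d201100_2b729b4bf6f3_36bf25f296df": ("PowerShell (Windows)", "script"),
}


def h12(text):
    """Truncated SHA-256 used for JA4_b and JA4_c."""
    if not text:
        return "0" * 12
    return hashlib.sha256(text.encode("ascii")).hexdigest()[:12]


def strip_psk(ja4_r):
    """JA4 the same ClientHello would have without pre_shared_key, or None."""
    a, ciphers, exts, *sigalgs = ja4_r.split("_")
    ext_list = exts.split(",")
    if PSK not in ext_list:
        return None
    ext_list.remove(PSK)
    a = "%s%02d%s" % (a[:6], int(a[6:8]) - 1, a[8:])  # one extension fewer
    return "_".join([a, h12(ciphers), h12("_".join([",".join(ext_list)] + sigalgs))])


def coarse_key(ja4):
    """JA4_a without the extension counter, plus JA4_b (the cipher hash)."""
    a, b, _c = ja4.split("_")
    return a[:6] + a[8:] + "_" + b


COARSE = {coarse_key(ja4): who for ja4, who in KNOWN.items()}


def classify(ja4, ja4_r):
    """Return (client, kind, match tier) for one ClientHello."""
    if ja4 in KNOWN:
        return KNOWN[ja4] + ("exact",)
    collapsed = strip_psk(ja4_r)
    if collapsed in KNOWN:
        return KNOWN[collapsed] + ("resumed",)
    if coarse_key(ja4) in COARSE:  # weaker evidence: extensions are not compared
        return COARSE[coarse_key(ja4)] + ("cipher-only",)
    return ("unknown", "unknown", "none")


def scan(lines):
    """Parse tab-separated TShark output: ip.src, ip.dst, SNI, ja4, ja4_r."""
    findings = []
    for line in lines:
        src, _dst, sni, ja4, ja4_r = line.rstrip("\n").split("\t")
        client, kind, tier = classify(ja4, ja4_r)
        findings.append({"src": src, "sni": sni, "client": client,
                         "match": tier, "review": kind != "browser"})
    return findings


# Constructed lines in the format printed by:
#   tshark -T fields -e ip.src -e ip.dst -e tls.handshake.extensions_server_name
#          -e tls.handshake.ja4 -e tls.handshake.ja4_r
# Fingerprints are this page's values; addresses and host names are placeholders.
CH_C = "002f,0035,009c,009d,1301,1302,1303,c013,c014,c02b,c02c,c02f,c030,cca8,cca9"
CH_S = "0403,0804,0401,0503,0805,0501,0806,0601"
FF_S = "0403,0503,0603,0804,0805,0806,0401,0501,0601,0203,0201"
SAMPLE = ["\t".join(fields) for fields in [
    ("192.0.2.10", "198.51.100.7", "portal.example", "t13d1516h2_8daaf6152771_02713d6af862",
     "t13d1516h2_" + CH_C + "_0005,000a,000b,000d,0012,0017,001b,0023,002b,002d,0033,4469,fe0d,ff01_" + CH_S),
    ("192.0.2.10", "198.51.100.7", "portal.example", "t13d1517h2_8daaf6152771_b0da82dd1658",
     "t13d1517h2_" + CH_C + "_0005,000a,000b,000d,0012,0017,001b,0023,0029,002b,002d,0033,4469,fe0d,ff01_" + CH_S),
    ("192.0.2.11", "198.51.100.7", "portal.example", "t13d1716h2_5b57614c22b0_bdfeeec9ffef",
     "t13d1716h2_002f,0035,009c,009d,1301,1302,1303,c009,c00a,c013,c014,c02b,c02c,c02f,c030,cca8,cca9"
     "_0005,000a,000b,000d,0017,001b,001c,0022,0029,002b,002d,0033,fe0d,ff01_" + FF_S),
    ("192.0.2.23", "203.0.113.9", "files.example", "t13d201200_2b729b4bf6f3_89322cc15493",
     "t13d201200_002f,0035,003c,003d,009c,009d,1301,1302,c009,c00a,c013,c014,c023,c024,c027,c028,c02b,c02c,c02f,c030"
     "_000a,000b,000d,0017,0023,0029,002b,002d,0031,0033,ff01_0804,0805,0806,0401,0501,0201,0403,0503,0203,0202,0601,0603"),
    # The Tor row of the table, deliberately left out of KNOWN to show the fall-through.
    ("192.0.2.30", "203.0.113.9", "files.example", "t13d1113h2_47af8f603342_f81080dfc557",
     "t13d1113h2_009c,009d,1301,1302,1303,c02b,c02c,c02f,c030,cca8,cca9"
     "_0005,000a,000b,000d,0015,0017,001c,0022,002b,0033,ff01_" + FF_S),
]]

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```

In the sample, the Firefox reconnection only reaches the weakest tier: besides adding 0029 it drops 0023, so removing pre_shared_key alone does not reproduce its first-connection fingerprint.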

2.4 JA3, JA3N and JA4 hash databases

A brief summary of this section – I did not find anything comprehensive in open sources. But, of course, companies using TLS fingerprints have proprietary JA3, JA3N and JA4 databases. Let's look at what is freely available.

1) JA4 Database from the creators of JA4+

You can find the database from the creators of JA4+ on this page: https://ja4db.com/

You can even download it: https://ja4db.com/api/download/

To be honest, I was not impressed by this database – there is no PowerShell, no latest version of cURL, a lot of duplicates. It feels like this is just data extracted from captured traffic – I would like something better.

2) ja4plus-mapping.csv

I feel like I got more useful information than the first point from a small table located at this address (this table was also compiled by the authors of JA4+): https://github.com/FoxIO-LLC/ja4/blob/main/ja4plus-mapping.csv

3) Database of JA3, JA3N, and JA4 hashes for web browsers, programming languages, and utilities

Since I was not at all impressed by what I managed to find, I put together my own small database of JA3, JA3N, and JA4 hashes for the most popular (from my point of view) applications, utilities, and programming languages. The following table will help us evaluate how different or overlapping the hash values are for different types of applications and programming languages.

| Apps | JA3 | JA3_FULL | JA3N | JA3N_FULL | JA4 | JA4_R | User Agent |
|---|---|---|---|---|---|---|---|
| Chrome / Chromium (Windows & Linux) (first connection) | N/A | N/A | 4c9ce26028c11d7544da00d3f7e4f45c | 771,4865-4866-4867-49195-49199-49196-49200-52393-52392-49171-49172-156-157-47-53,0-5-10-11-13-16-18-23-27-35-43-45-51-17513-65037-65281,25497-29-23-24,0 | t13d1516h2_8daaf6152771_02713d6af862 | t13d1516h2_002f,0035,009c,009d,1301,1302,1303,c013,c014,c02b,c02c,c02f,c030,cca8,cca9_0005,000a,000b,000d,0012,0017,001b,0023,002b,002d,0033,4469,fe0d,ff01_0403,0804,0401,0503,0805,0501,0806,0601 | Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/130.0.0.0 Safari/537.36 |
| Chrome / Chromium (Windows & Linux) (reconnection) | N/A | N/A | 0a84b1bbbb8d2d6094a8d8218d6d69bc | 771,4865-4866-4867-49195-49199-49196-49200-52393-52392-49171-49172-156-157-47-53,0-5-10-11-13-16-18-23-27-35-41-43-45-51-17513-65037-65281,25497-29-23-24,0 | t13d1517h2_8daaf6152771_b0da82dd1658 | t13d1517h2_002f,0035,009c,009d,1301,1302,1303,c013,c014,c02b,c02c,c02f,c030,cca8,cca9_0005,000a,000b,000d,0012,0017,001b,0023,0029,002b,002d,0033,4469,fe0d,ff01_0403,0804,0401,0503,0805,0501,0806,0601 | Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/130.0.0.0 Safari/537.36 |
| Firefox (Windows & Linux) (first connection) | 2d692a4485ca2f5f2b10ecb2d2909ad3 | 771,4865-4867-4866-49195-49199-52393-52392-49196-49200-49162-49161-49171-49172-156-157-47-53,0-23-65281-10-11-35-16-5-34-51-43-13-45-28-27-65037,4588-29-23-24-25-256-257,0 | 90634f51dcf65fc506946108904d6913 | 771,4865-4867-4866-49195-49199-52393-52392-49196-49200-49162-49161-49171-49172-156-157-47-53,0-5-10-11-13-16-23-27-28-34-35-43-45-51-65037-65281,4588-29-23-24-25-256-257,0 | t13d1716h2_5b57614c22b0_eeeea6562960 | t13d1716h2_002f,0035,009c,009d,1301,1302,1303,c009,c00a,c013,c014,c02b,c02c,c02f,c030,cca8,cca9_0005,000a,000b,000d,0017,001b,001c,0022,0023,002b,002d,0033,fe0d,ff01_0403,0503,0603,0804,0805,0806,0401,0501,0601,0203,0201 | Mozilla/5.0 (X11; Linux x86_64; rv:132.0) Gecko/20100101 Firefox/132.0 |
| Firefox (Windows & Linux) (reconnection) | 1bd037f4362e6fb24b2718009dd1049a | 771,4865-4867-4866-49195-49199-52393-52392-49196-49200-49162-49161-49171-49172-156-157-47-53,0-23-65281-10-11-16-5-34-51-43-13-45-28-27-65037-41,4588-29-23-24-25-256-257,0 | ae5a0020003003358112604746bcef16 | 771,4865-4867-4866-49195-49199-52393-52392-49196-49200-49162-49161-49171-49172-156-157-47-53,0-5-10-11-13-16-23-27-28-34-41-43-45-51-65037-65281,4588-29-23-24-25-256-257,0 | t13d1716h2_5b57614c22b0_bdfeeec9ffef | t13d1716h2_002f,0035,009c,009d,1301,1302,1303,c009,c00a,c013,c014,c02b,c02c,c02f,c030,cca8,cca9_0005,000a,000b,000d,0017,001b,001c,0022,0029,002b,002d,0033,fe0d,ff01_0403,0503,0603,0804,0805,0806,0401,0501,0601,0203,0201 | Mozilla/5.0 (X11; Linux x86_64; rv:132.0) Gecko/20100101 Firefox/132.0 |
| Edge (Windows) (first connection) | N/A | N/A | 4c9ce26028c11d7544da00d3f7e4f45c | 771,4865-4866-4867-49195-49199-49196-49200-52393-52392-49171-49172-156-157-47-53,0-5-10-11-13-16-18-23-27-35-43-45-51-17513-65037-65281,25497-29-23-24,0 | t13d1516h2_8daaf6152771_02713d6af862 | t13d1516h2_002f,0035,009c,009d,1301,1302,1303,c013,c014,c02b,c02c,c02f,c030,cca8,cca9_0005,000a,000b,000d,0012,0017,001b,0023,002b,002d,0033,4469,fe0d,ff01_0403,0804,0401,0503,0805,0501,0806,0601 | Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/130.0.0.0 Safari/537.36 Edg/130.0.0.0 |
| Edge (Windows) (reconnection) | N/A | N/A | 0a84b1bbbb8d2d6094a8d8218d6d69bc | 771,4865-4866-4867-49195-49199-49196-49200-52393-52392-49171-49172-156-157-47-53,0-5-10-11-13-16-18-23-27-35-41-43-45-51-17513-65037-65281,25497-29-23-24,0 | t13d1517h2_8daaf6152771_b0da82dd1658 | t13d1517h2_002f,0035,009c,009d,1301,1302,1303,c013,c014,c02b,c02c,c02f,c030,cca8,cca9_0005,000a,000b,000d,0012,0017,001b,0023,0029,002b,002d,0033,4469,fe0d,ff01_0403,0804,0401,0503,0805,0501,0806,0601 | Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/130.0.0.0 Safari/537.36 Edg/130.0.0.0 |
| Opera (Windows) (first connection) | N/A | N/A | 4c9ce26028c11d7544da00d3f7e4f45c | 771,4865-4866-4867-49195-49199-49196-49200-52393-52392-49171-49172-156-157-47-53,0-5-10-11-13-16-18-23-27-35-43-45-51-17513-65037-65281,25497-29-23-24,0 | t13d1516h2_8daaf6152771_02713d6af862 | t13d1516h2_002f,0035,009c,009d,1301,1302,1303,c013,c014,c02b,c02c,c02f,c030,cca8,cca9_0005,000a,000b,000d,0012,0017,001b,0023,002b,002d,0033,4469,fe0d,ff01_0403,0804,0401,0503,0805,0501,0806,0601 | Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36 OPR/114.0.0.0 |
| Opera (Windows) (reconnection) | N/A | N/A | 0a84b1bbbb8d2d6094a8d8218d6d69bc | 771,4865-4866-4867-49195-49199-49196-49200-52393-52392-49171-49172-156-157-47-53,0-5-10-11-13-16-18-23-27-35-41-43-45-51-17513-65037-65281,25497-29-23-24,0 | t13d1517h2_8daaf6152771_b0da82dd1658 | t13d1517h2_002f,0035,009c,009d,1301,1302,1303,c013,c014,c02b,c02c,c02f,c030,cca8,cca9_0005,000a,000b,000d,0012,0017,001b,0023,0029,002b,002d,0033,4469,fe0d,ff01_0403,0804,0401,0503,0805,0501,0806,0601 | Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36 OPR/114.0.0.0 |
| Safari | | | | | | | |
| Android (Chrome) (first connection) | N/A | N/A | 4c9ce26028c11d7544da00d3f7e4f45c | 771,4865-4866-4867-49195-49199-49196-49200-52393-52392-49171-49172-156-157-47-53,0-5-10-11-13-16-18-23-27-35-43-45-51-17513-65037-65281,25497-29-23-24,0 | t13d1516h2_8daaf6152771_02713d6af862 | t13d1516h2_002f,0035,009c,009d,1301,1302,1303,c013,c014,c02b,c02c,c02f,c030,cca8,cca9_0005,000a,000b,000d,0012,0017,001b,0023,002b,002d,0033,4469,fe0d,ff01_0403,0804,0401,0503,0805,0501,0806,0601 | Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/130.0.0.0 Mobile Safari/537.36 |
| Android (Chrome) (reconnection) | N/A | N/A | 74bbdbde1033b2f56a57e7ccc97d13fe | 771,4865-4866-4867-49195-49199-49196-49200-52393-52392-49171-49172-156-157-47-53,0-5-10-11-13-16-18-23-27-35-41-43-45-51-17513-65037-65281,29-23-24,0 | t13d1517h2_8daaf6152771_b0da82dd1658 | t13d1517h2_002f,0035,009c,009d,1301,1302,1303,c013,c014,c02b,c02c,c02f,c030,cca8,cca9_0005,000a,000b,000d,0012,0017,001b,0023,0029,002b,002d,0033,4469,fe0d,ff01_0403,0804,0401,0503,0805,0501,0806,0601 | Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/130.0.0.0 Mobile Safari/537.36 |
| Android (Firefox) | 8bc88bfe0bd40b49be5cae8597feb9a2 | 771,4865-4867-4866-49195-49199-52393-52392-49196-49200-49162-49161-49171-49172-156-157-47-53,0-23-65281-10-11-35-16-5-34-51-43-13-45-28-27-65037,29-23-24-25-256-257,0 | 54d3e8667a6b6db7fa9367de7ec127de | 771,4865-4867-4866-49195-49199-52393-52392-49196-49200-49162-49161-49171-49172-156-157-47-53,0-5-10-11-13-16-23-27-28-34-35-43-45-51-65037-65281,29-23-24-25-256-257,0 | t13d1716h2_5b57614c22b0_eeeea6562960 | t13d1716h2_002f,0035,009c,009d,1301,1302,1303,c009,c00a,c013,c014,c02b,c02c,c02f,c030,cca8,cca9_0005,000a,000b,000d,0017,001b,001c,0022,0023,002b,002d,0033,fe0d,ff01_0403,0503,0603,0804,0805,0806,0401,0501,0601,0203,0201 | Mozilla/5.0 (Android 14; Mobile; rv:132.0) Gecko/132.0 Firefox/132.0 |
| iPhone | 773906b0efdefa24a7f2b8eb6985bf37 | 771,4865-4866-4867-49196-49195-52393-49200-49199-52392-49162-49161-49172-49171-157-156-53-47-49160-49170-10,0-23-65281-10-11-16-5-13-18-51-45-43-27-21,29-23-24-25,0 | 44f7ed5185d22c92b96da72dbe68d307 | 771,4865-4866-4867-49196-49195-52393-49200-49199-52392-49162-49161-49172-49171-157-156-53-47-49160-49170-10,0-5-10-11-13-16-18-21-23-27-43-45-51-65281,29-23-24-25,0 | t13d2014h1_a09f3c656075_14788d8d241b | t13d2014h1_000a,002f,0035,009c,009d,1301,1302,1303,c008,c009,c00a,c012,c013,c014,c02b,c02c,c02f,c030,cca8,cca9_0005,000a,000b,000d,0012,0015,0017,001b,002b,002d,0033,ff01_0403,0804,0401,0503,0203,0805,0805,0501,0806,0601,0201 | Mozilla/5.0 (iPhone; CPU iPhone OS 18_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/18.1 Mobile/15E148 Safari/604.1 |
| Squid proxy server | Passed through from the application that uses the proxy | | | | | | |
| Python (requests, Windows) | a48c0d5f95b1ef98f560f324fd275da1 | 771,4866-4867-4865-49196-49200-49195-49199-52393-52392-49188-49192-49187-49191-159-158-107-103-255,0-11-10-16-22-23-49-13-43-45-51-21,29-23-30-25-24-256-257-258-259-260,0-1-2 | 62fcc66dfa1611e219a93df2d1bb1b24 | 771,4866-4867-4865-49196-49200-49195-49199-52393-52392-49188-49192-49187-49191-159-158-107-103-255,0-10-11-13-16-21-22-23-43-45-49-51,29-23-30-25-24-256-257-258-259-260,0-1-2 | t13d1812h1_85036bcba153_b26ce05bbdd6 | t13d1812h1_0067,006b,009e,009f,00ff,1301,1302,1303,c023,c024,c027,c028,c02b,c02c,c02f,c030,cca8,cca9_000a,000b,000d,0015,0016,0017,002b,002d,0031,0033_0403,0503,0603,0807,0808,0809,080a,080b,0804,0805,0806,0401,0501,0601,0303,0301,0302,0402,0502,0602 | python-requests/2.32.3 |
| Python (requests, Linux) | 47175ad2a36618e885e11d5dbe61a201 | 771,4866-4867-4865-49196-49200-49195-49199-52393-52392-159-158-52394-49325-49324-49188-49192-49187-49191-49162-49172-49161-49171-49311-49310-107-103-57-51-157-156-49309-49308-61-60-53-47,65281-0-11-10-16-22-23-49-13-43-45-51-21,29-23-30-25-24-256-257-258-259-260,0-1-2 | 3dad9b940b32a516735f72ca85f7bcac | 771,4866-4867-4865-49196-49200-49195-49199-52393-52392-159-158-52394-49325-49324-49188-49192-49187-49191-49162-49172-49161-49171-49311-49310-107-103-57-51-157-156-49309-49308-61-60-53-47,0-10-11-13-16-21-22-23-43-45-49-51-65281,29-23-30-25-24-256-257-258-259-260,0-1-2 | t13d3613h1_bcee18a5b459_e10b9050f4c9 | t13d3613h1_002f,0033,0035,0039,003c,003d,0067,006b,009c,009d,009e,009f,1301,1302,1303,c009,c00a,c013,c014,c023,c024,c027,c028,c02b,c02c,c02f,c030,c09c,c09d,c09e,c09f,c0ac,c0ad,cca8,cca9,ccaa_000a,000b,000d,0015,0016,0017,002b,002d,0031,0033,ff01_0403,0503,0603,0807,0808,081a,081b,081c,0809,080a,080b,0804,0805,0806,0401,0501,0601,0303,0301,0302,0402,0502,0602 | python-requests/2.32.3 |
| PowerShell (Invoke-WebRequest, Windows) (first connection) | 68b3ecfaf0034bb9fcbecd518b5ab8d4 | 771,4866-4865-49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47,0-43-13-35-10-11-51-49-23-65281-45,29-23-24,0 | fcc54fa6dc5ae1f61346221b10bc8680 | 771,4866-4865-49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47,0-10-11-13-23-35-43-45-49-51-65281,29-23-24,0 | t13d201100_2b729b4bf6f3_36bf25f296df | t13d201100_002f,0035,003c,003d,009c,009d,1301,1302,c009,c00a,c013,c014,c023,c024,c027,c028,c02b,c02c,c02f,c030_000a,000b,000d,0017,0023,002b,002d,0031,0033,ff01_0804,0805,0806,0401,0501,0201,0403,0503,0203,0202,0601,0603 | Mozilla/5.0 (Windows NT 10.0; Microsoft Windows 10.0.22631; en-US) PowerShell/7.4.6 |
| PowerShell (Invoke-WebRequest, Windows) (reconnection) | 6ad69cecca55b3321a3261b1ae4aaab1 | 771,4866-4865-49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47,0-43-13-35-10-11-51-49-23-65281-45-41,29-23-24,0 | 9174d0d3b2705371807708013561fd0b | 771,4866-4865-49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47,0-10-11-13-23-35-41-43-45-49-51-65281,29-23-24,0 | t13d201200_2b729b4bf6f3_89322cc15493 | t13d201200_002f,0035,003c,003d,009c,009d,1301,1302,c009,c00a,c013,c014,c023,c024,c027,c028,c02b,c02c,c02f,c030_000a,000b,000d,0017,0023,0029,002b,002d,0031,0033,ff01_0804,0805,0806,0401,0501,0201,0403,0503,0203,0202,0601,0603 | Mozilla/5.0 (Windows NT 10.0; Microsoft Windows 10.0.22631; en-US) PowerShell/7.4.6 |
| PowerShell (Invoke-WebRequest, Linux) (first connection) | fa6f215f4de3751f6cb7cac85602ab67 | 771,4866-4867-4865-49196-49195-49200-49199-49188-49187-49192-49191,65281-0-11-10-35-5-22-23-13-43-45-51,29-23-30-25-24-256-257-258-259-260,0-1-2 | eb1003f00e5d28ee81d9ee24d357e5d5 | 771,4866-4867-4865-49196-49195-49200-49199-49188-49187-49192-49191,0-5-10-11-13-22-23-35-43-45-51-65281,29-23-30-25-24-256-257-258-259-260,0-1-2 | t13d111200_c5d436628c5c_a6f532063c55 | t13d111200_1301,1302,1303,c023,c024,c027,c028,c02b,c02c,c02f,c030_0005,000a,000b,000d,0016,0017,0023,002b,002d,0033,ff01_0403,0503,0603,0807,0808,081a,081b,081c,0809,080a,080b,0804,0805,0806,0401,0501,0601,0303,0301,0302,0402,0502,0602 | Mozilla/5.0 (Linux; Arch Linux; en-US) PowerShell/7.4.6 |
| PowerShell (Invoke-WebRequest, Linux) (reconnection) | 12c6febee80767b58544b96f2a309026 | 771,4866-4867-4865-49196-49195-49200-49199-49188-49187-49192-49191,65281-0-11-10-35-5-22-23-13-43-45-51-41,29-23-30-25-24-256-257-258-259-260,0-1-2 | 31ee3d9feeab3716116b2468d3fc2244 | 771,4866-4867-4865-49196-49195-49200-49199-49188-49187-49192-49191,0-5-10-11-13-22-23-35-41-43-45-51-65281,29-23-30-25-24-256-257-258-259-260,0-1-2 | t13d111300_c5d436628c5c_580f1b29fba7 | t13d111300_1301,1302,1303,c023,c024,c027,c028,c02b,c02c,c02f,c030_0005,000a,000b,000d,0016,0017,0023,0029,002b,002d,0033,ff01_0403,0503,0603,0807,0808,081a,081b,081c,0809,080a,080b,0804,0805,0806,0401,0501,0601,0303,0301,0302,0402,0502,0602 | Mozilla/5.0 (Linux; Arch Linux; en-US) PowerShell/7.4.6 |
| PHP (file_get_contents, Windows) | a468eae2a82cd86fea9fd0c541ed8ff0 | 771,4866-4867-4865-49199-49195-49200-49196-158-162-163-159-49191-49187-49171-49161-49192-49188-49172-49162-103-51-64-107-56-57-156-157-49326-49324-49314-49310-50-49312-49308-60-47-49327-49325-49315-49311-106-49313-49309-61-53-52393-52392-52394-49245-49249-49239-49235-49244-49248-49238-49234-49267-49271-196-195-49266-49270-190-189-136-135-69-68-49233-49232-192-186-132-65-255,0-11-10-35-22-23-13-43-45-51-21,29-23-30-25-24-256-257-258-259-260,0-1-2 | 0bae95ba86cab1d4e0fe0db9339f1519 | 771,4866-4867-4865-49199-49195-49200-49196-158-162-163-159-49191-49187-49171-49161-49192-49188-49172-49162-103-51-64-107-56-57-156-157-49326-49324-49314-49310-50-49312-49308-60-47-49327-49325-49315-49311-106-49313-49309-61-53-52393-52392-52394-49245-49249-49239-49235-49244-49248-49238-49234-49267-49271-196-195-49266-49270-190-189-136-135-69-68-49233-49232-192-186-132-65-255,0-10-11-13-21-22-23-35-43-45-51,29-23-30-25-24-256-257-258-259-260,0-1-2 | t13d751100_479067518aa3_d41ae481755e | t13d751100_002f,0032,0033,0035,0038,0039,003c,003d,0040,0041,0044,0045,0067,006a,006b,0084,0087,0088,009c,009d,009e,009f,00a2,00a3,00ba,00bd,00be,00c0,00c3,00c4,00ff,1301,1302,1303,c009,c00a,c013,c014,c023,c024,c027,c028,c02b,c02c,c02f,c030,c050,c051,c052,c053,c056,c057,c05c,c05d,c060,c061,c072,c073,c076,c077,c09c,c09d,c09e,c09f,c0a0,c0a1,c0a2,c0a3,c0ac,c0ad,c0ae,c0af,cca8,cca9,ccaa_000a,000b,000d,0015,0016,0017,0023,002b,002d,0033_0403,0503,0603,0807,0808,0809,080a,080b,0804,0805,0806,0401,0501,0601,0303,0301,0302,0402,0502,0602 | |
| PHP (file_get_contents, Linux) | fc1b1608487e90882a99f985570f3398 | 771,4866-4867-4865-49199-49195-49200-49196-158-162-163-159-49191-49187-49171-49161-49192-49188-49172-49162-103-51-64-107-56-57-156-157-49324-49310-50-49308-60-47-49325-49311-106-49309-61-53-52393-52392-52394-49245-49249-49239-49235-49244-49248-49238-49234-49267-49271-196-195-49266-49270-190-189-136-135-69-68-49233-49232-192-186-132-65,65281-0-11-10-35-22-23-13-43-45-51-21,29-23-30-25-24-256-257-258-259-260,0-1-2 | d05baa862687f2cb8f8a74248b3d4ebe | 771,4866-4867-4865-49199-49195-49200-49196-158-162-163-159-49191-49187-49171-49161-49192-49188-49172-49162-103-51-64-107-56-57-156-157-49324-49310-50-49308-60-47-49325-49311-106-49309-61-53-52393-52392-52394-49245-49249-49239-49235-49244-49248-49238-49234-49267-49271-196-195-49266-49270-190-189-136-135-69-68-49233-49232-192-186-132-65,0-10-11-13-21-22-23-35-43-45-51-65281,29-23-30-25-24-256-257-258-259-260,0-1-2 | t13d681200_13e0e9e1c501_0b298858d6c1 | t13d681200_002f,0032,0033,0035,0038,0039,003c,003d,0040,0041,0044,0045,0067,006a,006b,0084,0087,0088,009c,009d,009e,009f,00a2,00a3,00ba,00bd,00be,00c0,00c3,00c4,1301,1302,1303,c009,c00a,c013,c014,c023,c024,c027,c028,c02b,c02c,c02f,c030,c050,c051,c052,c053,c056,c057,c05c,c05d,c060,c061,c072,c073,c076,c077,c09c,c09d,c09e,c09f,c0ac,c0ad,cca8,cca9,ccaa_000a,000b,000d,0015,0016,0017,0023,002b,002d,0033,ff01_0403,0503,0603,0807,0808,081a,081b,081c,0809,080a,080b,0804,0805,0806,0401,0501,0601,0303,0301,0302,0402,0502,0602 | |
| PHP (cURL, Windows) | | | | | | | |
| PHP (cURL, Linux) | | | | | | | |
| Tor | c79653a3a53172c2304e6da72cd7aa2a | 771,4865-4867-4866-49195-49199-52393-52392-49196-49200-156-157,0-23-65281-10-11-16-5-34-51-43-13-28-21,29-23-24-25-256-257,0 | 0d918d348f893db516ba41ef6a22f5bf | 771,4865-4867-4866-49195-49199-52393-52392-49196-49200-156-157,0-5-10-11-13-16-21-23-28-34-43-51-65281,29-23-24-25-256-257,0 | t13d1113h2_47af8f603342_f81080dfc557 | t13d1113h2_009c,009d,1301,1302,1303,c02b,c02c,c02f,c030,cca8,cca9_0005,000a,000b,000d,0015,0017,001c,0022,002b,0033,ff01_0403,0503,0603,0804,0805,0806,0401,0501,0601,0203,0201 | Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0 |
sqlmap              
WhatWeb              
WPScan              
cURL 5ba6f86deff79afc9902f9927d1c1697 771,4866-4867-4865-49196-49200-159-52393-52392-52394-49195-49199-158-49188-49192-107-49187-49191-103-49162-49172-57-49161-49171-51-157-156-61-60-53-47,65281-0-11-10-16-22-23-49-13-43-45-51-21,29-23-30-25-24-256-257-258-259-260,0-1-2 36c45da3fc87b9fa46fae4e199884130 771,4866-4867-4865-49196-49200-159-52393-52392-52394-49195-49199-158-49188-49192-107-49187-49191-103-49162-49172-57-49161-49171-51-157-156-61-60-53-47,0-10-11-13-16-21-22-23-43-45-49-51-65281,29-23-30-25-24-256-257-258-259-260,0-1-2 t13d3013h2_1d37bd780c83_e10b9050f4c9 t13d3013h2_002f,0033,0035,0039,003c,003d,0067,006b,009c,009d,009e,009f,1301,1302,1303,c009,c00a,c013,c014,c023,c024,c027,c028,c02b,c02c,c02f,c030,cca8,cca9,ccaa_000a,000b,000d,0015,0016,0017,002b,002d,0031,0033,ff01_0403,0503,0603,0807,0808,081a,081b,081c,0809,080a,080b,0804,0805,0806,0401,0501,0601,0303,0301,0302,0402,0502,0602 curl/8.10.1
wget ac9e51091379e0dddbfbb33edd96398f 771,4866-4867-4865-4868-49196-52393-49325-49162-49195-49324-49161-49200-52392-49172-49199-49171-157-49309-53-156-49308-47-159-52394-49311-57-158-49310-51,11-28-51-10-35-5-45-0-49-13-65281-43-21,23-24-25-29-30-256-257-258-259-260,0 aeaf2f865911f886e3f721156a5f552e 771,4866-4867-4865-4868-49196-52393-49325-49162-49195-49324-49161-49200-52392-49172-49199-49171-157-49309-53-156-49308-47-159-52394-49311-57-158-49310-51,0-5-10-11-13-21-28-35-43-45-49-51-65281,23-24-25-29-30-256-257-258-259-260,0 t13d291300_723694b0fccc_899037bd0b8c t13d291300_002f,0033,0035,0039,009c,009d,009e,009f,1301,1302,1303,1304,c009,c00a,c013,c014,c02b,c02c,c02f,c030,c09c,c09d,c09e,c09f,c0ac,c0ad,cca8,cca9,ccaa_0005,000a,000b,000d,0015,001c,0023,002b,002d,0031,0033,ff01_0401,0809,0804,0403,0807,0501,080a,0805,0503,0808,0601,080b,0806,0603,0201,0203 Wget/1.24.5
GoLang              
ngrok (Win/Lin)              
openssl (s_client) caf4ec11cce2d9dba8e2575080fc4dfb 771,4866-4867-4865-49196-49200-159-52393-52392-52394-49195-49199-158-49188-49192-107-49187-49191-103-49162-49172-57-49161-49171-51-157-156-61-60-53-47,65281-0-11-10-35-22-23-13-43-45-51,29-23-30-25-24-256-257-258-259-260,0-1-2 b993a03dac6e9e9770c5c542315b64f2 771,4866-4867-4865-49196-49200-159-52393-52392-52394-49195-49199-158-49188-49192-107-49187-49191-103-49162-49172-57-49161-49171-51-157-156-61-60-53-47,0-10-11-13-22-23-35-43-45-51-65281,29-23-30-25-24-256-257-258-259-260,0-1-2 t13d301100_1d37bd780c83_ef4b9b248d72 t13d301100_002f,0033,0035,0039,003c,003d,0067,006b,009c,009d,009e,009f,1301,1302,1303,c009,c00a,c013,c014,c023,c024,c027,c028,c02b,c02c,c02f,c030,cca8,cca9,ccaa_000a,000b,000d,0016,0017,0023,002b,002d,0033,ff01_0403,0503,0603,0807,0808,081a,081b,081c,0809,080a,080b,0804,0805,0806,0401,0501,0601,0303,0301,0302,0402,0502,0602  
testssl.sh              
SSLyze              
WSL Ubuntu              
Puppeteer              
curl_chrome116 ddf2256b916f994a5f4412d3caa096f0 771,4865-4866-4867-49195-49199-49196-49200-52393-52392-49171-49172-156-157-47-53,23-18-27-45-43-0-65281-51-11-17513-13-16-35-10-5-21,29-23-24,0 aa56c057ad164ec4fdcb7a5a283be9fc 771,4865-4866-4867-49195-49199-49196-49200-52393-52392-49171-49172-156-157-47-53,0-5-10-11-13-16-18-21-23-27-35-43-45-51-17513-65281,29-23-24,0 t13d1516h2_8daaf6152771_e5627efa2ab1 t13d1516h2_002f,0035,009c,009d,1301,1302,1303,c013,c014,c02b,c02c,c02f,c030,cca8,cca9_0005,000a,000b,000d,0012,0015,0017,001b,0023,002b,002d,0033,4469,ff01_0403,0804,0401,0503,0805,0501,0806,0601 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36
Nmap              
HTTrack (WinHTTrack / WebHTTrack)              
Telegram Pretends to be HTTP traffic, although it transmits encrypted data: ja4.ja4h == "po11nn07enus_99eca2ca61a8_000000000000_000000000000"
Viber 57fbe0aefee44901190849b0e877a5e1 771,4866-4867-4865-49196-49200-159-52393-52392-52394-49195-49199-158-49188-49192-107-49187-49191-103-49162-49172-57-49161-49171-51-173-171-52398-52397-52396-157-169-52395-172-170-156-168-61-60-49208-49206-183-179-149-145-53-175-141-49207-49205-182-178-148-144-47-174-140-255,0-11-10-35-22-23-13-43-45-51-21,29-23-30-25-24,0-1-2 2d384510d2e6e07594ac35e5188e66c9 771,4866-4867-4865-49196-49200-159-52393-52392-52394-49195-49199-158-49188-49192-107-49187-49191-103-49162-49172-57-49161-49171-51-173-171-52398-52397-52396-157-169-52395-172-170-156-168-61-60-49208-49206-183-179-149-145-53-175-141-49207-49205-182-178-148-144-47-174-140-255,0-10-11-13-21-22-23-35-43-45-51,29-23-30-25-24,0-1-2 t13d571100_131602cb7446_d41ae481755e t13d571100_002f,0033,0035,0039,003c,003d,0067,006b,008c,008d,0090,0091,0094,0095,009c,009d,009e,009f,00a8,00a9,00aa,00ab,00ac,00ad,00ae,00af,00b2,00b3,00b6,00b7,00ff,1301,1302,1303,c009,c00a,c013,c014,c023,c024,c027,c028,c02b,c02c,c02f,c030,c035,c036,c037,c038,cca8,cca9,ccaa,ccab,ccac,ccad,ccae_000a,000b,000d,0015,0016,0017,0023,002b,002d,0033_0403,0503,0603,0807,0808,0809,080a,080b,0804,0805,0806,0401,0501,0601,0303,0301,0302,0402,0502,0602  
WhatsApp              
MySQL              
Heritrix              
Evilginx              

NOTE: I am gradually filling the table – if I missed any interesting applications with HTTPS support, please write in the comments.

It is worth noting that web browsers based on Google Chrome / Chromium have the same TLS fingerprints. Other applications, programming languages and libraries have unique TLS fingerprints.

2.5 Client TLS fingerprints may change in new software versions

Please note that the client TLS fingerprint is not something completely unchangeable.

We have already mentioned TLS session resumption and the fact that a client can have 2 constant TLS fingerprints.

It is also important to note that TLS fingerprints are not something predetermined for all software versions. If a client has updated the TLS library, then there is a high probability that its TLS fingerprints have changed.

At the same time, TLS, and especially its extensions, are currently developing rapidly and changing quite often.

For example, for web browsers, the TLS fingerprint may change with each new version. For Google Chrome, TLS fingerprints changed in the following major versions:

  • 99
  • 100
  • 101
  • 104
  • 107
  • 110
  • 116

For Firefox, TLS fingerprints changed in the following major versions:

  • 91esr
  • 95
  • 98
  • 100
  • 102
  • 109
  • 117

That is, TLS fingerprints change quite often, with almost every major version of the web browser.

The situation is similar with programming languages and other programs and utilities: new major versions often bring changes to the TLS fingerprints and to all of the hashes.

On the one hand, this opens up opportunities to increase the accuracy of determining not only the type, but also the version of the client. On the other hand, this requires constant updating of the JA3, JA3N and JA4 hash database.
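One way to keep a hash database useful between updates is to fall back to the individual underscore-separated parts of a JA4 value when the full fingerprint is not in the database. The Python below is an added example, not code from this article or from the JA4 project: the function names and the two "drifted" sample fingerprints are constructed, and the database entries are copied from the table above.

```python
from typing import Dict, List, Tuple

# JA4 values and labels copied from the table on this page.
KNOWN_JA4: Dict[str, str] = {
    "t13d3013h2_1d37bd780c83_e10b9050f4c9": "cURL",
    "t13d301100_1d37bd780c83_ef4b9b248d72": "openssl (s_client)",
    "t13d751100_479067518aa3_d41ae481755e": "PHP (file_get_contents, Windows)",
    "t13d571100_131602cb7446_d41ae481755e": "Viber",
    "t13d1113h2_47af8f603342_f81080dfc557": "Tor",
}

# Constructed samples (not real captures): one known part combined with made-up parts.
DRIFTED_CIPHERS_KEPT = "t13d3113h2_1d37bd780c83_aaaaaaaaaaaa"
DRIFTED_EXTS_KEPT = "t13d601100_bbbbbbbbbbbb_d41ae481755e"


def split_ja4(ja4: str) -> Tuple[str, str, str]:
    """Split a JA4 string into its three parts: a (header), b (ciphers), c (extensions)."""
    parts = ja4.strip().lower().split("_")
    if len(parts) != 3 or len(parts[0]) != 10 or any(len(p) != 12 for p in parts[1:]):
        raise ValueError(f"not a JA4 fingerprint: {ja4!r}")
    return parts[0], parts[1], parts[2]


def classify(ja4: str, db: Dict[str, str] = KNOWN_JA4) -> Tuple[str, List[Tuple[str, str]]]:
    """Return ("exact" | "partial" | "unknown", [(label, matched_part), ...])."""
    a, b, c = split_ja4(ja4)
    key = "_".join((a, b, c))
    if key in db:
        return "exact", [(db[key], "a_b_c")]
    hits: List[Tuple[str, str]] = []
    for known, label in db.items():
        _, known_b, known_c = split_ja4(known)
        matched = [name for name, mine, theirs in (("b", b, known_b), ("c", c, known_c))
                   if mine == theirs]
        if matched:
            hits.append((label, "+".join(matched)))
    return ("partial" if hits else "unknown"), hits


if __name__ == "__main__":
    for sample in ("t13d1113h2_47af8f603342_f81080dfc557",
                   DRIFTED_CIPHERS_KEPT, DRIFTED_EXTS_KEPT):
        print(sample, classify(sample))
```

A partial match is only a triage hint that the client shares a cipher list or extension set with a known entry; it does not identify the application, as the cURL/openssl and PHP/Viber pairs from the table show.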

2.6 TLS fingerprinting of QUIC clients

QUIC (short for Quick UDP Internet Connections; pronounced quick) is an Internet protocol developed by Google in late 2012.

QUIC allows multiplexing of multiple data streams between two computers, working on top of the UDP protocol, and contains encryption capabilities equivalent to TLS and SSL. It has lower connection and transmission latency than TCP. It tolerates the loss of some packets well by aligning the boundaries of cryptographic blocks with the boundaries of packets. The protocol includes the ability to perform forward (predictive) error correction at the packet level, but in practice it is disabled.

TLS fingerprinting of clients (JA3 and JA4 hashes for QUIC protocol):

tls.handshake.ja3 && quic
tls.handshake.ja4 && quic

JA3 and JA4 hashes of TLS protocol without QUIC:

tls.handshake.ja3 && ! quic
tls.handshake.ja4 && ! quic
