TLS Fingerprinting (JA3/JA4)

A passive network analysis technique that creates a hash fingerprint of a TLS ClientHello message by extracting fields such as TLS version, cipher suites, extensions, elliptic curves, and point formats. JA3 (2017) produces a 32-character MD5 hash; JA4 (2023) improves on JA3 with a more stable, structured fingerprint resistant to trivial evasion. Because a client's TLS stack is consistent across connections, fingerprints reliably identify client libraries (curl, Python requests, Chrome) and are widely used for bot detection, threat hunting, and network traffic classification without decrypting the payload.