JA3 and JA4 Fingerprinting Explained: How TLS Reveals Your V
JA3 and JA4 hash the TLS ClientHello to reliably identify the client library. Why Chrome looks different from Firefox, and OpenVPN from both. Full breakdow
JA3 and JA4 Fingerprinting Explained: How TLS Reveals Your VPN Client #
JA3 and JA4 hash the TLS ClientHello to reliably identify the client library. Why Chrome looks different from Firefox, and OpenVPN from both. Full breakdown.
2026-04-22Β·13 min readJA3JA4TLS fingerprintingVPN detectionJA3 and JA4 are two hash-based TLS ClientHello fingerprinting schemes that are used across the network-security industry: censorship systems use them for blocking, CDNs use them for bot detection, and VPN-detection services like IPLogs β use them for classification. This post explains what they are, what they capture, how to compute them, and why they are surprisingly reliable for identifying VPN clients.
What JA3 captures #
A TLS ClientHello contains a large amount of client-specific state:
- TLS version (e.g. 0x0303 for TLS 1.2)
- Cipher suites in a specific order
- TLS extensions in a specific order
- Named elliptic curves (supported groups)
- Elliptic-curve point formats
> JA3 is a one-way hash of the cipher suite order, extension order, and curve preferences. It is small, fast to compute, and difficult to forge without deeply modifying the TLS client.
Computing a JA3 #
The canonical JA3 string for Firefox 119 on macOS looks like:
771,4865-4867-4866-49195-49199-52393-52392-49196-49200,0-23-65281-10-11-35-16-5-34-51-43-13-45-28-21,29-23-24-25-256-257,0
Applying MD5 to that string yields the JA3 hash. Libraries implementing JA3 exist for Go (dreadl0ck/ja3), Rust (s0cks/rust-ja3), Python (salesforce/ja3), and Zeek. The dreadl0ck Go implementation is used internally by IPLogs and is about 29Γ faster than the Python reference.
What JA4 changes #
JA4 was introduced in 2023 by FoxIO. It fixes three limitations of JA3:
- MD5 replaced. JA4 uses the first 12 characters of a truncated hash, increasing readability and enabling partial matching.
- Separate TCP and QUIC variants. JA4 includes a protocol prefix β
tfor TCP,qfor QUIC β so you can distinguish between a client's TLS-over-TCP and TLS-over-QUIC fingerprints without recomputing. - Sorted cipher suites.JA4 sorts the cipher-suite list before hashing, which means minor ordering differences don't produce different hashes. This helps against naive evasion.
Why VPN clients have distinctive fingerprints #
Every major commercial VPN client uses one of a few underlying TLS libraries β and each library produces a narrow set of JA3/JA4 values. Examples observed in IPLogs production:
- OpenVPN over TCP/443 with TLS-crypt emits a JA3 hash distinct from any browser β wrong cipher order, no ALPN, no servername in ClientHello in some configurations.
- WireGuard wrapped in stunnel emits the stunnel OpenSSL JA3 which is a known fingerprint across the industry.
- REALITY-based proxies (Xray, sing-box) are designed to mimic a browser JA3 but do so imperfectly β SNI fuzzing reliably triggers their cert-switch behavior, which is itself a signal.
How IPLogs uses JA3/JA4 #
When a request reaches the IPLogs backend, the Go TLS stack extracts the raw ClientHello and computes both a JA3 and a JA4. The hashes are matched against a curated database of known-VPN fingerprints. A match raises the ja3knownvpn signal at weight 0.7 β high enough on its own to push a verdict tovpnlikely when combined with even one other signal.
Limitations #
JA3/JA4 is deterministic only for the library. The VPN operator who wantsto evade fingerprinting can replace their TLS library's ClientHello field order to mimic a popular browser. This is what modern anti-censorship proxies like Xray/REALITY and VMess WebSocket attempt to do. It works when done precisely; in practice most implementations leave subtle artifacts in extension order or in the server_name field that active probing can still detect.
Try it #
Paste any IP into the home-page checker β and β if the IP maintains a reachable HTTPS service β the engine will collect and classify its JA3/JA4 alongside the other six detection layers. See the API docs β for the exact signal names.
References #
- Althouse, Atkinson, Atkins, "JA3 β A method for profiling SSL/TLS clients", Salesforce Engineering 2017.
- FoxIO, "JA4 β Network fingerprinting standard", 2023.
- dreadl0ck/ja3 (Go implementation used in IPLogs), github.com/dreadl0ck/ja3.
Check any IP against the 7-layer pipeline #
The detection methods described above are all available through the IPLogs public API, free, no signup required.
Try the IP checker β β## More posts
- β How VPN Detection Actually Works β The Research-Backed 7-Layer Method β
- β How to Detect VPN Users in 2026: A Developer's Guide (JavaScript + Server) β
- β We Just Released 9 Free IP Intelligence Datasets (CSV, JSON, Auto-Refreshed) β
- β How the Great Firewall of China Works in 2026 β A Technical Explainer β
Source: iplogs.com β
Canonical source
https://docs.platphormnews.com/docs/ja3-and-ja4-fingerprinting-explained-how-tls-reveals-your-v-61a5
Original source
https://iplogs.com/blog/ja3-ja4-tls-fingerprinting-explained
Source domain
iplogs.com
Publisher
iplogs.com
License / usage
Unknown. Review the original source terms before republishing beyond public-safe excerpts.
Overall quality score, confidence 82%
40 sentences, 10 headings, 18 list items.
Keep source attribution visible in the rendered document.
Related Documentation
Chert | iMessage Infrastructure for Reaching People at Scale
Skip to main content https://docs.platphormnews.com/docs/chert imessage infrastructure for reaching people at scale main content Back to docs https://docs.platphormnews.com/docs Skip to content β https://www.trychert.com
7 min read
SEO Starter Guide: The Basics | Google Search Central | Documentation | Google for Developers
Skip to main content https://developers.google.com/search/docs/fundamentals/seo starter guide main content Google Search Central English Deutsch EspaΓ±ol EspaΓ±ol β AmΓ©rica Latina FranΓ§ais Indonesia Italiano Polski Portugu
22 min read
Chert | iMessage Infrastructure for Reaching People at Scale
Skip to content https://www.trychert.com/ main content New Chert is now live on Hacker News Check it out β https://www.trychert.com/agent Chert https://www.trychert.com/ Home https://www.trychert.com/ Blog https://www.tr
5 min read
Three Inverse Laws of AI - Susam Pal
9 min read
GameStop Proposes to Acquire eBay at $125.00 Per Share | GameStop Corp.
GameStop Corp. (NYSE: GME) today submitted a non-binding proposal to acquire 100% of eBay Inc. (NASDAQ: EBAY) at $125.00 per share in cash and stock. The offer represents a 46% premium to eBayβs unaffected closing price on February 4, 2026, the day GameStop started accumulating its position in eBay. GameStop has built a 5% economic stake in eBay through derivatives and beneficial ownership of common stock. GameStop is filing a Schedule 13D and HSR notification tomorrow. The full proposal letter and accompanying materials are available at investor.gamestop.com/ebay . The proposed offer is $125.00 per share, comprising 50% cash and 50% GameStop common stock, with full shareholder election rights as to consideration type and pro-rata allocation. Aggregate undiluted equity value is approximately $55.5 billion, based on eBayβs most recently disclosed undiluted share count, representing a 27% premium to the 30-day VWAP and a 36% premium to the 90-day VWAP. The transaction is conditioned on
11 min read