Free online service for scanning TLS fingerprints of client applications (JA3 and JA4 scanner)
TLS Fingerprinting is a technique for obtaining unique fingerprints of clients and servers, allowing you to determine the type of software used (web browser, console utility, bot, malware, etc.).
A TLS (Transport Layer Security) handshake is used for identification. Moreover, the unencrypted part of the transmitted data is used – that is, there is no need to decrypt the data.
A TLS handshake has enough unique features that allow you to identify the client (which software group it belongs to) and, sometimes, even the version of the program.
A TLS fingerprint is a hash obtained by hashing the identifying features of the client or server.
Usually, different groups of clients have different TLS fingerprint values, but sometimes the hash values may coincide for unrelated utilities and programs.
A distinction is made between TLS fingerprints of servers and clients. Sometimes the same program can be both a server (listening for incoming connections) and a client (initiating connections) – for example, this is common among malware that acts as a Command and Control infrastructure (also known as C2 or C&C).
This service will show JA3 and JA4 fingerprints for your web browser.
Description of the output fields:
- JA3 – the original version of the TLS client fingerprint. Currently, the Google Chrome web browser actively resists obtaining this TLS fingerprint – as a result, for the Google Chrome web browser, this value is different every time.
- JA3_FULL – the raw data used to compute the JA3 hash.
- JA3N – an improved version of JA3 – it sorts the part of the data whose order is randomized in Google Chrome, due to which the hash becomes the same for all Google Chrome requests (and other applications that use this method of preventing TLS fingerprinting).
- JA3N_FULL – the raw data used to obtain the JA3N hash.
- JA4 – the next version of the client TLS fingerprint. Currently, for the Google Chrome web browser, it gives the same results.
- JA4_R – the raw data used to compute the JA4 hash.
This service has a variant for console utilities, its address is https://suip.biz/?act=ja4, example of usage:
curl -A 'Chrome' 'https://suip.biz/?act=ja4'
Link to your report: https://suip.biz/?act=report&id=c3b2f73d7711c36faa7c49c513e04431Scan results for: 44.192.67.10
================================================= Your TLS fingerprints: JA3: 15edee9ddf63a0941a98c4bc50eb02be JA3_FULL: 771,4866-4865-4867-49196-49195-52393-49200-52392-49199-49172-49171-157-156-53-47,0-5-10-11-13-50-16-17-23-43-45-51-65281-41,29-23-24-25-30-256-257-258-259-260,0 JA3N: 99c8f8dee1257ab2e2fd557c5350cb1f JA3N_FULL: 771,4866-4865-4867-49196-49195-52393-49200-52392-49199-49172-49171-157-156-53-47,0-5-10-11-13-16-17-23-41-43-45-50-51-65281,29-23-24-25-30-256-257-258-259-260,0 JA4: t13d1514h2_8daaf6152771_fddc3888abdf JA4_R: t13d1514h2_002f,0035,009c,009d,1301,1302,1303,c013,c014,c02b,c02c,c02f,c030,cca8,cca9_0005,000a,000b,000d,0011,0017,0029,002b,002d,0032,0033,ff01_0403,0503,0603,0804,0805,0806,0809,080a,080b,0401,0501,0601,0402,0303,0301,0302,0203,0201,0202 =================================================
Your User Agent:
CCBot/2.0 (https://commoncrawl.org/faq/)
Details:
Parent browser: CCBot
Platform: unknown
Comment: CCBot
Browser: CCBot
Browser maker: CommonCrawl Foundation
Version: 2.0
Major version: 2
Device type: unknown
Device pointing method: unknown
Minor version: 0
Is it a mobile device? No
Is it a tablet? No
Is it a crawler (bot)? Yes