TIL: How JA4 fingerprinting works

January 10, 2026 ·1 min read #security#networking

JA4 is the successor to JA3 — a way to fingerprint a TLS client from the shape of its ClientHello rather than its content. The clever bit: it’s human-readable and broken into parts you can match on independently.

A JA4 fingerprint is built from:

Protocol + version + SNI flag (e.g. t13d = TLS over TCP, 1.3, with SNI)
Cipher suite count + sorted hash
Extension count + sorted hash

Because the cipher and extension lists are sorted before hashing, JA4 is resilient to the GREASE/randomization tricks that broke JA3. Two requests from the same client library produce the same fingerprint even if the wire order shuffles.

Why I care: it’s a cheap, high-signal feature for behavioral baselining. A fleet of bots all sharing one exotic JA4 stands out instantly against the long tail of real browsers.

← All notes