Skip to content
GProxy
Sign up
Glossary 4 Connection Type: 2 views

JA3 Fingerprint

Explore JA3 fingerprints: how they work to identify TLS client configurations and detect proxy connections. A key aspect of modern security.

Security

A JA3 fingerprint is an MD5 hash derived from specific fields within a TLS Client Hello message, used to uniquely identify the client application or library initiating a TLS connection, thereby serving as a robust method for TLS client fingerprinting and proxy detection.

Understanding TLS Client Fingerprinting

When a client initiates a TLS handshake, it sends a Client Hello message containing various parameters necessary for establishing a secure connection. These parameters include the TLS version, a list of supported cipher suites, extensions, elliptic curves, and elliptic curve formats. The specific combination and order of these parameters are often unique to a particular client application, operating system, and TLS library. This distinct signature allows for the identification of the client, even if other identifying information (like user-agent strings) is modified or absent.

What is a JA3 Fingerprint?

Developed by Salesforce, JA3 is a method to create a standardized fingerprint of the Client Hello message. It focuses on five key fields from the Client Hello:

  1. TLS Version: The highest TLS version the client supports.
  2. Cipher Suites: A comma-separated list of the cipher suites the client supports, ordered by preference.
  3. TLS Extensions: A comma-separated list of TLS extensions the client includes, ordered by type.
  4. Elliptic Curves: A comma-separated list of supported elliptic curves.
  5. Elliptic Curve Formats: A comma-separated list of supported elliptic curve formats.

These five values are concatenated into a single string, using "," as a separator for lists and "-" as a separator between the five main fields. This concatenated string is then hashed using MD5 to produce the final 32-character JA3 fingerprint. The use of MD5 is for brevity and consistency, not cryptographic security.

JA3 Calculation Example

Consider a hypothetical Client Hello with the following parameters:

  • TLS Version: 0x0303 (TLS 1.2)
  • Ciphers: 0xc02c,0xc02b,0xc030,0xc02f,0x009c,0x0095
  • Extensions: 0x0000,0x000b,0x000a,0x0012,0x0023,0x0017,0x0010,0x0035,0xff01,0x000d,0x0005
  • Elliptic Curves: 0x001d,0x0023,0x0024
  • Elliptic Curve Formats: 0x0000,0x0001,0x0002

The concatenated string would be:
769,49164-49163-49168-49167-156-149,0-11-10-18-35-23-16-53-65281-13-5,29-35-36,0-1-2

The MD5 hash of this string would be the JA3 fingerprint, e.g., e66a3d11b302c086d0b604e769494441.

JA3 in Proxy Detection

Proxies, particularly forward proxies and those performing TLS interception, often modify or terminate and re-initiate TLS connections. This process inherently alters the Client Hello message, leading to a JA3 fingerprint that differs from the original client's.

How Proxies Influence JA3 Fingerprints

  • Forward Proxies (HTTPS): When a client connects to an HTTPS proxy, the proxy establishes a new TLS connection to the destination server. The Client Hello message observed by the destination server originates from the proxy software, not the end client. Consequently, the JA3 fingerprint reflects the proxy's TLS stack (e.g., Squid, Nginx, HAProxy, or custom proxy software) rather than the actual browser or application used by the end-user. This discrepancy is a strong indicator of proxy usage.

  • TLS Interception Proxies (MITM): These proxies explicitly terminate the TLS connection from the client and establish a new, separate TLS connection to the destination. This is common in corporate environments for inspection or by malicious actors. The Client Hello sent to the destination server is generated by the interception proxy, resulting in a JA3 fingerprint characteristic of the interception software.

  • SOCKS Proxies: SOCKS proxies can operate at a lower level, tunneling raw TCP connections. If a SOCKS proxy simply forwards the TCP stream without modifying the TLS handshake, the original Client Hello from the client might pass through untouched, and the JA3 fingerprint would remain the same. However, many SOCKS implementations or specific configurations might still terminate and re-initiate TLS or alter header information, leading to a changed JA3.

Identifying Proxies with JA3

By analyzing incoming Client Hello messages, a server can:

  1. Detect Discrepancies: Compare the JA3 fingerprint with other client indicators like the User-Agent header. A User-Agent claiming to be Chrome on Windows, but presenting a JA3 fingerprint known to belong to a proxy server or a specific scraping library, indicates proxy usage or spoofing.
  2. Categorize Traffic: Identify traffic originating from known proxy services, data centers, or botnets that use consistent TLS stacks.
  3. Block/Throttle: Implement policies to block or throttle connections from specific JA3 fingerprints associated with unwanted traffic (e.g., scrapers, bots, or compromised systems).

JA3 vs. JA3S

While JA3 fingerprints the client's Client Hello, JA3S (JA3 Server) fingerprints the server's Server Hello message. JA3S focuses on the TLS version, cipher suite, and extensions from the Server Hello. While useful for identifying server-side TLS implementations, it is less directly applicable to client proxy detection.

Limitations and Evasion Techniques

While powerful, JA3 fingerprinting is not infallible:

  • Spoofing: Sophisticated clients, bots, or proxy services can be configured to intentionally mimic specific JA3 fingerprints, effectively spoofing a legitimate browser. This requires control over the TLS library's Client Hello parameters.
  • TLS Library Updates: Updates to TLS libraries (e.g., OpenSSL, NSS, BoringSSL) or operating systems can alter the Client Hello parameters, changing the JA3 fingerprint for an otherwise identical client. This necessitates continuous monitoring and updating of JA3 signature databases.
  • Library Diversity: Different HTTP client libraries (e.g., Python's requests, Go's net/http, Node.js https) and their underlying TLS implementations (e.g., OpenSSL, GnuTLS, BoringSSL, Go's crypto/tls) will naturally produce distinct JA3 fingerprints.

Common JA3 Fingerprint Variations

| Client Type | Typical JA3 Characteristics JA3 is a powerful tool for identifying and detecting various types of client traffic, particularly within the context of proxy services and bot detection. Knowing how to interpret and mitigate JA3 fingerprints is crucial for both proxy providers and consumers.

Auto-update: 04.03.2026
All Categories

Advantages of our proxies

25,000+ proxies from 120+ countries

Unlimited Proxies Residential Proxies