What Is a TLS Fingerprint?
Every time your browser connects to a website over HTTPS, it begins with a TLS handshake — a negotiation process where your browser and the server agree on encryption settings. During this handshake, your browser sends a ClientHello message that lists its supported cipher suites, TLS extensions, and other capabilities in a specific order. This combination of values is your TLS fingerprint.
Like a browser fingerprint derived from canvas rendering or fonts, your TLS fingerprint is determined by your browser and its implementation — not by any stored identifier. And like those fingerprinting methods, it can be used to identify and track you. But TLS fingerprinting has a uniquely powerful characteristic: it happens at the network level, before any application-layer privacy protection (like VPNs, proxies, or browser privacy settings) can intervene.
How TLS Works: The ClientHello
To understand TLS fingerprinting, you need to understand the TLS handshake. When your browser connects to a server:
Your browser sends a ClientHello message containing: the TLS version(s) it supports, a list of cipher suites it can use (in order of preference), TLS extensions it supports, and specific extension values (like supported elliptic curves, compression methods, and session resumption data).
The server responds with a ServerHello selecting the mutually supported options.
Both sides complete the handshake and establish an encrypted connection.
The ClientHello is sent in cleartext — it is not encrypted, because the encryption has not yet been established. This means anyone on the network path between you and the server (your ISP, a network administrator, a surveillance system) can read your ClientHello and extract your TLS fingerprint.
JA3: The Standard TLS Fingerprinting Method
JA3 is a widely used TLS fingerprinting algorithm developed by Salesforce researchers in 2017. It creates an MD5 hash from five fields in the ClientHello message:
TLS version number
Cipher suites (decimal values, comma-separated)
TLS extensions (decimal values, comma-separated)
Elliptic curves (for ECDH key exchange)
Elliptic curve point formats
These values are concatenated with hyphens and hashed to produce a 32-character MD5 fingerprint. For example, Chrome's JA3 hash is consistent across all Chrome installations on the same platform with the same version — all Chrome 124 users on Windows produce the same JA3 hash.
This makes JA3 most useful for identifying browser types and detecting anomalous traffic (such as malware communicating through a non-standard TLS implementation) rather than tracking individual users. Combined with other fingerprinting data, however, JA3 still contributes to user identification.
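To make the construction concrete, here is a small JA3 implementation in Python. It is an added example written for this article, not code from the JA3 project or from SpeedIQ. It parses the handshake-layer bytes of a ClientHello, pulls out the five JA3 fields, drops GREASE values (reserved values that browsers randomise per connection and that JA3 ignores), and builds the JA3 string in the layout the JA3 specification defines: the five fields separated by commas, with the values inside each field written in decimal and joined by hyphens, in the order the client sent them. The ClientHello it runs on is constructed by the build_client_hello helper with an invented server name; parse_client_hello, ja3_string and ja3_hash are names chosen here.

```python
import hashlib

# GREASE values (RFC 8701). Browsers insert these reserved values into their
# cipher, extension and group lists and pick a different one per connection;
# JA3 discards them so the fingerprint stays stable across connections.
GREASE = {0x0a0a, 0x1a1a, 0x2a2a, 0x3a3a, 0x4a4a, 0x5a5a, 0x6a6a, 0x7a7a,
          0x8a8a, 0x9a9a, 0xaaaa, 0xbaba, 0xcaca, 0xdada, 0xeaea, 0xfafa}


def _u16_list(data: bytes) -> list:
    """Decode a run of big-endian 16-bit values."""
    return [int.from_bytes(data[i:i + 2], "big") for i in range(0, len(data) - 1, 2)]


def parse_client_hello(hs: bytes) -> dict:
    """Pull the five JA3 fields out of a ClientHello handshake message.

    `hs` starts at the handshake header (type 0x01), i.e. just after the
    5-byte TLS record header. Only the extensions JA3 needs are decoded.
    """
    if hs[0] != 0x01:
        raise ValueError("not a ClientHello handshake message")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    version = int.from_bytes(body[0:2], "big")
    pos = 2 + 32                                    # skip client_random
    pos += 1 + body[pos]                            # skip legacy_session_id
    cs_len = int.from_bytes(body[pos:pos + 2], "big")
    pos += 2
    ciphers = _u16_list(body[pos:pos + cs_len])
    pos += cs_len
    pos += 1 + body[pos]                            # skip compression_methods
    extensions, groups, formats = [], [], []
    if pos + 2 <= len(body):                        # extensions block is optional
        end = pos + 2 + int.from_bytes(body[pos:pos + 2], "big")
        pos += 2
        while pos + 4 <= end:
            etype = int.from_bytes(body[pos:pos + 2], "big")
            elen = int.from_bytes(body[pos + 2:pos + 4], "big")
            data = body[pos + 4:pos + 4 + elen]
            pos += 4 + elen
            extensions.append(etype)
            if etype == 0x000a:                     # supported_groups: u16 len + u16 list
                groups = _u16_list(data[2:])
            elif etype == 0x000b:                   # ec_point_formats: u8 len + u8 list
                formats = list(data[1:])
    return {"version": version, "ciphers": ciphers, "extensions": extensions,
            "groups": groups, "formats": formats}


def ja3_string(ch: dict) -> str:
    """JA3 string: five comma-separated fields; inside a field the values are
    decimal, joined by '-', in the order the client sent them, GREASE removed."""
    def field(values):
        return "-".join(str(v) for v in values if v not in GREASE)
    return ",".join([str(ch["version"]), field(ch["ciphers"]),
                     field(ch["extensions"]), field(ch["groups"]),
                     field(ch["formats"])])


def ja3_hash(ch: dict) -> str:
    """The JA3 fingerprint proper: MD5 of the JA3 string, 32 hex characters."""
    return hashlib.md5(ja3_string(ch).encode()).hexdigest()


# --- constructed sample (not a capture from a real browser) -----------------
def _u16_vector(values: list) -> bytes:
    data = b"".join(v.to_bytes(2, "big") for v in values)
    return len(data).to_bytes(2, "big") + data


def build_client_hello(version: int, ciphers: list, extensions: list) -> bytes:
    """Assemble a minimal ClientHello; `extensions` is a list of (type, payload)."""
    ext = b"".join(t.to_bytes(2, "big") + len(p).to_bytes(2, "big") + p
                   for t, p in extensions)
    body = (version.to_bytes(2, "big") + bytes(32) + b"\x00"   # version, random, empty session id
            + _u16_vector(ciphers)
            + b"\x01\x00"                                      # one compression method: null
            + len(ext).to_bytes(2, "big") + ext)
    return b"\x01" + len(body).to_bytes(3, "big") + body


SAMPLE_HELLO = build_client_hello(
    0x0303,                                                    # legacy_version TLS 1.2 -> 771
    [0x0a0a, 0x1301, 0x1302, 0x1303, 0xc02b, 0xc02f],          # GREASE + five real suites
    [(0x0a0a, b""),                                            # GREASE extension
     (0x0000, b"\x00\x12\x00\x00\x0fexample.invalid"),         # server_name (invented host)
     (0x0017, b""),                                            # extended_master_secret
     (0xff01, b"\x00"),                                        # renegotiation_info
     (0x000a, _u16_vector([0x0a0a, 0x001d, 0x0017, 0x0018])),  # supported_groups
     (0x000b, b"\x01\x00"),                                    # ec_point_formats: uncompressed
     (0x0010, b"\x00\x03\x02h2"),                              # ALPN: h2
     (0x000d, _u16_vector([0x0403, 0x0804, 0x0401])),          # signature_algorithms
     (0x002b, b"\x02\x03\x04")])                               # supported_versions: TLS 1.3

if __name__ == "__main__":
    fields = parse_client_hello(SAMPLE_HELLO)
    print(ja3_string(fields))   # 771,4865-4866-4867-49195-49199,0-23-65281-10-11-16-13-43,29-23-24,0
    print(ja3_hash(fields))
```

Two things worth noticing in the output: the GREASE cipher, extension and group all vanish from the string, so a browser that rotates its GREASE value keeps the same hash; and the version field is the legacy_version (771, TLS 1.2) even though the client offers TLS 1.3 through supported_versions, because JA3 never looks inside that extension.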
JA3S: Server-Side TLS Fingerprinting
JA3S fingerprints the server's response in the TLS handshake — the ServerHello message. It captures the TLS version the server selected and the cipher suite and extensions it chose. JA3S fingerprints are less unique than JA3 but can identify specific server implementations and software stacks. Combined with JA3 (the client fingerprint), a JA3+JA3S pair identifies the specific client and server implementations involved in a connection.
JA4: The Modern Evolution
JA4 is a next-generation TLS fingerprinting method developed in 2023, addressing several limitations of JA3. Key improvements:
Sorted cipher suites: JA4 sorts cipher suites before hashing, making the fingerprint stable across TLS library updates that change ordering without changing supported ciphers
ALPN extension handling: JA4 includes the first and last values of the ALPN (Application-Layer Protocol Negotiation) extension, which identifies the application protocol being negotiated (HTTP/1.1, HTTP/2, HTTP/3)
Separate signature algorithms: JA4 treats signature algorithms as a separate component
Human-readable format: JA4 uses a structured format that is partially human-readable without requiring a lookup table
JA4 is increasingly adopted by security tools, CDNs, and network monitoring systems as a more reliable fingerprinting method than JA3.
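The JA4 construction itself, as an added example in Python written for this article (not FoxIO's reference implementation and not SpeedIQ's tool). It takes the decoded ClientHello fields as a dict and follows the published JA4 layout: part a is the readable summary (transport, highest offered TLS version, whether SNI is present, cipher and extension counts with GREASE removed, and the first and last characters of the first ALPN value, or 00 when there is no ALPN); part b is a truncated SHA-256 over the cipher suites sorted numerically; part c is a truncated SHA-256 over the sorted extensions minus SNI and ALPN, followed by the signature algorithms in their original order. The function also returns the raw, unhashed form (JA4_r in the specification's naming) so the sorted lists can be read directly. The two field sets CHROME_LIKE and MINIMAL_CLIENT are constructed, not captures; the hex fallback for non-alphanumeric ALPN values is this example's reading of the specification.

```python
import hashlib

# GREASE values (RFC 8701); JA4 removes them before counting and hashing.
GREASE = {0x0a0a, 0x1a1a, 0x2a2a, 0x3a3a, 0x4a4a, 0x5a5a, 0x6a6a, 0x7a7a,
          0x8a8a, 0x9a9a, 0xaaaa, 0xbaba, 0xcaca, 0xdada, 0xeaea, 0xfafa}

# TLS version code -> JA4's two-character version field
JA4_VERSION = {0x0304: "13", 0x0303: "12", 0x0302: "11", 0x0301: "10", 0x0300: "s3"}


def _hex_list(values) -> str:
    """Values as 4-digit lowercase hex, comma-separated (JA4's raw form)."""
    return ",".join(f"{v:04x}" for v in values)


def _hash12(raw: str) -> str:
    """Truncated SHA-256 used for parts b and c; an empty list becomes all zeros."""
    return hashlib.sha256(raw.encode()).hexdigest()[:12] if raw else "000000000000"


def _alpn_code(alpn: list) -> str:
    """First and last character of the first ALPN value; '00' when absent."""
    if not alpn:
        return "00"
    first = alpn[0]
    if first[0].isalnum() and first[-1].isalnum():
        return first[0] + first[-1]
    # Non-alphanumeric ALPN values fall back to a hex form; taking the first and
    # last hex digits is this example's reading of the specification (assumption).
    h = first.encode().hex()
    return h[0] + h[-1]


def ja4(ch: dict) -> tuple:
    """Return (ja4, ja4_r). `ch` holds decoded ClientHello fields: transport
    ('tcp'/'quic'), legacy_version, supported_versions, sni (str or None),
    ciphers, extensions, sigalgs (lists of ints in wire order), alpn (list of str)."""
    versions = [v for v in ch.get("supported_versions", []) if v not in GREASE]
    chosen = max(versions) if versions else ch["legacy_version"]
    version = JA4_VERSION.get(chosen, "00")
    ciphers = [c for c in ch["ciphers"] if c not in GREASE]
    exts = [e for e in ch["extensions"] if e not in GREASE]
    # Part a: readable summary. SNI and ALPN still count towards the extension total.
    a = "{}{}{}{:02d}{:02d}{}".format(
        "q" if ch.get("transport") == "quic" else "t", version,
        "d" if ch.get("sni") else "i",
        min(len(ciphers), 99), min(len(exts), 99), _alpn_code(ch.get("alpn", [])))
    # Part b: ciphers sorted numerically, so reordering alone does not change the hash.
    b_raw = _hex_list(sorted(ciphers))
    # Part c: extensions sorted, minus SNI (0x0000) and ALPN (0x0010) which part a
    # already covers, then '_' and the signature algorithms in their original order.
    c_raw = _hex_list(sorted(e for e in exts if e not in (0x0000, 0x0010)))
    sigalgs = [s for s in ch.get("sigalgs", []) if s not in GREASE]
    if sigalgs:
        c_raw += "_" + _hex_list(sigalgs)
    return f"{a}_{_hash12(b_raw)}_{_hash12(c_raw)}", f"{a}_{b_raw}_{c_raw}"


# Constructed field sets (not captures from real browsers).
CHROME_LIKE = {
    "transport": "tcp", "legacy_version": 0x0303,
    "supported_versions": [0x0a0a, 0x0304, 0x0303],
    "sni": "example.invalid",
    "ciphers": [0x0a0a, 0x1301, 0x1302, 0x1303, 0xc02b, 0xc02f, 0xc02c, 0xc030,
                0xcca9, 0xcca8, 0xc013, 0xc014, 0x009c, 0x009d, 0x002f, 0x0035],
    "extensions": [0x0a0a, 0x0000, 0x0017, 0xff01, 0x000a, 0x000b, 0x0023, 0x0010,
                   0x0005, 0x000d, 0x0012, 0x0033, 0x002d, 0x002b, 0x001b, 0x4469, 0x0015],
    "sigalgs": [0x0403, 0x0804, 0x0401, 0x0503, 0x0805, 0x0501, 0x0806, 0x0601],
    "alpn": ["h2", "http/1.1"],
}
MINIMAL_CLIENT = {   # a bare TLS 1.2 library: no SNI, no ALPN, two suites, one extension
    "transport": "tcp", "legacy_version": 0x0303, "sni": None,
    "ciphers": [0xc02f, 0x002f], "extensions": [0x000a],
}

if __name__ == "__main__":
    for name, fields in (("chrome-like", CHROME_LIKE), ("minimal", MINIMAL_CLIENT)):
        fp, raw = ja4(fields)
        print(name, fp)     # chrome-like starts with t13d1516h2_, minimal with t12i020100_
        print(name, raw)
```

Reading the chrome-like output back: t (TCP), 13 (TLS 1.3, taken from supported_versions rather than the legacy version field), d (SNI present), 15 ciphers, 16 extensions, h2 (ALPN). Reversing the cipher list in CHROME_LIKE leaves the fingerprint unchanged, which is the stability property described above; changing the set of ciphers does not.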
JA4+ Fingerprint Suite
JA4 is part of a larger fingerprinting suite called JA4+, which includes:
JA4: TLS client fingerprint
JA4S: TLS server fingerprint
JA4H: HTTP client fingerprint (based on HTTP headers)
JA4L: Light distance fingerprint (network latency-based location estimation)
JA4X: X.509 certificate fingerprint
JA4SSH: SSH traffic fingerprint
Combined, these fingerprints create a comprehensive network-level profile of a connection that can identify specific clients, detect anomalies, and enable network-level tracking independent of application-layer privacy measures.
Who Uses TLS Fingerprinting?
Security and Threat Intelligence
TLS fingerprinting is widely used in cybersecurity for legitimate defensive purposes. Security tools like Suricata, Zeek, and commercial SIEM products use JA3/JA4 to identify malware based on its TLS fingerprint. Malware often has distinctive TLS implementations (using unusual cipher suites or older TLS versions) that differ from legitimate browsers, making fingerprinting a valuable detection method.
CDNs and DDoS Protection
Content delivery networks and DDoS mitigation services (Cloudflare, Akamai, Fastly) use TLS fingerprinting to distinguish legitimate browsers from bots. A request claiming to be Chrome 124 but presenting a TLS fingerprint different from real Chrome is likely from an automated tool or bot. This fingerprinting is a key component of bot detection systems.
Network Surveillance
Because TLS fingerprinting occurs at the network layer and the ClientHello is unencrypted, ISPs, government surveillance systems, and network administrators can fingerprint all TLS connections on their network without decrypting the traffic. This provides information about what software clients are using and can potentially correlate connections to specific users or devices.
Anti-Fraud Systems
Financial services and e-commerce platforms use TLS fingerprinting as part of device identification. If a transaction arrives with a TLS fingerprint that does not match the claimed browser, it may indicate fraud or account takeover.
How TLS Fingerprinting Differs from Browser Fingerprinting
Browser fingerprinting (canvas, WebGL, fonts) occurs at the application layer — JavaScript running in your browser collects and reports data. This means browser-level privacy tools (disabling JavaScript, using Brave's fingerprint protection) can block or randomize it.
TLS fingerprinting occurs at the network layer, before your browser's application code runs. It cannot be blocked by browser extensions, privacy settings, or JavaScript restrictions. Even the Tor Browser has a TLS fingerprint, and a VPN does not change it either — the TLS connection between your browser and the VPN server still presents the same ClientHello.
The only way to change your TLS fingerprint is to use a different browser or modify the TLS library used by your browser.
Encrypted Client Hello (ECH): The Privacy Solution
The IETF TLS working group has developed Encrypted Client Hello (ECH), a TLS extension that encrypts the sensitive portions of the ClientHello — including the Server Name Indication (SNI) that identifies which website you are connecting to. ECH is supported in Chrome and Firefox and is being rolled out across major CDNs.
ECH significantly reduces the value of network-level TLS surveillance by hiding the most privacy-sensitive information. However, it does not eliminate TLS fingerprinting entirely — the outer ClientHello used to establish the ECH session itself has a fingerprint, though it is less distinctive than the full ClientHello.
How to Check Your TLS Fingerprint
SpeedIQ's TLS fingerprint tool shows your current JA3 and JA4 fingerprints. Here is what you can learn from your results:
Your JA3 hash: Compare this to known JA3 databases to see what your browser appears to be at the network level
Your JA4 fingerprint: The structured format reveals your TLS version, number of cipher suites and extensions, and ALPN protocol
Consistency check: If your TLS fingerprint matches the expected fingerprint for your claimed browser, you appear as a legitimate user to bot detection systems
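The consistency check above, and the bot-detection logic the CDN section describes (a request claiming to be Chrome but presenting a non-Chrome fingerprint), come down to one rule: derive the claimed browser family from the User-Agent, then see whether the connection's JA4 belongs to that family's known set. The Python below is an added example written for this article, not SpeedIQ's or any CDN's detection code. It decodes the readable part of a JA4 string into its fields and runs the check over a few constructed JSON access-log lines; the JA4 values in KNOWN_JA4 and in the log are placeholders, not real browser fingerprints, and decode_ja4, browser_family, check_record and scan are names chosen here.

```python
import json
import re

JA4_TLS_VERSIONS = {"13": "1.3", "12": "1.2", "11": "1.1", "10": "1.0",
                    "s3": "SSL 3.0", "s2": "SSL 2.0", "s1": "SSL 1.0"}


def decode_ja4(ja4: str) -> dict:
    """Split a JA4 string (a_b_c) and decode the human-readable 'a' part."""
    parts = ja4.split("_")
    if len(parts) != 3 or len(parts[1]) != 12 or len(parts[2]) != 12:
        raise ValueError(f"malformed JA4: {ja4!r}")
    m = re.fullmatch(r"([tq])(\d\d|s\d)([di])(\d\d)(\d\d)(..)", parts[0])
    if not m:
        raise ValueError(f"malformed JA4_a: {parts[0]!r}")
    proto, ver, sni, n_ciphers, n_exts, alpn = m.groups()
    return {"transport": "quic" if proto == "q" else "tcp",
            "tls_version": JA4_TLS_VERSIONS.get(ver, ver),
            "sni_present": sni == "d",
            "cipher_count": int(n_ciphers), "extension_count": int(n_exts),
            "alpn": alpn, "cipher_hash": parts[1], "extension_hash": parts[2]}


def browser_family(user_agent: str) -> str:
    """Coarse family from the User-Agent string; 'other' when no baseline applies."""
    if "Edg/" in user_agent:
        return "edge"
    if "Chrome/" in user_agent:
        return "chrome"
    if "Firefox/" in user_agent:
        return "firefox"
    if "Safari/" in user_agent and "Version/" in user_agent:
        return "safari"
    return "other"


# Baseline of JA4 values seen from genuine builds of each family. These are
# constructed placeholders; a real deployment fills this from its own traffic.
KNOWN_JA4 = {
    "chrome":  {"t13d1516h2_aaaaaaaaaaaa_bbbbbbbbbbbb"},
    "firefox": {"t13d1715h2_cccccccccccc_dddddddddddd"},
}


def check_record(rec: dict):
    """Return a finding when the User-Agent's family has a baseline and the
    connection's JA4 is not in it; None when consistent or no baseline exists."""
    family = browser_family(rec["user_agent"])
    ja4 = rec["ja4"]
    decoded = decode_ja4(ja4)
    if family in KNOWN_JA4 and ja4 not in KNOWN_JA4[family]:
        return {"client_ip": rec["client_ip"], "claimed": family, "ja4": ja4,
                "tls_version": decoded["tls_version"], "alpn": decoded["alpn"],
                "reason": f"User-Agent claims {family} but JA4 is not a known {family} fingerprint"}
    return None


def scan(log_lines: list) -> list:
    """Run the consistency check over JSON access-log lines."""
    findings = []
    for line in log_lines:
        finding = check_record(json.loads(line))
        if finding:
            findings.append(finding)
    return findings


# Constructed log lines (one JSON object per line, as a reverse proxy might emit).
# IPs are documentation addresses and the JA4 values are placeholders.
SAMPLE_LOG = [
    '{"client_ip": "192.0.2.10", "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36", "ja4": "t13d1516h2_aaaaaaaaaaaa_bbbbbbbbbbbb"}',
    '{"client_ip": "192.0.2.11", "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36", "ja4": "t12d0905h1_eeeeeeeeeeee_ffffffffffff"}',
    '{"client_ip": "192.0.2.12", "user_agent": "Mozilla/5.0 (X11; Linux x86_64; rv:125.0) Gecko/20100101 Firefox/125.0", "ja4": "t13d1715h2_cccccccccccc_dddddddddddd"}',
    '{"client_ip": "192.0.2.13", "user_agent": "curl/8.5.0", "ja4": "t13d0312h2_111111111111_222222222222"}',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(json.dumps(finding))
```

Only the second record is flagged: its User-Agent says Chrome 124, but the JA4 decodes to a TLS 1.2 client offering nine ciphers and five extensions with ALPN http/1.1, nothing like a current Chrome build. The curl line is not flagged because it claims nothing the baseline covers; a deployment that wants to act on unknown clients would add an "other" policy rather than force every family into KNOWN_JA4. Keep the baseline per browser version, since each release can change the ClientHello.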
Practical Implications for Privacy
For most users, TLS fingerprinting is a minor concern compared to cookie-based tracking and browser fingerprinting. However, it matters more in specific contexts:
Anti-bot evasion: Web scraping and automation tools need TLS fingerprints that match legitimate browsers to avoid detection by Cloudflare and similar services
High-risk environments: Journalists, activists, or whistleblowers in environments where network-level surveillance is a concern should be aware that their TLS fingerprint is visible even through a VPN
Understanding bot detection: If you use automation tools and encounter blocks, TLS fingerprint mismatch may be the cause
Frequently Asked Questions
Does a VPN hide my TLS fingerprint?
No. Your TLS fingerprint is visible in the connection between your browser and the VPN server (or between the VPN server and the destination website, depending on the VPN architecture). A VPN does not change how your browser implements TLS. The fingerprint remains the same.
Does using a different browser change my TLS fingerprint?
Yes. Chrome, Firefox, Safari, and Edge all have different TLS implementations and therefore different JA3/JA4 fingerprints. This is one of the few ways to change your network-level TLS fingerprint.
Is TLS fingerprinting used to track me across websites?
TLS fingerprinting alone is not a practical cross-site tracking method for most deployments, because it identifies the browser type rather than an individual user (millions of Chrome users share the same JA3 hash). Combined with other identifiers (IP address, timing data, behavioral patterns), it can contribute to user identification, but it is not the primary tracking mechanism websites use.
What is the difference between JA3 and JA4?
JA3 is the original 2017 method that produces an MD5 hash; it is less stable across browser updates because it includes cipher suite ordering. JA4 is the 2023 evolution that sorts cipher suites, includes ALPN data, and produces a more stable, partially human-readable fingerprint. JA4 is increasingly preferred in security tooling.
Summary
TLS fingerprinting captures your browser's unique signature from the TLS handshake — before any encryption is established. JA3 and JA4 are the standard methods, widely used in security tooling, bot detection, and network surveillance. Unlike browser fingerprinting, TLS fingerprinting cannot be blocked by browser settings or extensions — it occurs at the network layer.
For most users, the practical impact is primarily on bot detection (websites using TLS fingerprints to verify legitimate browsers) and network-level surveillance. Encrypted Client Hello (ECH) is the privacy technology being deployed to reduce the sensitivity of this information.
Use SpeedIQ's TLS fingerprint tool to see your current JA3 and JA4 fingerprints and understand what your browser reveals at the network level before any content is exchanged.
