john-althouse
commented
1 month ago -o is for original ordering, so it doesn't sort the ciphers or extensions. This will produce different, potentially more unique fingerprints. However, due to Chromium's extension randomization, all Chromium browsers will produce different JA4_o fingerprints for every single connection. This is why we sort.
See the bottom of this doc for details: https://github.com/FoxIO-LLC/ja4/blob/main/technical_details/JA4.md
Let me know if you have any other questions!
What is the difference between using original rendering flag (-o) and using --ja4.
Does it produce difference in the output or render differently when the ja4 is produced ?