FoxIO-LLC / ja4

JA4+ is a suite of network fingerprinting standards
https://foxio.io

ja4_r extension numbers #129

Closed 0xKilty closed 1 week ago

0xKilty commented 2 weeks ago

In the third part of ja4_r (the extensions), there are these numbers that are then hashed and truncated into a ja4.

For example, they look like:

..._00000403,00000503,00000603,00000804,00000806,00000401,00000501,00000601,00000203,00000201

I would like to know which extension in the IANA Transport Layer Security (TLS) Extensions Table these numbers refer to.

Thanks.

noeltimothy commented 1 week ago

The third part refers to the following according to the JA4 spec (truncated sha256 hash of the list of extensions sorted, SNI and ALPN removed, followed by the list of signature algorithms).

Hence, this correlates to https://www.rfc-editor.org/rfc/rfc8446.html
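The layout described in the answer above, as an added example that is not part of the original thread or the ja4 project's code: it splits a raw third section into extensions and signature algorithms, names the signature algorithms using the RFC 8446 section 4.2.3 SignatureScheme code points, and rebuilds and hashes a section. The function names, the constructed extension list in the test, the 4-hex-digit lowercase formatting and the 12-character truncation length are assumptions, not taken from the thread.

```python
import hashlib

# Subset of the RFC 8446 section 4.2.3 SignatureScheme registry.
SIGNATURE_SCHEMES = {
    0x0201: "rsa_pkcs1_sha1",
    0x0203: "ecdsa_sha1",
    0x0401: "rsa_pkcs1_sha256",
    0x0403: "ecdsa_secp256r1_sha256",
    0x0501: "rsa_pkcs1_sha384",
    0x0503: "ecdsa_secp384r1_sha384",
    0x0601: "rsa_pkcs1_sha512",
    0x0603: "ecdsa_secp521r1_sha512",
    0x0804: "rsa_pss_rsae_sha256",
    0x0805: "rsa_pss_rsae_sha384",
    0x0806: "rsa_pss_rsae_sha512",
}
SNI, ALPN = 0x0000, 0x0010  # the two extensions the answer says are removed


def split_section(section):
    """Split 'ext,ext,..._sig,sig,...' into (extensions, signature algorithms)."""
    ext_part, _, sig_part = section.partition("_")
    # Parsing as hex integers accepts both '0403' and the issue's '00000403'.
    to_ints = lambda part: [int(v, 16) for v in part.split(",") if v]
    return to_ints(ext_part), to_ints(sig_part)


def name_signature_algorithms(section):
    """Return the RFC 8446 names of the values after the underscore."""
    _, sigs = split_section(section)
    return [SIGNATURE_SCHEMES.get(s, f"unknown_0x{s:04x}") for s in sigs]


def build_section(extensions, sig_algs):
    """Sort extensions, drop SNI and ALPN, append signature algorithms in order."""
    exts = sorted(e for e in extensions if e not in (SNI, ALPN))
    ext_str = ",".join(f"{e:04x}" for e in exts)
    sig_str = ",".join(f"{s:04x}" for s in sig_algs)
    # Assumption: no underscore is emitted when there are no signature algorithms.
    return ext_str + ("_" + sig_str if sig_algs else "")


def truncated_hash(section, length=12):
    """Truncated sha256 of the raw section; length=12 is an assumption."""
    return hashlib.sha256(section.encode()).hexdigest()[:length]
```
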

noeltimothy commented 1 week ago

Let me know if we can close this out if it has answered your questions.