FoxIO-LLC / ja4

JA4+ is a suite of network fingerprinting standards
https://foxio.io

What is the exact license of the software? and the ja4 fingerprint calculation algorithm? #15

Closed adulau closed 12 months ago

adulau commented 1 year ago

What is the exact license of the software? and the ja4 fingerprint calculation algorithm?

There are two licenses in the directory. One seems to be a Berkeley 3-clause but the other seems to be a proprietary one. What about the algorithms, do you grant an RF license?

We have ja3 in MISP and I would like to see if we are safe to implement it.

john-althouse commented 1 year ago

The license for JA4 (TLS Client Fingerprinting) is BSD 3-Clause. The license for JA4+ (which includes JA4S, JA4H, JA4L, JA4X, JA4SSH) is FoxIO License 1.1 which is permissive for most use cases, including for internal business purposes, but is not permissive for monetization. For anyone putting JA4+ in a for-sale product, they just need to contact us for an OEM license.

All of JA4+ can be implemented into open source tools like MISP, so long as the FoxIO license is referenced or linked somewhere. Arkime is an open source tool that is currently implementing JA4+ by having a button to enable or disable it. So if a company were using Arkime to secure their own company, they can use JA4+ freely. If they were productizing and selling Arkime, they could use the JA4+ feature after contacting us for an OEM license, otherwise, they could click the button to turn it off.

If you want, I can set up a call with an open source licensing expert who can answer any questions.

johnthacker commented 1 year ago

I understand how the license applies to the software, but someone could read the technical documents (or observe JA4+ as produced by tools licensing your software) and implement an attempt to produce compatible JA4+ fingerprinting without ever reading your software. That would have nothing to do with the software license.

It could, perhaps, have to do with any patents FoxIO might have on the JA4+ fingerprint calculation algorithm - the FoxIO license (unlike the BSD-3-clause license) includes terms granting a patent license for anything that FoxIO could license related to what the software necessarily infringes, so therefore any patents on the JA4+ fingerprint calculation algorithm, should they exist. An independent reverse engineered implementation would not necessarily have such protection.

So what I, and I think adulau, am wondering is: are there any patents (or pending or intended patent claims) for the JA4+ fingerprint calculation itself that could possibly be infringed by a separate implementation that does not use or inspect the FoxIO JA4+ reference implementation?

john-althouse commented 1 year ago

Yes, @johnthacker you are correct. The FoxIO License is a software and patent license for JA4+ (excluding JA4 TLS Client Fingerprinting). I have made it more clear in the Readme that the methods are patent pending.

For implementation into open source, it would be best practice if the JA4+ code resided in a separate repo with the FoxIO License and called as a plugin utility. But it doesn't have to live in a separate repo. If it is included in the main repo, the FoxIO License should be added to a NOTICE file and a note added to the Readme/License that the source includes utilities with a different license. See Arkime and Wireshark as examples. For GPL, JA4+ would need to act as a separate process, this is only true for GPL licensed projects. For other open source licenses like Apache 2.0, JA4+ can be included in the same process.

Also, if a tool like MISP is not generating JA4+ but merely consuming and sharing JA4+ fingerprints gathered elsewhere, that does not require a license at all. Any tool can do that without question.

jasonish commented 1 year ago

Just to confirm your interpretation, a clean room reimplementation of JA4 (not JA4+) would be clear and free of any patent issues?

adulau commented 1 year ago

Thanks for the answer.

> Also, if a tool like MISP is not generating JA4+ but merely consuming and sharing JA4+ fingerprints gathered elsewhere, that does not require a license at all. Any tool can do that without question.

The problem is that we have misp-modules and extensions which are actually implementing validation or even creation of matching rules. We actually do that for YARA or Sigma, for example. If JA4+ is not free of any patent, we won't be able to implement those. If you plan to apply for a patent (as there is mention of "patent pending"), I would recommend going for the IETF overall strategy: "In general, IETF working groups prefer technologies with no known IPR claims or, for technologies with claims against them, an offer of royalty-free licensing", by granting a royalty-free license to all open source implementations. If there is no royalty-free license, it will be difficult or even impossible for open source authors to comply with the terms of their open source license.

satta commented 1 year ago

Just another aspect worth mentioning: as I already stated in https://redmine.openinfosecfoundation.org/issues/6379, software containing code that is under any sort of license discriminating against fields of endeavor (like commercial use) will also be problematic for downstream packaging, like in Debian and its derived distributions (see #6 of https://www.debian.org/social_contract#guidelines) or Fedora. Such software will be deemed "non-free" and hence be moved to a less accessible section of the distribution unless the respective code is removed (i.e. usually patched out by the packager) from the source carried by the distribution completely.

AFAICS compile-time or runtime switches will not affect this consequence. Having the code as a plugin that runs separately, as outlined in https://github.com/FoxIO-LLC/ja4/issues/15#issuecomment-1769322016, would be appropriate though, if it is also packaged separately.

john-althouse commented 1 year ago

> Just to confirm your interpretation, a clean room reimplementation of JA4 (not JA4+) would be clear and free of any patent issues?

Right, the intention is that JA4 (not JA4+) is open-source BSD 3-Clause, exactly the same as JA3, same license and everything. There should be nothing to prevent the use of JA4 (not JA4+) by anyone for any reason except those listed in the BSD 3-Clause license. If you're running JA3, you can run JA4.

For the rest of JA4+(S,H,L,X,SSH), I'm working with our open source expert attorney to put together a memo that explains exactly how we can work with GPL tools. From what I understand, we can create a separate JA4+ module, with its own repository, that end-users can choose to load into GPL-licensed tools as a Plugin. That would satisfy all licenses and would allow for the use of JA4+, for internal business purposes, royalty-free without concern on GPL licensed tooling.

I know this is unorthodox and I apologize for that. I want to work on this type of stuff full time, developing new methods, ensuring continued support, development, database creation and curation, it requires funds. I hope you can understand. I'm going to work on creating these JA4+ modules for different open source tools so the community can more easily utilize JA4+ for free. It may take a while, but we'll get there!

jasonish commented 1 year ago

> I know this is unorthodox and I apologize for that. I want to work on this type of stuff full time, developing new methods, ensuring continued support, development, database creation and curation, it requires funds. I hope you can understand.

Yes, I fully respect that, no issues there!

adulau commented 1 year ago

Thanks for all the feedback. Can you write somewhere that JA4 is free of any patent? Or that a royalty-free license is given to all open source implementations?

john-althouse commented 1 year ago

> Thanks for all the feedback. Can you write somewhere that JA4 is free of any patent? Or that a royalty-free license is given to all open source implementations?

Yes, I'll shore that up next week. It may require a change to the license. We'll see what the attorneys say.

erik4711 commented 1 year ago

> Also, if a tool like MISP is not generating JA4+ but merely consuming and sharing JA4+ fingerprints gathered elsewhere, that does not require a license at all. Any tool can do that without question.

@john-althouse Does this imply that a commercial tool can read a stream of JA4+ fingerprints from an open source tool without purchasing an OEM license from FoxIO? What if the open sourced JA4+ generating code is delivered with the commercial tool, either as a lib or compiled binary?

john-althouse commented 1 year ago

> > Also, if a tool like MISP is not generating JA4+ but merely consuming and sharing JA4+ fingerprints gathered elsewhere, that does not require a license at all. Any tool can do that without question.
>
> @john-althouse Does this imply that a commercial tool can read a stream of JA4+ fingerprints from an open source tool without purchasing an OEM license from FoxIO? What if the open sourced JA4+ generating code is delivered with the commercial tool, either as a lib or compiled binary?

1. Yes. Any commercial tool can consume a feed of JA4+ fingerprints without a license. That tool could thereby say it "supports" JA4+ fingerprints by building some detection or capabilities around them. If you do that, let me know so I can add the company/tool to the list.

2. Distributing and supporting JA4+ generating code as part of a for-profit company would require an OEM license, and we work amicably with even the smallest one-person companies to ensure that anyone can get a license.

john-althouse commented 1 year ago

@jasonish @adulau @satta @johnthacker Sorry for the delay! The README has been updated to show that FoxIO is not planning to pursue a patent for JA4 TLS Client Fingerprinting, which implies that it is free of any patent issues, as we have no patent for it. The BSD 3-Clause license remains in place!

john-althouse commented 1 year ago

@jasonish @adulau @satta @johnthacker FYI I've added a License FAQ to the repo. Again, I'm happy to set up a meeting with an open source licensing expert if you'd like.

john-althouse commented 12 months ago

With the License FAQ and in talking with several open source authors, it appears all questions have been answered and appropriately documented. Closing.