FoxIO-LLC / ja4

JA4+ is a suite of network fingerprinting standards
https://foxio.io

SNI and ALPN in JA4_ro extension list #40

Closed. satta closed this 5 months ago.

satta commented 6 months ago

I am wondering whether JA4_ro should or should not contain the SNI and/or ALPN extensions. In the Markdown spec (https://github.com/FoxIO-LLC/ja4/blob/main/technical_details/JA4.md#raw-output), the 0010 and 0000 values are listed as part of JA4_ro:

JA4_ro = t13d1516h2_1301,1302,1303,c02b,c02f,c02c,c030,cca9,cca8,c013,c014,009c,009d,002f,0035_001b,0000,0033,0010,4469,0017,002d,000d,0005,0023,0012,002b,ff01,000b,000a,0015_0403,0804,0401,0503,0805,0501,0806,0601

while, for instance, the Rust reference implementation as well as the Zeek one (https://github.com/FoxIO-LLC/ja4/blob/main/zeek/ja4.zeek#L162) seem to always skip these.

Is the example in the Markdown documentation wrong? It would be helpful if the spec clarified whether these two extensions are always to be excluded or whether they should just be excluded from the sorted extension list.

john-althouse commented 6 months ago

Thank you! This is my mistake. The "o" option is intended to output the original values in the original order, less GREASE values.

These values are omitted from the regular JA4 so that the same application would have the same b and c sections of the fingerprint regardless of whether it is going to a domain or an IP, or changing ALPNs.

However, JA4_o and JA4_ro are intended to be used for deep-dive types of investigations and troubleshooting, therefore the values should remain. I will update the spec with this information and will do the same with JA4H as well.
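To make the distinction concrete, the following is an added example written for this page; it is not code from the ja4 repository or its reference implementations. It builds the four variants (JA4, JA4_r, JA4_o, JA4_ro) from the cipher, extension and signature-algorithm lists of the JA4_ro string quoted above. The sorted variants drop SNI (0000) and ALPN (0010) from the extension list before hashing, so the b and c sections stay the same when only the destination name or ALPN changes; the original-order variants keep them and strip only GREASE. The `ja4_a` builder, the 12-character SHA-256 truncation and the all-zero hash for an empty list follow the published spec as I read it; the `alpn` argument, the `SAMPLE_*` lists (constructed from the example in this issue) and all function names are mine.

```python
import hashlib
from typing import Dict, Iterable, List

# Constructed input: the cipher, extension and sigalg lists of the JA4_ro
# example quoted in this issue, in their original ClientHello order.
SAMPLE_CIPHERS = [0x1301, 0x1302, 0x1303, 0xc02b, 0xc02f, 0xc02c, 0xc030,
                  0xcca9, 0xcca8, 0xc013, 0xc014, 0x009c, 0x009d, 0x002f, 0x0035]
SAMPLE_EXTENSIONS = [0x001b, 0x0000, 0x0033, 0x0010, 0x4469, 0x0017, 0x002d,
                     0x000d, 0x0005, 0x0023, 0x0012, 0x002b, 0xff01, 0x000b,
                     0x000a, 0x0015]
SAMPLE_SIGALGS = [0x0403, 0x0804, 0x0401, 0x0503, 0x0805, 0x0501, 0x0806, 0x0601]

SNI, ALPN = 0x0000, 0x0010


def is_grease(value: int) -> bool:
    """RFC 8701 GREASE values have the form 0xXaXa with both bytes equal."""
    return (value & 0x0f0f) == 0x0a0a and (value >> 8) == (value & 0xff)


def hexlist(values: Iterable[int]) -> str:
    return ",".join(f"{v:04x}" for v in values)


def trunc_sha256(text: str) -> str:
    """12-character truncated SHA-256; an empty list hashes to all zeros."""
    if not text:
        return "0" * 12
    return hashlib.sha256(text.encode()).hexdigest()[:12]


def ja4_a(ciphers: List[int], extensions: List[int], alpn: str,
          proto: str = "t", version: str = "13") -> str:
    """JA4_a: protocol, TLS version, SNI present (d) or not (i), cipher and
    extension counts (GREASE already removed, SNI/ALPN still counted), ALPN."""
    sni = "d" if SNI in extensions else "i"
    return f"{proto}{version}{sni}{min(len(ciphers), 99):02d}" \
           f"{min(len(extensions), 99):02d}{alpn}"


def ja4_fingerprints(ciphers: List[int], extensions: List[int],
                     sigalgs: List[int], alpn: str = "h2") -> Dict[str, str]:
    """Return JA4, JA4_r, JA4_o and JA4_ro for one ClientHello."""
    ciphers = [c for c in ciphers if not is_grease(c)]        # GREASE out everywhere
    extensions = [e for e in extensions if not is_grease(e)]
    a = ja4_a(ciphers, extensions, alpn)

    # Sorted variants: SNI and ALPN are removed before sorting/hashing.
    sorted_ciphers = sorted(ciphers)
    sorted_exts = sorted(e for e in extensions if e not in (SNI, ALPN))

    sig = hexlist(sigalgs)

    def c_section(ext_list: List[int]) -> str:
        # Signature algorithms stay in original order; omitted if absent.
        return hexlist(ext_list) + (f"_{sig}" if sigalgs else "")

    return {
        "JA4":    f"{a}_{trunc_sha256(hexlist(sorted_ciphers))}_"
                  f"{trunc_sha256(c_section(sorted_exts))}",
        "JA4_r":  f"{a}_{hexlist(sorted_ciphers)}_{c_section(sorted_exts)}",
        # Original-order variants keep SNI and ALPN in place.
        "JA4_o":  f"{a}_{trunc_sha256(hexlist(ciphers))}_"
                  f"{trunc_sha256(c_section(extensions))}",
        "JA4_ro": f"{a}_{hexlist(ciphers)}_{c_section(extensions)}",
    }


if __name__ == "__main__":
    for name, value in ja4_fingerprints(SAMPLE_CIPHERS, SAMPLE_EXTENSIONS,
                                        SAMPLE_SIGALGS).items():
        print(f"{name:7} {value}")
```

Running it reproduces the JA4_ro string from the spec example exactly, while JA4_r shows the same ClientHello with the list sorted and 0000/0010 gone. Dropping the SNI extension from the input changes only the JA4_a section (d becomes i, 16 becomes 15) and the JA4_o hash; the JA4 c hash is unchanged, which is the property the regular fingerprint is designed for.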

john-althouse commented 6 months ago

Specs updated. We'll work on updating the code.

satta commented 6 months ago

Thanks for the changes to the spec, this makes it much clearer. Will adapt my implementation.