Open dhw opened 7 months ago
yes, it's interesting and not interesting at the same time; it's under patent and misses important data points of modern TLS
LIKE %_xxx_xxx
, just do fuzzy hash like ssdeep. So I don't think it serves the same purpose as ja3 despite being called ja4; the patent and licensing already killed it, I think
I thought the hash in JA4 was aimed to make it easier to search logs for set parts in a fingerprint instead of a whole md5 hash allowing you to narrow down a client easier and I suppose sell you access to a database.
A good example was this
For example; GreyNoise is an internet listener that identifies internet scanners and is implementing JA4+ into their product. They have an actor who scans the internet with a constantly changing single TLS cipher. This generates a massive amount of completely different JA3 fingerprints but with JA4, only the b part of the JA4 fingerprint changes, parts a and c remain the same. As such, GreyNoise can track the actor by looking at the JA4_ac fingerprint (joining a+c, dropping b).
Tho this does not apply in this situation due to trying to not be unique. The only other thing I have run into is order of headers and correct format.
The databases I have come across don't contain User-Agent and either have just an md5 hash; it would be nice to have the string that makes up the hash with it. Anyways, thanks for letting me know, this will work just fine.
Has anyone tested the fingerprints for this yet?
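The JA4_ac grouping described in the GreyNoise example quoted above, as an added example that is not part of the thread or of any project's code. It assumes the JA4 TLS client layout `a_b_c` (a = 10 characters, b and c = 12 hex characters); the function names, sample IPs and hash values are constructed for illustration.

```python
import re
from collections import defaultdict

# Assumed JA4 TLS client layout: a_b_c, a = 10 chars, b and c = 12 hex chars.
JA4_RE = re.compile(r"^([0-9a-z]{10})_([0-9a-f]{12})_([0-9a-f]{12})$")

def ja4_ac(fp):
    """Return the a+c key (b dropped), or None if fp is not a well-formed JA4."""
    m = JA4_RE.match(fp.strip().lower())
    return f"{m.group(1)}_{m.group(3)}" if m else None

def rotating_clients(records, min_b=3):
    """Group (src, ja4) records by JA4_ac and report keys seen with
    at least min_b distinct b parts, i.e. a client rotating its ciphers."""
    b_parts = defaultdict(set)
    sources = defaultdict(set)
    for src, fp in records:
        key = ja4_ac(fp)
        if key is None:
            continue  # skip malformed or truncated log fields
        b_parts[key].add(fp.strip().lower().split("_")[1])
        sources[key].add(src)
    return {
        key: {"distinct_b": len(bs), "sources": sorted(sources[key])}
        for key, bs in b_parts.items()
        if len(bs) >= min_b
    }

# Constructed sample records (documentation IP ranges, made-up hashes).
SAMPLE = [
    ("198.51.100.7", "t13d0103h2_aaaaaaaaaaaa_0123456789ab"),
    ("198.51.100.7", "t13d0103h2_bbbbbbbbbbbb_0123456789ab"),
    ("198.51.100.9", "t13d0103h2_cccccccccccc_0123456789ab"),
    ("203.0.113.20", "t13d1516h2_8daaf6152771_02713d6af862"),
    ("203.0.113.20", "t13d1516h2_8daaf6152771_02713d6af862"),
    ("203.0.113.44", "not-a-fingerprint"),
]

if __name__ == "__main__":
    for key, info in rotating_clients(SAMPLE).items():
        print(key, info)
```

The three full fingerprints from the rotating client share no whole-string match, but they collapse to a single JA4_ac key; the stable client with one b value is not reported.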