phuslu / nginx-ssl-fingerprint

high performance ja3 and http2 fingerprint for nginx.
BSD 2-Clause "Simplified" License

Ja4 Supporting #42

Open yarosman opened 4 months ago

yarosman commented 4 months ago

There exist updates in TLS client fingerprinting technology https://github.com/FoxIO-LLC/ja4/tree/main

phuslu commented 4 months ago

Thanks! I admit that ja4 makes some enhancements/improvements over ja3, but I'd like to wait for it to mature. I think that big tech (e.g. Cloudflare) will merge/support ja4 variants or raise another alternative for it. Let's keep an eye on it.

phuslu commented 4 months ago

A bit related/similar to https://github.com/phuslu/nginx-ssl-fingerprint/issues/13

phuslu commented 4 months ago

Currently I don't like ja4 because it sorts extensions -- randomizing extensions is a feature of new Chrome -- we could distinguish/detect bots on top of it, so we shall not sort. The rest of ja4 LGTM.

yarosman commented 4 months ago

Chrome randomizes extensions, and Firefox will randomize in the future (I read somewhere) - therefore, without ordering, we have cases where on each page reload we get a different ja3, and ja4 fixes it.

ne4u commented 2 months ago

> Currently I don't like ja4 because it sorts extensions -- randomizing extensions is a feature of new Chrome -- we could distinguish/detect bots on top of it, so we shall not sort. The rest of ja4 LGTM.

I agree. Here's why: if you have a client that identifies as a current version of Chrome but does not have a random extension list on subsequent requests, you know it's a bot. An unsorted list can always be sorted later.

But I also agree that the hash by itself is less useful. Just out of curiosity, what happens when FIPS mode is enabled on the system or during compile time, since the md5 function is removed? It seems to me the hash function can be removed and any hash functionality could be done by whatever process consumes the fingerprint data.
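The following is an added example, not part of any comment in this thread and not code from nginx-ssl-fingerprint. It shows a consumer of the raw (unsorted) JA3 string doing its own hashing, deriving an order-insensitive key, and flagging a client that claims a randomizing browser but never changes its extension order. The sample strings, client labels, the `claims_random` flag and the `min_conns` threshold are all constructed assumptions.

```python
import hashlib
from collections import defaultdict

# Constructed samples: (client label, claims a randomizing browser, raw JA3 string).
# JA3 string layout: version,ciphers,extensions,curves,point_formats
# Client A shuffles its extension order per connection; client B never does.
SAMPLES = [
    ("A", True, "771,4865-4866-4867,0-23-65281-10-11,29-23-24,0"),
    ("A", True, "771,4865-4866-4867,65281-0-11-23-10,29-23-24,0"),
    ("A", True, "771,4865-4866-4867,10-11-0-65281-23,29-23-24,0"),
    ("B", True, "771,4865-4866-4867,0-23-65281-10-11,29-23-24,0"),
    ("B", True, "771,4865-4866-4867,0-23-65281-10-11,29-23-24,0"),
    ("B", True, "771,4865-4866-4867,0-23-65281-10-11,29-23-24,0"),
]

def ja3_md5(raw):
    # Classic JA3 hash. usedforsecurity=False (Python 3.9+) requests md5 as a
    # non-security digest, which FIPS-restricted builds may otherwise refuse.
    return hashlib.md5(raw.encode(), usedforsecurity=False).hexdigest()

def sorted_key(raw):
    # Order-insensitive key: sort only the extension field, then SHA-256.
    # This is an illustrative normalization, not the JA4 algorithm.
    fields = raw.split(",")
    if len(fields) != 5:
        raise ValueError("expected 5 comma-separated JA3 fields")
    exts = [e for e in fields[2].split("-") if e]
    fields[2] = "-".join(sorted(exts, key=int))
    return hashlib.sha256(",".join(fields).encode()).hexdigest()[:32]

def analyze(samples, min_conns=3):
    by_client = defaultdict(list)
    for client, claims_random, raw in samples:
        by_client[client].append((claims_random, raw))
    report = {}
    for client, rows in by_client.items():
        raws = [raw for _, raw in rows]
        orders = {raw.split(",")[2] for raw in raws}
        claims = all(flag for flag, _ in rows)
        report[client] = {
            "ja3_hashes": len({ja3_md5(r) for r in raws}),
            "sorted_keys": len({sorted_key(r) for r in raws}),
            # Claims a randomizing browser, yet the order never changed.
            "suspect": claims and len(raws) >= min_conns and len(orders) == 1,
        }
    return report
```

Connections that reuse an existing TLS session produce no new ClientHello, so a real deployment would count only full handshakes toward `min_conns`.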

phuslu commented 2 months ago

For the md5 hash, I removed it after extension randomization was introduced in Chrome, but users soon requested that I reinstate it. See https://github.com/phuslu/nginx-ssl-fingerprint/issues/44 and https://github.com/phuslu/nginx-ssl-fingerprint/pull/46

I suppose that the users maintain/detect legacy bots' ja3 hashes as fingerprints on the nginx side (e.g. lua_shared_dict).

phuslu commented 1 month ago

Cloudflare added support for JA4 in its enterprise plan; it's my turn to follow it now.

https://developers.cloudflare.com/bots/concepts/ja3-ja4-fingerprint/