Skip to content
Log in

JA3 fingerprint

Definition

An MD5 hash computed from selected fields of the TLS Client Hello: the TLS version, cipher suites, extensions, elliptic curves, and elliptic-curve point formats. Because different TLS client implementations produce different combinations of these values, the JA3 hash can identify the TLS library or application that initiated a session. JA3S is the corresponding hash for the Server Hello.

Related terms

Flow record
A summary record of a network conversation, typically recording source and destination IP addresses and ports, protocol, start time, duration, byte count...
Server Name Indication (SNI)
A TLS extension sent in plaintext in the Client Hello message that identifies the hostname the client intends to reach. SNI is...
SSL inspection (TLS interception)
A technique in which an intermediary device terminates an incoming TLS session, inspects the decrypted content, then re-encrypts and forwards it using...
SSLKEYLOGFILE
A file format, originally implemented in Mozilla Firefox and later adopted by Chrome and other browsers, that logs TLS session keys as...
Traffic fingerprinting
The process of identifying an application, protocol, or user action from statistical properties of an encrypted flow, such as packet size distributions,...

Explained in

  • Encrypted Traffic AnalysisAn MD5 hash computed from selected fields of the TLS Client Hello: the TLS version, cipher suites, extensions, elliptic curves, and elliptic-curve point format...

Your journey to becoming a forensic professional starts here.

Practice with mock tests, learn from structured notes, and get your questions answered by a global forensic community, all in one place.

Continue learningCreate Your Account