SpeedIQInternet · VPN · Privacy
← Back to Blog
Privacy & Security

TLS Fingerprint Explained: What JA3 and JA4 Reveal About Your Browser

TLS Fingerprint Explained: What JA3 and JA4 Reveal About Your Browser

27. May 2026Category Privacy & Security2 min read
TLS Fingerprint Explained: What JA3 and JA4 Reveal About Your Browser

What Is a TLS Fingerprint?

Every time your browser connects to a website over HTTPS, it begins with a TLS handshake — a negotiation process where your browser and the server agree on encryption settings. During this handshake, your browser sends a ClientHello message that lists its supported cipher suites, TLS extensions, and other capabilities in a specific order. This combination of values is your TLS fingerprint. For the strategic overview of where TLS sits in the broader fingerprinting picture, see our complete browser fingerprinting guide.

TLS fingerprinting has a uniquely powerful characteristic: it happens at the network level, before any application-layer privacy protection (like VPNs, proxies, or browser privacy settings) can intervene.

JA3: The Standard TLS Fingerprinting Method

JA3 is a widely used TLS fingerprinting algorithm developed by Salesforce researchers in 2017. It creates an MD5 hash from five fields in the ClientHello message: TLS version number, cipher suites, TLS extensions, elliptic curves, and elliptic curve point formats.

All Chrome 124 users on Windows produce the same JA3 hash. This makes JA3 most useful for identifying browser types and detecting anomalous traffic rather than tracking individual users.

JA4: The Modern Evolution

JA4 is a next-generation TLS fingerprinting method developed in 2023. Key improvements over JA3:

  • Sorted cipher suites: Makes the fingerprint stable across TLS library updates.
  • ALPN extension handling: Identifies the application protocol being negotiated (HTTP/1.1, HTTP/2, HTTP/3).
  • Human-readable format: Partially human-readable without requiring a lookup table.

Who Uses TLS Fingerprinting?

CDNs and DDoS Protection

Cloudflare, Akamai, and Fastly use TLS fingerprinting to distinguish legitimate browsers from bots. A request claiming to be Chrome 124 but presenting a different TLS fingerprint is likely from an automated tool.

Network Surveillance

Because the ClientHello is unencrypted, ISPs and government surveillance systems can fingerprint all TLS connections on their network without decrypting the traffic.

How TLS Fingerprinting Differs from Browser Fingerprinting

Browser fingerprinting occurs at the application layer — JavaScript running in your browser. TLS fingerprinting occurs at the network layer, before your browser's application code runs. It cannot be blocked by browser extensions, privacy settings, or JavaScript restrictions. Even the Tor Browser has a TLS fingerprint. Even a VPN does not change your TLS fingerprint.

Summary

TLS fingerprinting captures your browser's unique signature from the TLS handshake — before any encryption is established. JA3 and JA4 are the standard methods, widely used in security tooling, bot detection, and network surveillance. Unlike browser fingerprinting, TLS fingerprinting cannot be blocked by browser settings or extensions.

Part of the Vatha network.