HackMyIP

TLS Fingerprinting (JA3 and JA4): Tracking Below the Browser

The Fingerprint a VPN Does Not Hide

Most fingerprinting happens inside your browser, in JavaScript. TLS fingerprinting happens underneath it, at the network layer, which makes it much harder to escape. It identifies the software making a connection by examining the very first message your client sends to start an encrypted session. This page is the network-layer companion to our browser fingerprinting overview, which covers the in-browser vectors.

What Gets Fingerprinted

When any client opens a secure connection, it sends a ClientHello message in the clear before encryption begins. It lists the TLS version, the ordered set of cipher suites, the extensions, the supported groups or elliptic curves, and the EC point formats. The specific values, and especially their order, differ from one client and library to another. Hashing them produces a fingerprint that identifies the client type.

JA3 and JA4

JA3 is a method open-sourced by Salesforce. It joins selected ClientHello fields into a string and takes the MD5 hash, producing a 32-character fingerprint. JA3S is the server-side counterpart. JA4 is a newer, more structured and human-readable successor from FoxIO that is harder to evade and part of a wider family covering other protocols such as HTTP and TCP. JA4 is generally considered the more robust of the two, though JA3 is still widely deployed.
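
Added example, not from the original page or from the JA3 project: a small Python parser that pulls the five ClientHello fields listed above out of a raw TLS record and builds the JA3 string and its MD5 digest, dropping GREASE values as JA3 does. `build_hello` and the cipher and group values fed to it are constructed for the demo, not a real capture, and the parser assumes the whole ClientHello sits in a single TLS record.

```python
import hashlib
import struct

def is_grease(v):  # RFC 8701 placeholders (0x0A0A, 0x1A1A, ...) are skipped by JA3
    return (v & 0x0F0F) == 0x0A0A and (v >> 8) == (v & 0xFF)

def u16s(buf):
    return [v for (v,) in struct.iter_unpack("!H", buf)]

def parse_client_hello(rec):  # -> (version, ciphers, ext types, groups, point formats)
    if len(rec) < 44 or rec[0] != 0x16 or rec[5] != 0x01:
        raise ValueError("not a TLS record carrying a ClientHello")
    version = struct.unpack_from("!H", rec, 9)[0]   # after record (5) + handshake (4) headers
    pos = 44 + rec[43]                       # skip version, random (32) and the session id
    n = struct.unpack_from("!H", rec, pos)[0]
    ciphers = u16s(rec[pos + 2:pos + 2 + n])
    pos += 2 + n
    pos += 1 + rec[pos]                      # compression methods
    exts, groups, formats = [], [], []
    end = pos + 2 + struct.unpack_from("!H", rec, pos)[0] if pos < len(rec) else pos
    pos += 2
    while pos + 4 <= end:
        etype, elen = struct.unpack_from("!HH", rec, pos)
        body = rec[pos + 4:pos + 4 + elen]
        pos += 4 + elen
        exts.append(etype)                   # order of appearance is part of the fingerprint
        if etype == 10:                      # supported_groups: u16 list length, u16 ids
            groups = u16s(body[2:])
        elif etype == 11:                    # ec_point_formats: u8 list length, u8 ids
            formats = list(body[1:])
    return version, ciphers, exts, groups, formats

def ja3(rec):
    version, *lists = parse_client_hello(rec)
    lists = [[v for v in l if not is_grease(v)] for l in lists]
    text = ",".join([str(version)] + ["-".join(map(str, l)) for l in lists])
    return text, hashlib.md5(text.encode()).hexdigest()

def build_hello(ciphers, groups):  # constructed sample ClientHello, not a capture
    vec = lambda b: struct.pack("!H", len(b)) + b   # u16 length-prefixed vector
    cs, g = (struct.pack(f"!{len(x)}H", *x) for x in (ciphers, groups))
    exts = b"\x0a\x0a" + vec(b"") + b"\x00\x0a" + vec(vec(g)) + b"\x00\x0b" + vec(b"\x01\x00")
    body = b"\x03\x03" + bytes(33) + vec(cs) + b"\x01\x00" + vec(exts)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + vec(hs)

if __name__ == "__main__":
    for ciphers in ([0x0A0A, 0x1301, 0x1302, 0xC02F], [0x1302, 0x1301, 0xC02F]):
        print(*ja3(build_hello(ciphers, [29, 23])))
```

The two sample hellos offer the same cipher suites in a different order and produce different digests, which is the order sensitivity described above.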

Why It Survives VPNs and Incognito

Because it operates below the browser, TLS fingerprinting is not affected by private mode, clearing cookies, disabling JavaScript, or browser extensions. None of those change the ClientHello. Crucially, a VPN does not change it either. A VPN swaps the IP address a site sees, but it forwards your original TLS handshake unchanged, so the same JA3 or JA4 hash still arrives. This is why anti-bot systems value it even against VPN users.

Who Uses It

TLS fingerprinting is used heavily by content delivery networks, bot-detection systems, and anti-fraud systems, with Cloudflare a well-documented user. A common job is catching mismatches: a request whose User-Agent claims to be a browser, but which presents the TLS fingerprint of an automation tool such as a scripting library, is flagged as suspicious. On its own, it identifies the client software and library rather than naming an individual person. It pairs naturally with our SSL and TLS checker for understanding the handshake.

Can You Control It

Honestly, not easily. The best everyday approach is to use a mainstream browser in its default state so your fingerprint blends in with millions of others, because a rare TLS stack stands out. Specialized mimicry tools exist for legitimate interoperability, but actively faking a fingerprint can create other detectable inconsistencies. There is no simple consumer off switch.

Frequently Asked Questions

What is TLS fingerprinting?

TLS fingerprinting identifies the software making a connection by examining the ClientHello message your client sends at the start of every encrypted session. Details such as the cipher suite list, extensions, and their order differ between browsers and libraries, and hashing them produces a fingerprint. Methods called JA3 and JA4 are the most common ways to compute it.

What is the difference between JA3 and JA4?

JA3 is an older method from Salesforce that joins selected ClientHello fields and takes an MD5 hash, producing a single 32-character string. JA4 is a newer, more structured and human-readable method from FoxIO that is harder to evade and covers more protocols. JA4 is generally considered the more robust successor to JA3.

Does a VPN change my TLS fingerprint?

No. A VPN changes the IP address a website sees, but it forwards your original TLS handshake unchanged, so your JA3 or JA4 fingerprint stays the same. The only way a VPN would change it is if its software re-originated your TLS connection, which standard VPNs do not do for browser traffic. This is why TLS fingerprinting is valuable to anti-bot systems even against VPN users.

Can incognito mode or clearing cookies stop TLS fingerprinting?

No. TLS fingerprinting happens at the network layer, below the browser interface, so private browsing, clearing cookies, and disabling JavaScript have no effect on it. None of those actions change the ClientHello message your client sends. This makes it fundamentally different from cookie-based or JavaScript-based tracking.

Who uses TLS fingerprinting?

It is used heavily by content delivery networks, bot-detection systems, and anti-fraud systems, with Cloudflare being a well-documented user. A common use is spotting mismatches, such as a request claiming to be a browser while presenting the TLS fingerprint of an automation tool. On its own, it identifies the client software and library rather than naming an individual person.

Last updated: April 2026