When a client connects over HTTPS, it sends a TLS ClientHello message that includes its supported cipher suites, extensions, elliptic curves, and compression methods. This combination — aggregated into a hash — is the TLS fingerprint. Chrome, Firefox, Safari, and curl all produce different fingerprints. So do attack tools.
JA3 and JA4
JA3 is the original fingerprinting method, created by Salesforce. It hashes 5 fields from the ClientHello into an MD5 string. JA4, a newer standard, adds directionality and is harder to evade. Both are passive — computed from the TLS handshake without any visible interaction with the client.
Why This Catches Attackers
- Most DDoS attack tools use Python's ssl library or custom C implementations — with fingerprints nothing like a browser's.
- Spoofing a JA3 fingerprint requires correctly replicating dozens of specific TLS parameters — a significant development effort.
- Rotating bot IPs doesn't change the TLS fingerprint — one rule blocks the entire tool across all IPs.
- Known attack tool fingerprints are shared in threat intel feeds — Akarguard maintains a continuously updated blocklist.
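As an added illustration of the JA3 mechanics described above and of why rotating IPs does not help an attacker (this is example code, not Akarguard's code nor the JA3 reference implementation), the Python below builds two constructed ClientHello records, one browser-like and one resembling a minimal scripted client, parses the five fields JA3 hashes (ClientHello version, cipher suites, extension types, supported groups, EC point formats), drops GREASE values, and MD5-hashes the result. It then looks the hash up in a constructed blocklist keyed only by fingerprint, so the verdict is the same whatever source address the connection came from. The sample hellos, the blocklist entry and every helper name are assumptions.

```python
"""JA3 from a raw TLS ClientHello record (added example, not the page's own code)."""
import hashlib
import struct

# GREASE values (RFC 8701) are injected at random into ciphers, extensions and
# groups, so JA3 removes them before hashing or the fingerprint would change per connection.
GREASE = {0x0A0A + 0x1010 * i for i in range(16)}


def _u16(buf: bytes, off: int) -> int:
    return struct.unpack_from("!H", buf, off)[0]


def parse_client_hello(record: bytes) -> dict:
    """Extract the JA3 fields from a TLS record that carries a ClientHello."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a handshake record carrying a ClientHello")
    off = 9                                   # 5-byte record header + 4-byte handshake header
    version = _u16(record, off); off += 2     # ClientHello legacy version, e.g. 0x0303 = 771
    off += 32                                 # client random
    sid_len = record[off]; off += 1 + sid_len # session id
    cs_len = _u16(record, off); off += 2
    ciphers = [_u16(record, off + i) for i in range(0, cs_len, 2)]
    off += cs_len
    comp_len = record[off]; off += 1 + comp_len
    extensions, groups, formats = [], [], []
    if off < len(record):                     # extensions block is optional
        end = off + 2 + _u16(record, off); off += 2
        while off < end:
            ext_type, ext_size = _u16(record, off), _u16(record, off + 2)
            data = record[off + 4: off + 4 + ext_size]
            extensions.append(ext_type)
            if ext_type == 0x000A:            # supported_groups (elliptic curves)
                groups = [_u16(data, 2 + i) for i in range(0, _u16(data, 0), 2)]
            elif ext_type == 0x000B:          # ec_point_formats
                formats = list(data[1:1 + data[0]])
            off += 4 + ext_size
    return {"version": version, "ciphers": ciphers, "extensions": extensions,
            "groups": groups, "formats": formats}


def ja3_string(h: dict) -> str:
    """JA3 text form: version,ciphers,extensions,groups,formats (decimal, order preserved)."""
    def field(vals):
        return "-".join(str(v) for v in vals if v not in GREASE)
    return ",".join([str(h["version"]), field(h["ciphers"]), field(h["extensions"]),
                     field(h["groups"]), field(h["formats"])])


def ja3_hash(record: bytes) -> str:
    return hashlib.md5(ja3_string(parse_client_hello(record)).encode()).hexdigest()


# --- constructed sample input (assumption: not captured from any real client) ---
def build_client_hello(version: int, ciphers: list, extensions: list) -> bytes:
    body = struct.pack("!H", version) + b"\x00" * 32 + b"\x00"          # version, random, empty sid
    body += struct.pack("!H", 2 * len(ciphers)) + b"".join(struct.pack("!H", c) for c in ciphers)
    body += b"\x01\x00"                                                  # one compression method: null
    ext = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in extensions)
    body += struct.pack("!H", len(ext)) + ext
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs


def groups_ext(groups):
    return 0x000A, struct.pack("!H", 2 * len(groups)) + b"".join(struct.pack("!H", g) for g in groups)


def formats_ext(fmts):
    return 0x000B, bytes([len(fmts)]) + bytes(fmts)


def sample_browser_hello(grease: int = 0x1A1A) -> bytes:
    """Browser-like hello; the GREASE value differs per connection but JA3 ignores it."""
    return build_client_hello(0x0303, [grease, 0x1301, 0x1302, 0xC02B, 0xC02F], [
        (grease, b""), (0x0000, b"\x00\x0e\x00\x00\x0bexample.com"), (0x0017, b""),
        groups_ext([grease, 0x001D, 0x0017]), formats_ext([0]), (0x0010, b"\x00\x03\x02h2")])


def sample_tool_hello() -> bytes:
    """Minimal scripted-client hello: few ciphers, only the two curve extensions."""
    return build_client_hello(0x0303, [0xC02F, 0xC030, 0x009E],
                              [groups_ext([0x0017, 0x0018]), formats_ext([0, 1, 2])])


# Constructed blocklist keyed by JA3 only: no IP address is involved in the lookup.
KNOWN_TOOL_JA3 = {ja3_hash(sample_tool_hello()): "constructed-flood-tool"}


def classify(record: bytes, src_ip: str) -> str:
    """Return the blocklist label for this hello, or 'allow'; src_ip plays no part."""
    return KNOWN_TOOL_JA3.get(ja3_hash(record), "allow")


if __name__ == "__main__":
    for ip in ("198.51.100.7", "203.0.113.9"):          # rotating bot IPs, same tool
        print(ip, classify(sample_tool_hello(), ip), ja3_string(parse_client_hello(sample_tool_hello())))
    print("browser", classify(sample_browser_hello(), "192.0.2.1"))
```

Two properties worth noticing in the output: the two browser hellos built with different GREASE values hash identically, and the tool hello is matched regardless of source address. JA3 is order-sensitive, which is why a tool author has to reproduce the exact cipher and extension order to impersonate a browser; the same property cuts the other way, since Chrome has randomized its extension order per connection since version 110, so a single JA3 no longer identifies Chrome reliably, which is one reason JA4 sorts ciphers and extensions before hashing.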
Passive detection
TLS fingerprinting happens before any HTTP request is made. Bots are identified at the TLS handshake — before they can even start their attack.
Limitations
Sophisticated attackers using headless Chromium (Puppeteer, Playwright) produce genuine browser fingerprints. TLS fingerprinting alone won't stop them — but it dramatically reduces the botnet population that needs to be handled by more expensive behavioral detection methods.