JA3 Fingerprints As a Supplement to More Comprehensive IoC Data Sets

The JA3 fingerprint is an excellent addition to any cybersecurity arsenal, helping detect malware and other threats in encrypted traffic. Relying solely on JA3 for detection, however, is likely to produce an overwhelming number of false positives. JA3 fingerprints should be used as a supplement to more comprehensive IoC data sets: the prevalent baseline behaviour of the host, the host process that opened the connection, and features of the destination domain.

JA3 was developed by Salesforce researchers in 2017 as an elegant solution to the problem of detecting malicious applications within encrypted traffic. It takes the details the client sends in each TLS client-server handshake (the TLS version, the accepted cipher suites, the extensions, the elliptic curve groups and the elliptic curve point formats) and converts them into a single 32-character MD5 hash. The resulting fingerprint can then be matched against a list of known fingerprints to identify malware and other malicious clients.
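The paragraph above describes the hash in the abstract; the following added example (not code from the original article or from the JA3 project) shows the concrete steps. It parses a TLS ClientHello record, pulls out the five fields JA3 uses, joins them in the JA3 layout (`version,ciphers,extensions,curves,point_formats`, lists separated by `-`) and MD5-hashes the result. It also drops GREASE values, which browsers randomise per connection and which the JA3 specification excludes so that one client does not yield a different hash on every connection. The `build_client_hello` helper exists only to construct an offline sample record; the field values it is fed below are constructed, not captured traffic, and the `__main__` block is just a usage call.

```python
import hashlib
import struct

# GREASE values (RFC 8701) are randomised by browsers per connection, so JA3
# drops them before hashing; otherwise one browser would yield many hashes.
GREASE = {int(f"{h}a{h}a", 16) for h in "0123456789abcdef"}


def build_client_hello(version, ciphers, extensions, curves, point_formats):
    """Constructed test input only: assemble a minimal ClientHello record from
    the five fields JA3 cares about. Extension bodies other than
    supported_groups (10) and ec_point_formats (11) are left empty."""
    ext_bytes = b""
    for ext_type in extensions:
        if ext_type == 10:    # supported_groups: 2-byte list length + 2-byte group ids
            body = struct.pack("!H", 2 * len(curves))
            body += b"".join(struct.pack("!H", c) for c in curves)
        elif ext_type == 11:  # ec_point_formats: 1-byte list length + 1-byte format ids
            body = struct.pack("!B", len(point_formats)) + bytes(point_formats)
        else:
            body = b""
        ext_bytes += struct.pack("!HH", ext_type, len(body)) + body
    hello = struct.pack("!H", version) + bytes(32)          # client version, zeroed random
    hello += b"\x00"                                        # empty session id
    hello += struct.pack("!H", 2 * len(ciphers))
    hello += b"".join(struct.pack("!H", c) for c in ciphers)
    hello += b"\x01\x00"                                    # one compression method: null
    hello += struct.pack("!H", len(ext_bytes)) + ext_bytes
    handshake = b"\x01" + len(hello).to_bytes(3, "big") + hello   # type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello(record):
    """Walk a TLS handshake record carrying a ClientHello and return the JA3 fields."""
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS handshake record carrying a ClientHello")
    p = 9                                                   # past record (5) + handshake (4) headers
    version = struct.unpack_from("!H", record, p)[0]
    p += 2 + 32                                             # client version, random
    p += 1 + record[p]                                      # session id (length-prefixed)
    cs_len = struct.unpack_from("!H", record, p)[0]
    p += 2
    ciphers = [struct.unpack_from("!H", record, p + i)[0] for i in range(0, cs_len, 2)]
    p += cs_len
    p += 1 + record[p]                                      # compression methods
    extensions, curves, point_formats = [], [], []
    if p < len(record):
        end = p + 2 + struct.unpack_from("!H", record, p)[0]
        p += 2
        while p < end:
            ext_type, body_len = struct.unpack_from("!HH", record, p)
            p += 4
            body = record[p:p + body_len]
            p += body_len
            extensions.append(ext_type)
            if ext_type == 10:
                n = struct.unpack_from("!H", body, 0)[0]
                curves = [struct.unpack_from("!H", body, 2 + i)[0] for i in range(0, n, 2)]
            elif ext_type == 11:
                point_formats = list(body[1:1 + body[0]])
    return version, ciphers, extensions, curves, point_formats


def ja3_string(version, ciphers, extensions, curves, point_formats):
    """JA3 layout: version,ciphers,extensions,curves,point_formats; GREASE removed."""
    def join(vals):
        return "-".join(str(v) for v in vals if v not in GREASE)
    return ",".join([str(version), join(ciphers), join(extensions), join(curves), join(point_formats)])


def ja3_from_record(record):
    """Return (ja3_string, ja3_md5) for one ClientHello record."""
    s = ja3_string(*parse_client_hello(record))
    return s, hashlib.md5(s.encode("ascii")).hexdigest()


if __name__ == "__main__":
    # Constructed field values (one GREASE entry in each list, TLS 1.2 version 771).
    rec = build_client_hello(771, [0x1a1a, 4865, 4866, 4867, 49195],
                             [0x2a2a, 0, 23, 10, 11], [0x3a3a, 29, 23, 24], [0])
    print(*ja3_from_record(rec))
```

Two properties worth noting when you run it: swapping the GREASE values for different ones leaves the hash unchanged, while reordering the cipher suites changes it, because JA3 preserves the order the client advertises. Sensors such as Zeek and Suricata compute the same string from live traffic; this version is only meant to make the construction visible.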

Exploring JA3 Fingerprints: Enhancing Security in Your Network

This approach is a significant improvement over traditional signature-based methods, which can be defeated by changing application configurations or even by a well-trained attacker. Using JA3 fingerprints as the only source of detection can be dangerous, leading to security teams chasing false positives and failing to detect sophisticated and evolving threats.

The main drawback of JA3 is that it is easy to subvert. Attackers can craft ClientHello packets that match those of popular TLS clients like browsers, making them harder to detect. In fact, a pair of CU Cyber members recently published a simple Go library that makes it trivial to impersonate JA3 fingerprints.
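The opening paragraph argues that JA3 should supplement host and destination context, and the paragraph above explains why: an attacker can present a browser's fingerprint from a non-browser process. The added example below (not code from the article) shows what that combination looks like as detection logic. It parses a few constructed connection log lines and scores each one by four signals: a match against a known-bad fingerprint list, a mismatch between the fingerprint and the processes that normally present it, a process outside the fleet's usual TLS-speaking set, and a destination outside the baseline. A known-bad fingerprint on its own only reaches "review"; a browser fingerprint coming from an unexpected process to an unknown destination reaches "alert". All hosts, process names, domains, baselines and fingerprint values are constructed placeholders (the `JA3_*_PLACEHOLDER` strings stand in for real 32-character MD5 hashes).

```python
import re
from collections import namedtuple

# Constructed sample telemetry: one TLS connection per line, key=value fields.
# Hosts, processes, domains and fingerprints are placeholders, not real data.
SAMPLE_LOG = """\
2024-05-01T09:00:01Z host=ws01 proc=chrome.exe ja3=JA3_BROWSER_PLACEHOLDER sni=cdn.example.com
2024-05-01T09:00:07Z host=ws01 proc=updater.exe ja3=JA3_BROWSER_PLACEHOLDER sni=c2-placeholder.example
2024-05-01T09:01:13Z host=ws02 proc=chrome.exe ja3=JA3_BROWSER_PLACEHOLDER sni=new-site.example.org
2024-05-01T09:02:45Z host=ws03 proc=python.exe ja3=JA3_KNOWNBAD_PLACEHOLDER sni=cdn.example.com
2024-05-01T09:03:02Z host=ws03 proc=python.exe ja3=JA3_KNOWNBAD_PLACEHOLDER sni=c2-placeholder.example
"""

# Constructed reference data. In practice the first comes from threat intel and
# the other three are learned from the fleet's own history.
KNOWN_BAD_JA3 = {"JA3_KNOWNBAD_PLACEHOLDER": "example-malware-family"}
BASELINE_PROCESSES_FOR_JA3 = {"JA3_BROWSER_PLACEHOLDER": {"chrome.exe", "msedge.exe"}}
BASELINE_TLS_PROCESSES = {"chrome.exe", "msedge.exe", "outlook.exe"}
BASELINE_DESTINATIONS = {"cdn.example.com", "updates.example-corp.internal"}

Event = namedtuple("Event", "ts host proc ja3 sni")
LINE_RE = re.compile(r"^(\S+) host=(\S+) proc=(\S+) ja3=(\S+) sni=(\S+)$")


def parse_log(text):
    """Turn the key=value lines into Event records; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(Event(*m.groups()))
    return events


def score_event(ev):
    """Combine the JA3 match with process and destination context.

    Weights are constructed for illustration: the fingerprint match alone is
    deliberately below the alert threshold, the process/fingerprint mismatch
    (a browser fingerprint from something that is not a browser) is the
    strongest single signal."""
    score, reasons = 0, []
    if ev.ja3 in KNOWN_BAD_JA3:
        score += 2
        reasons.append(f"fingerprint on known-bad list ({KNOWN_BAD_JA3[ev.ja3]})")
    expected = BASELINE_PROCESSES_FOR_JA3.get(ev.ja3)
    if expected and ev.proc not in expected:
        score += 3
        reasons.append(f"fingerprint normally seen from {sorted(expected)} but presented by {ev.proc}")
    if ev.proc not in BASELINE_TLS_PROCESSES:
        score += 1
        reasons.append(f"{ev.proc} is not a baselined TLS client on this fleet")
    if ev.sni not in BASELINE_DESTINATIONS:
        score += 1
        reasons.append(f"destination {ev.sni} not in baseline")
    verdict = "alert" if score >= 4 else "review" if score >= 2 else "baseline"
    return verdict, score, reasons


def triage(text):
    """Return (host, proc, verdict, score, reasons) for every parsed connection."""
    return [(ev.host, ev.proc, *score_event(ev)) for ev in parse_log(text)]


if __name__ == "__main__":
    for host, proc, verdict, score, reasons in triage(SAMPLE_LOG):
        print(f"{host} {proc:<12} {verdict:<8} score={score} {'; '.join(reasons)}")
```

The two `updater.exe` and `chrome.exe` lines on `ws01` carry the identical fingerprint, which is exactly the impersonation case from the paragraph above: the fingerprint by itself cannot tell them apart, and only the process and destination context separates the baseline connection from the one that is escalated.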
