JA4 & JA4T: The New Standard in Network Fingerprinting

1. What are JA4 and JA4T?

In the cat-and-mouse game of web security, relying solely on IP addresses or User-Agent strings is no longer sufficient. Attackers easily rotate IPs and spoof User-Agents. JA4+ is a suite of network fingerprinting methods designed to identify the client application and the underlying operating system regardless of these obfuscations.

The suite solves the limitations of the previous industry standard (JA3) by introducing human readability, better collision resistance, and support for modern protocols like QUIC/HTTP3.

• JA4 (TLS Fingerprint): This fingerprints the application making the request (e.g., Chrome, Firefox, a Python script, or a Golang bot). It looks at how the client initiates the SSL/TLS handshake.
• JA4T (TCP Fingerprint): This fingerprints the network stack and operating system (e.g., Windows, Linux, iOS). It looks at the raw TCP packet parameters before encryption even begins.

The Power of Combination: By checking if the application (JA4) matches the expected operating system (JA4T), security systems can detect sophisticated spoofing. For example, a request claiming to be "Chrome on Windows" that has a Linux TCP fingerprint is immediately flagged as fraudulent.

2. JA4: The Application Fingerprint

The JA4 fingerprint is generated by parsing the TLS Client Hello packet—the very first message sent by a client to a server to initiate a secure connection.

Unlike its predecessor JA3, which produced a single, unreadable MD5 hash, JA4 produces a structured, three-part string that is partially human-readable.

The Format: JA4_a_b_c
Example: t13d1516h2_8daaf6152771_e3547807c630

Breakdown of the Structure

1. Part A (The Environment): t13d1516h2
   • t: Protocol (t = TCP, q = QUIC).
   • 13: TLS Version (1.3).
   • d: Destination (d = Domain/SNI, i = IP).
   • 15: Number of Cipher Suites sent.
   • 16: Number of Extensions sent.
   • h2: The first and last character of the ALPN (Application-Layer Protocol Negotiation), e.g., "h2" for HTTP/2.


2. Part B (The Ciphers): 8daaf6152771
   • A truncated SHA256 hash of the list of Cipher Suites supported by the client.
   • Crucial Improvement: JA4 sorts the ciphers before hashing. This prevents "Cipher Stunting," where bots randomize cipher order to evade detection.


3. Part C (The Extensions): e3547807c630
   • A truncated SHA256 hash of the TLS Extensions and their values (excluding variable data like SNI or Session ID). These are also sorted to ensure consistency.

3. JA4T: The Operating System Fingerprint (Detailed Breakdown)

While JA4 identifies the application (the browser or script), JA4T identifies the device (the underlying Operating System). It does this by analyzing the raw parameters of the TCP connection before any data is actually exchanged.

The JA4T fingerprint is generated by parsing the TCP SYN packet—the very first "handshake" packet a device sends to a server to ask for a connection.

The Format: JA4T_a_b_c_d
Example: JA4T_65535_0204080103_1460_08

Just like JA4, the JA4T string is divided into four distinct parts that describe the configuration of the sender's network kernel.

Breakdown of the Structure

1. Part A (TCP Window Size): 65535
   • What it is: The "Receive Window" tells the server how many bytes of data the client can accept at once before it needs to send an acknowledgment back.
   • Why it fingerprints: This value is rarely random.
     • Windows often uses values like 64240 or 8192.
     • Linux often uses 29200 or 64xxx.
     • iOS/MacOS usually uses 65535.
   • If a request claims to be Chrome on Windows but sends a Window Size of 65535, it is likely a Linux bot spoofing a Windows User-Agent.


2. Part B (TCP Options Order): 0204080103
   • What it is: A sequence representing the order in which the client sends TCP "Options."
   • The Codes: Each number corresponds to a specific option type defined by IANA:
     • 02: Maximum Segment Size (MSS)
     • 04: SACK Permitted (Selective Acknowledgement)
     • 08: Timestamps
     • 01: NOP (No-Operation / Padding)
     • 03: Window Scale
   • Why it fingerprints: Operating systems hard-code this order in their kernel.
     • Linux typically sends: MSS → SACK → TS → NOP → Window Scale.
     • Windows typically sends: MSS → NOP → Window Scale → SACK.
   • It is extremely difficult to change this order without rewriting the operating system kernel or using raw sockets (which most standard bots do not do).


3. Part C (MSS Value): 1460
   • What it is: The Maximum Segment Size. This is the largest single chunk of data the client can receive.
   • Why it fingerprints: This tells us about the network link type.
     • 1460 is standard for Ethernet/Wi-Fi.
     • 1380 or lower often indicates a VPN or 4G/5G mobile connection (due to MTU overhead).
   • This helps TrueGuard identify if a user is hiding behind a VPN tunnel.

4. Part D (Window Scale): 08

   • What it is: The "Window Scale" option. Because modern internet speeds are fast, the standard 16-bit Window Size (Part A) isn't big enough. This "Scale" value acts as a multiplier (2^8 in this example) to increase the buffer size.
   • Why it fingerprints: Different OS versions choose different default multipliers based on their memory management logic.

The "Impossible" Mismatch

The power of JA4T comes from the fact that these settings are tied to the OS Kernel (the core of the computer).

If an attacker uses a bot hosted on an AWS Linux Server but tries to scrape your site pretending to be an iPhone User:

1. They change the HTTP User-Agent to "iPhone 14 / Safari."
2. They might even try to spoof the JA4 (TLS) fingerprint.


3. HOWEVER: The Linux server will inevitably send the TCP packet with Linux ordering (Part B) and Linux Window Sizes (Part A).

4. How the Fingerprints are Generated

The generation process happens passively on the server or proxy side (like at the Trueguard) without injecting any JavaScript into the user's browser.

1. Packet Capture: The server intercepts the incoming TCP SYN packet and the subsequent TLS Client Hello packet.
2. Parsing & Sorting:
   • For JA4, the engine extracts the Protocol, Version, Ciphers, and Extensions. It sorts the Ciphers and Extensions to create a canonical order.
   • For JA4T, the engine records the TCP Window size and the ordered list of TCP options.


3. Hashing: The sorted lists are hashed using SHA256 and truncated to 12 characters to keep them compact.
4. Concatenation: The components are joined with underscores to create the final ID string.

5. Legitimate Use Cases & Fraud Prevention

JA4 and JA4T are becoming the industry standard for distinguishing humans from automated threats.

A. Preventing Account Takeover (ATO) & Credential Stuffing

Attackers use tools like OpenBullet or chemically-hardened browsers to test stolen credentials.

• The Detection: These tools often have distinct JA4 signatures that differ from standard Chrome or Safari. Even if they rotate through 10,000 Residential Proxies, their JA4 (tool signature) remains constant. You block the fingerprint, not the IP.

B. API Scraping and Inventory Hoarding

Scalper bots target "Check Out" APIs to buy limited inventory. They often use Python (Requests), Go, or Node.js scripts.

• The Detection: A script using the Python requests library has a very specific JA4 signature. If an e-commerce site sees a request to /api/buy with a Python JA4 signature, it can block it immediately, regardless of where the traffic is coming from.

C. Identifying "Headless" Browsers

Sophisticated bots use Headless Chrome (Puppeteer/Playwright) to render JavaScript and mimic humans.

• The Detection: While Headless Chrome attempts to look like regular Chrome, subtle differences in the TLS extensions often result in a unique JA4 hash. Furthermore, if the bot is hosted on a Linux server, the JA4T will show Linux while the User-Agent claims Windows 10. This mismatch is a high-confidence signal for blocking.

6. Technical Comparison: JA3 vs. JA4

Summary

JA4 and JA4T represent a shift from identifying where a user is (IP Address) to identifying what the user is (Application & OS).

JA4 fingerprints the TLS client to identify the software (Chrome, Python, Bot), while JA4T fingerprints the TCP packet to identify the device (Windows, Linux, Mobile). By analyzing these two signals in tandem, TrueGuard can identify and mitigate bot attacks that bypass traditional IP-based defenses, ensuring that traffic on your platform is genuine.