Definition
JA3 and JA3S fingerprinting are techniques used to identify encrypted network communication by analyzing how TLS connections are initiated and negotiated. Developed by Salesforce in 2017, they focus on connection behavior rather than content and generate unique identifiers based on how the connection is set up.
JA3 represents the client, while JA3S represents the server. Together, they help make sense of encrypted communication without needing to access the underlying data. These techniques are widely used in network detection and response (NDR) environments to identify suspicious activity such as malware, unauthorized applications, and command and control communication.
Why JA3 and JA3S Are Important
Encryption protects data but reduces visibility for security teams. JA3 and JA3S address this by shifting analysis from content to behavior, specifically how a connection is made rather than what is sent through it.
This matters because IP addresses and domains change often, but the way software connects usually stays the same, making fingerprints a more reliable signal. In the context of David Bianco’s Pyramid of Pain, a framework that ranks how difficult various indicators are for attackers to change, JA3 and JA3S sit high up. Changing an IP costs an attacker nothing. Changing the fundamental way their tool negotiates a connection is significantly harder.
How JA3 Works (Client Side)
When a client connects to a server, it sends a Client Hello message announcing what security settings it supports. JA3 extracts specific fields from this message: TLS version, offered cipher suites, list of extensions, elliptic curves (supported groups), and elliptic curve point formats. These values are combined in a defined order and hashed into a 32-character fingerprint.
A good way to think about JA3 is as the modern equivalent of a browser User-Agent string, but for encrypted traffic. Just as a User-Agent identifies what browser is connecting, a JA3 fingerprint reveals the nature of the client, whether that is Chrome, a Python script, or malware like Trickbot, without relying on anything the client declares about itself.
How JA3S Works (Server Side)
After receiving the Client Hello, the server responds with a Server Hello, selecting one option from what the client offered. JA3S extracts the TLS version, chosen cipher suite, and extensions from this response, then processes them into a fingerprint.
Crucially, servers respond differently to different clients but consistently to the same client. This means combining JA3 and JA3S into a pair significantly reduces false alarms compared to using either fingerprint alone.
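The following Python snippet is an added example, not code from the original page or from Salesforce's JA3 tooling. It assembles the JA3 string from the five Client Hello field groups and the JA3S string from the three Server Hello fields described above, drops GREASE placeholder values the way JA3 implementations do (otherwise a browser that randomises them would hash differently on every connection), and hashes each into its 32-character fingerprint. The handshake values are constructed sample numbers, not a captured session.

```python
import hashlib

# GREASE values (RFC 8701) are randomised per connection, so JA3 drops them
# from every field before hashing; a client that sends them would otherwise
# produce a different fingerprint on each handshake.
GREASE = {0x0a0a, 0x1a1a, 0x2a2a, 0x3a3a, 0x4a4a, 0x5a5a, 0x6a6a, 0x7a7a,
          0x8a8a, 0x9a9a, 0xaaaa, 0xbaba, 0xcaca, 0xdada, 0xeaea, 0xfafa}


def _field(values):
    """Join one field's values with '-', dropping GREASE placeholders."""
    return "-".join(str(v) for v in values if v not in GREASE)


def ja3_string(version, ciphers, extensions, curves, point_formats):
    """JA3 string: the five Client Hello field groups in JA3's fixed order,
    commas between fields and dashes between values inside a field."""
    return ",".join([str(version), _field(ciphers), _field(extensions),
                     _field(curves), _field(point_formats)])


def ja3s_string(version, cipher, extensions):
    """JA3S string: version, the single cipher the server chose, and the
    extensions it returned in the Server Hello."""
    return ",".join([str(version), str(cipher), _field(extensions)])


def fingerprint(s):
    """JA3/JA3S fingerprint: MD5 of the string as 32 hex characters."""
    return hashlib.md5(s.encode("ascii")).hexdigest()


def ja3_pair(client, server):
    """Return the (JA3, JA3S) pair that analysts key detections on."""
    return fingerprint(ja3_string(**client)), fingerprint(ja3s_string(**server))


# Constructed sample values (not a captured handshake): a TLS 1.2 (771 = 0x0303)
# Client Hello that includes a GREASE cipher, extension and curve, and the
# Server Hello that answers it.
CLIENT_HELLO = dict(
    version=771,
    ciphers=[0x2a2a, 4865, 4866, 4867, 49195, 49199, 49171, 49172, 156, 47, 53],
    extensions=[0x2a2a, 0, 23, 65281, 10, 11, 35, 16, 5, 13, 18, 51, 45, 43, 27, 21],
    curves=[0x2a2a, 29, 23, 24],
    point_formats=[0],
)
SERVER_HELLO = dict(version=771, cipher=49199, extensions=[65281, 0, 11, 35, 16, 23])

if __name__ == "__main__":
    print(ja3_string(**CLIENT_HELLO))
    print(ja3s_string(**SERVER_HELLO))
    print(ja3_pair(CLIENT_HELLO, SERVER_HELLO))
```

Note that the version field is the legacy version in the Client Hello body, which stays 771 even for TLS 1.3 clients; that is one reason JA3 loses resolution on TLS 1.3.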
JA3 vs JA3S
JA3 and JA3S capture different parts of a TLS connection. JA3 focuses on how the client initiates the connection, while JA3S reflects how the server responds. Looking at both together provides a more complete view of the interaction.
| Aspect | JA3 | JA3S |
| --- | --- | --- |
| Focus | Client behavior | Server behavior |
| Based on | Client Hello | Server Hello |
| Identifies | Applications, devices, tools | Server configurations |
| Fields extracted | 5 field groups | 3 field groups |
Together, these fingerprints provide both sides of the connection, improving accuracy and reducing ambiguity during analysis.
Use Cases
Threat Detection and Malware Identification
JA3 and JA3S are widely used to detect malware and command and control communication. Malware families such as Trickbot use specific connection settings that produce recognizable fingerprints, enabling detection even when traffic is fully encrypted.
These techniques are also effective in identifying command and control channels between infected systems and attacker-controlled servers. Even when those servers rotate IP addresses and domains, their connection fingerprints often remain consistent, making JA3 and JA3S pairs a reliable way to track them.
Threat Hunting and Anomaly Discovery
Analysts use JA3 and JA3S to search for rare or unknown fingerprints across network traffic. These low-frequency or previously unseen values often indicate activity that does not match known applications, making them strong candidates for further investigation.
This approach helps surface hidden threats that may not trigger traditional detection methods.
Application and Behavior Profiling
JA3 helps identify client-side applications, while JA3S provides insight into server configurations. Together, they allow teams to understand what types of software are communicating across the network without relying on installed agents.
They are also useful for detecting automated tools. Bots, scanners, and scrapers tend to use distinct connection patterns, making them easier to distinguish from normal user-driven activity.
Investigation and Forensics
During incident analysis, JA3 and JA3S help reconstruct communication patterns when payload data is unavailable or cannot be inspected. This is especially useful in environments where only network logs are available.
By correlating fingerprints across sessions, analysts can trace activity, identify affected systems, and build a clearer picture of how an incident unfolded.
Where JA3 and JA3S Fit in Network Security
JA3 and JA3S fingerprinting are commonly used in network-centric security approaches, including network detection and response (NDR), that focus on analyzing traffic behavior rather than inspecting content. They are particularly relevant in environments where encryption limits traditional visibility and where understanding how systems communicate becomes more important than what is being transmitted.
In such environments, these techniques support multiple layers of analysis:
- Detection: Identifying suspicious communication patterns, including malware and command and control traffic, based on consistent connection behavior
- Hunting: Surfacing rare or unknown fingerprints that do not match expected application behavior
- Profiling: Understanding which applications and tools are operating on a network without relying on endpoint data
- Investigation: Reconstructing sessions and correlating activity across multiple connections to understand how an incident unfolded
By relying on metadata from TLS handshakes, JA3 and JA3S remain effective even when payload data is encrypted or unavailable. This makes them particularly useful in large-scale or privacy-sensitive environments where decryption is not feasible.
Rather than acting as standalone indicators, these fingerprints are most effective when used as part of a broader analytical workflow that combines multiple signals to build context and support decision-making.
Benefits
JA3 and JA3S provide several practical advantages in encrypted traffic analysis:
- Provides visibility into encrypted traffic without decryption
- Does not rely on IP addresses or domains, which attackers change easily
- Produces consistent, stable signals that remain valid over time
- Works at scale since it is based on metadata rather than content
- Supported natively by widely used security tools including Zeek and Suricata
- The JA3+JA3S pair significantly reduces false alarms compared to either fingerprint used alone
Best Practices
- Use the JA3+JA3S pair together rather than either value in isolation
- Build a baseline of normal connection behavior so deviations stand out
- Focus on rare or unknown fingerprints, not just known-bad lists
- Correlate findings with traffic logs, DNS records, and endpoint activity
- Treat matches as starting points for investigation, not conclusions
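As an added example (not from the original page), the following Python snippet applies the baseline and rarity practices above to Zeek ssl.log records: it counts each JA3+JA3S pair, and reports pairs that are both rare and absent from a baseline of already-profiled normal pairs, along with the hosts that produced them. The log excerpt is constructed; the ja3 and ja3s column names are assumed to be those the Salesforce JA3 package adds to Zeek's ssl.log, and the hash values are made-up placeholders.

```python
from collections import Counter

# Constructed Zeek ssl.log excerpt (tab-separated; only the #fields header
# is kept). Fingerprint values are placeholders, not real JA3/JA3S hashes.
SSL_LOG = """#fields\tts\tid.orig_h\tid.resp_h\tserver_name\tja3\tja3s
1700000000.1\t10.0.0.5\t203.0.113.10\texample.com\tAAAA1\tSSS1
1700000001.2\t10.0.0.6\t203.0.113.10\texample.com\tAAAA1\tSSS1
1700000002.3\t10.0.0.7\t203.0.113.10\texample.com\tAAAA1\tSSS1
1700000003.4\t10.0.0.5\t203.0.113.20\tupdates.example.net\tBBBB2\tSSS2
1700000004.5\t10.0.0.8\t203.0.113.20\tupdates.example.net\tBBBB2\tSSS2
1700000005.6\t10.0.0.9\t198.51.100.7\t-\tCCCC3\tSSS3
"""

# Constructed baseline: pairs previously profiled as normal for this network.
BASELINE = {("AAAA1", "SSS1")}


def parse_ssl_log(text):
    """Yield one dict per record, naming columns from the #fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split("\t")))


def rare_pairs(records, baseline, max_count=1):
    """Return {(ja3, ja3s): [hosts]} for pairs seen at most max_count times
    that are not in the baseline. The pair, not JA3 alone, is the key, so a
    common client talking to an unusual server still surfaces."""
    counts, hosts = Counter(), {}
    for r in records:
        pair = (r["ja3"], r["ja3s"])
        counts[pair] += 1
        hosts.setdefault(pair, set()).add(r["id.orig_h"])
    return {pair: sorted(hosts[pair]) for pair, n in counts.items()
            if n <= max_count and pair not in baseline}


if __name__ == "__main__":
    for pair, origins in rare_pairs(parse_ssl_log(SSL_LOG), BASELINE).items():
        print("investigate", pair, "from", origins)
```

Each hit is a starting point for pivoting into DNS, traffic and endpoint logs for the listed hosts, not a verdict.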
What Comes Next: JA4
Modern browsers now introduce random variations into TLS handshakes, and the way JA3 builds its fingerprint has limitations of its own: any minor change to the handshake produces a different hash, and it is less effective with TLS 1.3.
To address these challenges, JA4 produces more consistent fingerprints in the face of browser randomization, is harder to spoof, and supports newer protocols that JA3 was not built to handle.
Conclusion
JA3 and JA3S fingerprinting offer a proven way to analyze encrypted traffic by focusing on how connections are made rather than what is transmitted. JA3 identifies the client, functioning like a User-Agent string for encrypted traffic. JA3S identifies the server. Together, they provide a more precise view of network communication while making evasion significantly harder for attackers.
Combined with strong baselines and good investigative practices, and with JA4 continuing to evolve the approach, these techniques ensure that security visibility is not lost as encryption becomes the norm, only shifted from content to behavior.