An Overview of JA4+ Network Fingerprinting and Its Implications
JA4+: The Next Leap in Network Fingerprinting
The need for effective tools in cybersecurity is ever pressing. One advancement is the JA4+ suite of modular network fingerprints. Successor to the 2017 JA3 standard for TLS fingerprinting, JA4+ refines and extends its capabilities, offering not just a new method but an entire toolset that takes network fingerprinting to a whole new level.
The Essence of JA4+
JA4+ offers a wide array of fingerprints tailored for multiple protocols. Each component of a signature—expressed in an a_b_c format—stands alone, inviting granular inspection. This unique arrangement allows you to zero in on targeted parts of the fingerprint, while the straightforward design ensures both simplicity and scope for future enhancements.
JA4+ consists of various components:
- JA4: TLS Client
- JA4S: TLS Server Response
- JA4H: HTTP Client
- JA4L: Light Distance/Location
- JA4X: X509 TLS Certificate
- JA4SSH: SSH Traffic
For a more thorough breakdown, the JA4 blog provides the announcement and description of the fingerprints.
The improvements of JA4+ are many, but let's delve into some noteworthy aspects and quirks.
The Quest for Fidelity: A Peakhour Experiment
JA4+ brings a welcome innovation in the sorting of TLS cipher extensions, especially when you consider that cipher suites often appear in random order. However, Peakhour's experiments highlight the need for caution when dealing with TLS cipher ordering in the signature, which was implemented to reduce the impact of cipher stunting. Our tests revealed a loss of fidelity. This is precisely why the practice of logging raw signatures remains paramount. By doing so, you retain the flexibility needed for detailed post-analysis, allowing you to tackle the nuances of fidelity loss and implementation variations effectively.
The overview of TLS fingerprinting provides a more in-depth explanation of how a TLS signature is formed.
Google Chrome's recent initiative to randomise a portion of the TLS fingerprint highlights the need for sorting. While this move aimed to impede server implementers from fixating on Chrome's fingerprint, the outcome wasn't anticipated. Peakhour's data suggests that the number of unique fingerprints soared after the Chrome update, making it almost impossible to identify the Chrome network stack through the TLS fingerprint alone. Sort normalisation of the TLS extensions solves this problem whilst maintaining almost 99% signature fidelity.
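The Chrome randomisation described above and the cipher-ordering caution earlier in this section, as an added example that is not Peakhour's or the JA4+ project's code. It uses a simplified two-part hash rather than the full JA4 algorithm, and the cipher and extension lists are constructed sample values.

```python
import hashlib
import random

def digest(values):
    """12-hex-char truncated SHA-256 of comma-joined 4-digit hex code points."""
    joined = ",".join(f"{v:04x}" for v in values)
    return hashlib.sha256(joined.encode()).hexdigest()[:12]

def fingerprint(ciphers, extensions, sort_ciphers=False, sort_extensions=False):
    """Simplified two-part fingerprint: <cipher hash>_<extension hash>."""
    c = sorted(ciphers) if sort_ciphers else ciphers
    e = sorted(extensions) if sort_extensions else extensions
    return f"{digest(c)}_{digest(e)}"

def raw_signature(ciphers, extensions):
    """Unhashed, wire-order signature to log alongside the fingerprint."""
    fmt = lambda vals: "-".join(f"{v:04x}" for v in vals)
    return f"{fmt(ciphers)}_{fmt(extensions)}"

# Constructed sample values (real IANA code points, not captured traffic).
CIPHERS_A = [0x1301, 0x1302, 0x1303, 0xC02B, 0xC02F, 0xC02C, 0xC030]
CIPHERS_B = [0x1302, 0x1301, 0x1303, 0xC02C, 0xC030, 0xC02B, 0xC02F]  # same set, different preference
EXTENSIONS = [0x0000, 0x0017, 0xFF01, 0x000A, 0x000B, 0x0023, 0x0010,
              0x0005, 0x000D, 0x0012, 0x0033, 0x002D, 0x002B, 0x001B]

def shuffled_hellos(n, seed=1):
    """One client sending n hellos with its extension order randomised each time."""
    rng = random.Random(seed)
    return [rng.sample(EXTENSIONS, len(EXTENSIONS)) for _ in range(n)]

def count_unique(hellos, sort_extensions):
    """Distinct fingerprints seen for the same client across all hellos."""
    return len({fingerprint(CIPHERS_A, e, sort_extensions=sort_extensions) for e in hellos})

if __name__ == "__main__":
    hellos = shuffled_hellos(200)
    print("order-sensitive fingerprints:", count_unique(hellos, False))
    print("extension-sorted fingerprints:", count_unique(hellos, True))
    a = fingerprint(CIPHERS_A, EXTENSIONS, sort_ciphers=True, sort_extensions=True)
    b = fingerprint(CIPHERS_B, EXTENSIONS, sort_ciphers=True, sort_extensions=True)
    print("clients A and B collide when ciphers are sorted:", a == b)
    # The raw signatures still differ, which is what makes post-analysis possible.
    print("raw A:", raw_signature(CIPHERS_A, EXTENSIONS))
    print("raw B:", raw_signature(CIPHERS_B, EXTENSIONS))
```

Sorting extensions collapses the randomised client to a single value, while sorting ciphers merges two clients whose only difference is cipher preference order; the logged raw signature is what keeps them separable afterwards.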
The H2 Signature Choice
Peakhour opts for the H2 signature over the HTTP signature to enhance fidelity. Interestingly, JA4+ doesn't include an H2 signature, which is a detail worth pondering.
Nod to the Pioneers
Before digging further into JA4+'s features and limitations, it's worth acknowledging its predecessors. The Cisco Mercury format has significantly shaped the field of network fingerprinting. Its preference for raw signatures resonates with JA4+ and offers a proven method to tackle diverse signature production. The original JA3, by the same author as JA4+, also laid important groundwork.
Trade-offs and Future Avenues
While the ease of sharing signatures through SHA is appealing, there are limitations—most notably, potential compatibility issues. As Fastly noted, differences in the implementation can be hidden behind the SHA hash, causing issues when searching and correlating signatures between different services. JA4 tries to address this with open-source app support.
A New Chapter in Network Fingerprinting?
JA4+ embodies an exciting development in network fingerprinting. Its applicability, modularity, and extensibility provide a potent toolkit for threat-hunting and advanced security analysis. As the method continues to evolve, it's garnering high expectations for future enhancements and applications.
For further engagement and contribution, the official JA4+ repository is available. It's an open platform for the community to discuss, develop, and refine this promising toolset further.
We commend the overall initiative and the renewed interest in fingerprinting that JA4+ sparks. It's indeed a compelling next step in the complex dance of network security.