What is an SSL fingerprint?
It can be said that each browser generally has a fixed SSL fingerprint. For general users, as long as the default state is sufficient, the default is the default SSL fingerprint of the Google chrome browser.

Mainly you can set the number and order of cipher suites, which can resist some websites that use JA3 method to detect SSL fingerprints. Generally, each browser has a relatively fixed SSL fingerprint. When doing multi-account or anti-association projects, the change of the SSL fingerprint may play a certain role. However, if you don’t know what an SSL fingerprint is, it is recommended to still don't mess with it, because it may be counterproductive.

The JA3 method is used to collect the decimal values ​​of the bytes of the following fields in the client Hello packet: version, accepted ciphers, list of extensions, elliptic curve, and elliptic curve format. Then, separate each field with "," and the values ​​in each field with "-", concatenating the values ​​together in order.

JA3 is a method for creating SSL/TLS client fingerprints that should be easy to generate on any platform and easily shared for threat intelligence purposes.

Example client hello packet viewed in Wireshark

The order of the fields is as follows:

TLSVersion, Ciphers, Extensions, EllipticCurves, EllipticCurvePointFormats

example:

769,47–53–5–10–49161–49162–49171–49172–50–56–19–4,0–10–11,23–24–25,0

If there are no TLS extensions in the Client Hello, these fields will be left blank.

769,4–5–10–9–100–98–3–6–19–18–99,,,

These strings are then MD5 hashed to generate a 32-character fingerprint that is easy to use and share. This is the JA3 TLS client fingerprint.

769,47–53–5–10–49161–49162–49171–49172–50–56–19–4,0–10–11,23–24–25,0 → ada70206e40642a3e4461f35503241d5769,4–5–10–9– 100–98–3–6–19–18–99,,, → de350869b8c85de67a350c8d186f11e6

We also need to introduce some code to account for Google's GREASE (Generate Random Extensions And Sustain Extensibility), as described here. In fact, Google uses this mechanism to prevent scalability failures in the TLS ecosystem. However, JA3 ignores these values ​​entirely to ensure that programs using GREASE can still be fingerprinted with a single JA3 hash.

Websites that can be used for SSL fingerprinting:

https://browserleaks.com/ssl

Conclusion

JA3 and JA3S are a security analysis method based on TLS fingerprint. JA3 fingerprints can indicate how client applications communicate over TLS, and JA3 fingerprints can indicate server responses. If the two are combined, they essentially generate a fingerprint of the cryptographic negotiation between the client and server. While TLS-based detection methods are not necessarily a panacea or guaranteed mapping to client applications, they are always the axis of security analysis.

Lalicat anti fingerprint browser design SSL custom method, mainly to change the JA3 fingerprint of the virtual browser, which is not comprehensive, but also very simple and efficient. Hope can help some users who pursue perfectionism.