Jump to content

The demise of privacy Chapter IV: New JA4 browser fingerprint... to block traffic based on the "reputation".

Saxon

By Saxon
in Web Browsers

 Share

Recommended Posts

Saxon

Saxon

Posted
Posted

Can be checked here:

https://browserleaks.com/ip

"Fingerprinting TLS Clients with JA4 on F5 BIG-IP

What is JA4?

JA4 is a subset of the larger JA4+ set of network fingerprints.  JA4+ is a set of simple network fingerprints for a number of protocols that are intended to be both human and machine readable, and replaces the JA3 TLS fingerprinting standard from 2017 (Salesforce is no longer maintaining JA3).  Currently, JA4+ includes JA4/S/H/L/X/SSH, or JA4+ for short.

JA4+ Fingerprints

JA4 — TLS Client

JA4S — TLS Server Response

JA4H — HTTP Client

JA4L — Light Distance/Location

JA4X — X509 TLS Certificate

JA4SSH — SSH Traffic

More fingerprints are in development and will be added to the JA4+ family as they are released."

https://community.f5.com/kb/technicalarticles/fingerprinting-tls-clients-with-ja4-on-f5-big-ip/326298

3

Saxon

Saxon

Posted
  • Author
Posted

"Amazon CloudFront launches support for JA4 fingerprinting

Posted on: Oct 11, 2024

Amazon CloudFront now supports JA4 fingerprinting of incoming requests, enabling customers to allow known clients or block requests from malicious clients. The JA4 fingerprint is passed via the Cloudfront-viewer-ja4-fingerprint header. You can inspect the JA4 fingerprints using custom logic on your application web servers or using CloudFront Functions or Lambda@Edge.

A JA4 TLS client fingerprint contains a 38-character long fingerprint of the TLS Client Hello which is used to initiate a secure connection from clients. The fingerprint can be used to build a database of known good and bad actors to apply when inspecting HTTP requests. You can add the Cloudfront-viewer-ja4-fingerprint header to an origin request policy and attach the policy to your CloudFront distributions. You can then inspect the header value on your application web servers or in your Lambda@Edge and CloudFront Functions to compare the header value against a list of known malware fingerprints to block malicious clients. You can also compare the header value against a list of expected fingerprints to allow only requests bearing the expected fingerprints.

Cloudfront-viewer-ja4-fingerprint headers are available for immediate use in all CloudFront edge locations. You can enable JA4 fingerprint headers in the CloudFront Console or using the AWS SDK. There are no additional fees to use JA4 fingerprint headers. For more information, see the CloudFront Developer Guide."

https://aws.amazon.com/about-aws/whats-new/2024/10/amazon-cloudfront-ja4-fingerprinting/

3
NotHereToPlayGames

NotHereToPlayGames

Posted
Posted
2 hours ago, Saxon said:

Can be checked here:

https://browserleaks.com/ip

When I visit this link, the JA4 "fingerprint" CHANGES if I refresh the page!  That doesn't sound like a "fingerprint" to me.  Maybe it's something with Ungoogled Chromium?

Also, the middle section derived from Cipher Suites can easily be RANDOMIZED by a startup script that modifies cipher suites at every browser launch.

Much Ado About Nothing, in my opinion.

1
Sampei.Nihira

Sampei.Nihira

Posted
Posted (edited)
52 minutes ago, NotHereToPlayGames said:

When I visit this link, the JA4 "fingerprint" CHANGES if I refresh the page!  That doesn't sound like a "fingerprint" to me.  Maybe it's something with Ungoogled Chromium?

Also, the middle section derived from Cipher Suites can easily be RANDOMIZED by a startup script that modifies cipher suites at every browser launch.

Much Ado About Nothing, in my opinion.

Obviously.
Just delete from the various browsers you use even one Insecure Cipher Suites,different for different browsers,to have the parameters changed.
So you can have (n) browsers installed that report different parameters (but same user :)).
And among trillions of internet browsers IF THERE IS a website that uses these fingerprinting techniques (I would also like to know for what purpose a website that has the ability to analyze all this traffic on the net) manages to associate my 3 different values with 3 different browsers to my one person.

Not to mention that simply blocking js in any adblocker prevents the detection of these values.

 

Edited by Sampei.Nihira
NotHereToPlayGames

NotHereToPlayGames

Posted
Posted
9 hours ago, Sampei.Nihira said:

Not to mention that simply blocking js in any adblocker prevents the detection of these values.

Bingo!  I've been blocking js "by default" for over TWENTY YEARS.

And I don't do an "all or nothing" approach.  If a website (including my banking site) "requires" js, I don't allow the 20, or 30, or 40 js files, nope, I track which 4 or 5 are actually "needed".

Remember "NoScript"?  It's for people that don't know what they are doing!  It's for people that rely on "all or nothing".

Karla Sleutel

Karla Sleutel

Posted
Posted
22 hours ago, NotHereToPlayGames said:

If a website (including my banking site) "requires" js, I don't allow the 20, or 30, or 40 js files, nope, I track which 4 or 5 are actually "needed".

My grandma, along with hundreds of millions of other users, won't do it. So yeah, it's a new fingerprint standard.

3
Karla Sleutel

Karla Sleutel

Posted
Posted
On 10/14/2024 at 12:34 AM, Sampei.Nihira said:

Obviously.
Just delete from the various browsers you use even one Insecure Cipher Suites,different for different browsers,to have the parameters changed.

Wrong, it won't change the HTTP/2 Fingerprint (akamai hash), for example.

Besides, it will make you unique, so you again gave a bad advice on MSFN.

3
Sampei.Nihira

Sampei.Nihira

Posted
Posted (edited)
52 minutes ago, Karla Sleutel said:

Wrong, it won't change the HTTP/2 Fingerprint (akamai hash), for example.

Besides, it will make you unique, so you again gave a bad advice on MSFN.

The topic is JA4,so you went OT as usual.

Anyway dear Snow White,here are 2 images that prove you/you 4 are wrong.
Study,as usual,always the same exact advice.
If I enter the values of my Opera Android browser in the smartphone,the values are still different.

And moreover you still have NOT understood (but no wonder you 4 are famous in this forum for this ability of yours) that every website that violates privacy sooner or later is blocked by adblockers,anti-trackers browser,DNS and filter lists.....etc......etc...

1.png

2.png

Edited by Sampei.Nihira
Karla Sleutel

Karla Sleutel

Posted
Posted (edited)
11 hours ago, Sampei.Nihira said:

And moreover you still have NOT understood (but no wonder you are famous in this forum for this ability of yours)

Insulting, as you usual with you.

11 hours ago, Sampei.Nihira said:

 every website that violates privacy sooner or later is blocked by adblockers,anti-trackers browser,DNS and filter lists.....etc......etc...

 

Wishful thinking.

Edit. Still no proof.

Edited by Karla Sleutel
3
Karla Sleutel

Karla Sleutel

Posted
Posted
12 hours ago, Sampei.Nihira said:

Anyway dear Snow White,here are 2 images that prove you/you 4 are wrong.

We have no way of knowing what you had done to change the values, the screens only show the result, but not the process. 

 

12 hours ago, Sampei.Nihira said:

Anyway dear Snow White,here are 2 images that prove you/you 4 are wrong.

1.png

2.png

 

3
Tripredacus

Tripredacus

Posted
Posted
On 10/14/2024 at 3:34 AM, Sampei.Nihira said:

I would also like to know for what purpose a website that has the ability to analyze all this traffic on the net

This is an enterprise feature, based solely on this:
 

Quote

Amazon CloudFront now supports JA4 fingerprinting of incoming requests, enabling customers to allow known clients or block requests from malicious clients

A major issue in the modern enterprise is that a lot of the software is on the internet, and users are not tied down to a specific or regulated computing system anymore. You may have that for people in an office, but many people are using a large assortment of notebooks and mobile devices to access resources. So a use case scenario is if you have a web application that needs to be private, but the users are not in a regulated environment or even in the same location. In the past, you'd have to restrict access to an online resource either with user agents or IP addresses and that doesn't work for this scenario. And it has the potential to go beyond just requiring authentication, if you can block the entire site from those you don't want to see it.

1
Klemper

Klemper

Posted
Posted
On 10/14/2024 at 7:43 AM, NotHereToPlayGames said:

When I visit this link, the JA4 "fingerprint" CHANGES if I refresh the page! 

OS and the browser, please.

Karla Sleutel

Karla Sleutel

Posted
Posted
On 10/14/2024 at 10:35 PM, Sampei.Nihira said:

The topic is JA4,so you went OT as usual.

It's not off-topic because what you claim you did (changing cipher suites) also leads to the changes in those other HTTP2 fingerprints, but not akamai.

But you misunderstood as usual, and rude as usual. The moderators will decide who posts off-topic, not you.

3

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
 Share
Go to topic listing

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...