pts2024

Google killed JA3, should we be scared?
2024-07-05, 11:20–11:40 (Europe/Paris), Amphitheater

The JA3 technique has been successful for years at fingerprinting TLS implementations, but a recent update in Chrome is making it mostly useless. A new alternative algorithm named JA4 has been developed, but is it good enough?


The JA3 technique was used rather successfully for a few years to identify TLS implementations. This technique is based on the analysis of the client message sent at the beginning of the TLS handshake. It has been implemented in a wide range of tools such as Suricata, Nginx and Arkime, and it was good enough to find some malware families or identify some browser versions.

Sadly, it was incidentally killed by Google in 2023, after a change made in Chrome rendered the technique useless in most cases. A single Chrome version can have billions of JA3 fingerprints, and any other software can do the same in a few lines of code.

In this talk, we are going to analyze the JA3 failure, then look at its successor, JA4, which we will describe in detail on both the technical side and the legal side.
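Added example (not from the talk or from any JA3/JA4 implementation): JA3 hashes the ClientHello extension list in wire order, so a client that permutes its extensions on each handshake, as Chrome has done since 2023, yields a different hash every time, while sorting the list before hashing gives one stable value. The field values are constructed, and `permuted`, `sorted_fingerprint` and `survey` are hypothetical helper names; the sorted variant illustrates order-insensitive fingerprinting, an idea JA4 also relies on, and is not the JA4 algorithm.

```python
import hashlib
import random

# Constructed ClientHello fields (decimal IANA code points); not captured traffic.
HELLO = {
    "version": 771,  # 0x0303, the legacy_version field
    "ciphers": [4865, 4866, 4867, 49195, 49199],
    "extensions": [0, 23, 65281, 10, 11, 35, 16, 5, 13, 18, 51, 45, 43, 27, 21],
    "curves": [29, 23, 24],
    "point_formats": [0],
}

def ja3(hello):
    """JA3: MD5 over five comma-separated fields, values dash-joined in wire order."""
    fields = [str(hello["version"])] + [
        "-".join(map(str, hello[key]))
        for key in ("ciphers", "extensions", "curves", "point_formats")
    ]
    return hashlib.md5(",".join(fields).encode()).hexdigest()

def permuted(hello, rng):
    """Same client, same extension set, emitted in a different order."""
    out = dict(hello)
    out["extensions"] = rng.sample(hello["extensions"], len(hello["extensions"]))
    return out

def sorted_fingerprint(hello):
    """Order-insensitive variant: sort the extension list before hashing."""
    out = dict(hello)
    out["extensions"] = sorted(hello["extensions"])
    return ja3(out)

def survey(n=1000, seed=1):
    """Count distinct fingerprints observed over n handshakes from one client."""
    rng = random.Random(seed)
    hellos = [permuted(HELLO, rng) for _ in range(n)]
    plain = {ja3(h) for h in hellos}
    normalized = {sorted_fingerprint(h) for h in hellos}
    return len(plain), len(normalized)

if __name__ == "__main__":
    plain, normalized = survey()
    print(f"distinct JA3 hashes: {plain}, distinct sorted-order hashes: {normalized}")
```

With 15 extensions there are 15! (about 1.3 trillion) possible orderings, so a detection rule or allow-list keyed on a single JA3 hash stops matching such a client.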

See also: Slides

Éric Leblond is the co-founder and chief technology officer (CTO) at Stamus Networks. He sits on the board of directors at Open Network Security Foundation (OISF). Éric has more than 15 years of experience as co-founder and technologist of cybersecurity software companies and is an active member of the security and open-source communities. He has worked on the development of Suricata – the open-source network threat detection engine – since 2009 and is part of the Netfilter Core team, responsible for the Linux kernel's firewall layer. Éric is a respected expert and speaker on all things network security.

Éric resides in Escalles, France.