JA3/JA3S for Client Fingerprinting

[Sightem]

I was looking at the client fingerprinting logic within the CServerHandler::fingerprintForRequest function here, I am wondering if TLS fingerprinting, specifically JA3 has been considered as an alternative/addition to HTTP headers and IP address hashing.

[vaxerski]

I was pondering that as well, and although for now we could just do it for 10 mins, what if we want to add in the future token invalidation? Oh well, I guess we'll have to rely on the clients not being specifically designed to bypass checkpoint

[vaxerski]

oh woops I answered the wrong issue with this lol 10am me

[vaxerski]

I haven't considered any other methods, why would JA3 be better? We just need a basic fingerprint that has no chance of legitimately changing

[Sightem]

I haven't considered any other methods, why would JA3 be better? We just need a basic fingerprint that has no chance of legitimately changing

well currently it relies on the ip address, a lot of residential ISPs have really high volatility so the fingerprint will break constantly (this is the case in at least Turkey and Morocco from what I know). Modern browsers (or at least chrome and firefox) intentionally randomize the order of TLS extensions though, so hash is different every time the client refreshes the page. python, go, and curl do not implement this however. Stability can be achieved though, check this out. Essentially you just take only the SSLExtension component, treat the hyphen-separated numbers as a list of integers, and sort that list numerically in ascending order. then when the packets are received the TLS layers can be parsed, sorted, and fingerprinted

[Sightem]

oh woops I answered the wrong issue with this lol 10am me

EU x NA collab real

[vaxerski]

have really high volatility

how high are we talking? do they literally change every 5 minutes? that sounds impossibly excessive

[Sightem]

how high are we talking? do they literally change every 5 minutes? that sounds impossibly excessive

Lowest I've seen has been ~10 minutes, mind you this is without any form of router/setup restarts. though i should also say this was a rare case, but across Turkey ips change 3-4 times a day and its very consistent between ISPs

[vaxerski]

with our TTL of the token of 1 hour that should not be a problem