
What is TLS fingerprinting?

A method of identifying clients by inspecting the exact shape of their HTTPS handshake.

Layer: Transport security and protocol negotiation
Visible to: The destination server and any service terminating TLS
Why it matters: It can identify the client before most application logic runs

TLS fingerprinting measures how your browser negotiates encryption, not what it says in JavaScript.

When a browser opens an HTTPS connection, it begins with a handshake that advertises what encryption methods and protocol features it supports. That handshake has structure. It includes supported cipher suites, extensions, protocol versions, and ordering choices that vary across browsers, operating systems, and client libraries.

Those differences are useful to defenders, but they are also useful to trackers and anti-bot vendors. A server can record the exact shape of the handshake and derive a compact signature from it. The best known example is JA3, with newer variants extending that idea further.

TLS fingerprinting matters because it happens early. It does not depend on JavaScript execution, cookies, or user interaction. If a client sends a recognizable handshake, the server can begin classifying that request before most of the page experience exists.

The identifying signal is in the handshake itself.

  • 1. The browser starts HTTPS negotiation

    Before a page fully loads, the browser sends a TLS ClientHello message describing the features it supports for encrypted communication.

  • 2. The server records the handshake details

    The site or an attached security service can inspect the exact parameters sent in that handshake, including ordering, supported suites, and protocol options.

  • 3. A fingerprint is derived

    Those values can be serialized or hashed into a stable identifier such as JA3, making it easier to recognize the same client implementation later.

  • 4. The result is used in risk models

    TLS fingerprints are commonly fed into bot detection, fraud scoring, and anti-abuse systems because they are available before most page-level scripts run.

TLS fingerprints are attractive because they are available immediately and hard to fake well.

  • Fraud and bot detection

    Commercial anti-abuse tools often compare incoming TLS handshakes against known browser patterns and known automation stacks.

  • Client classification

    A server can often tell whether traffic looks like a mainstream browser, a custom HTTP client, or a tool with an unusual TLS implementation.

  • Cross-layer correlation

    TLS is especially valuable because it can be combined with HTTP header order, JavaScript signals, and IP metadata to strengthen identification.

A VPN usually changes the source IP address, not the browser or client library generating the TLS ClientHello. That is why TLS fingerprinting often survives a network change.

404 directly targets the handshake layer by replacing the TLS signature a site sees.

TLS fingerprinting is one of the layers 404 is designed to address directly. Instead of leaving your native browser handshake untouched, 404 rewrites handshake characteristics so the connection is no longer broadcasting the same default cipher ordering and client signature that your machine would normally expose.

That matters because it closes part of the gap left by ordinary privacy tools. A VPN can change network location, but it does not rewrite the browser's TLS profile. 404 aims to make that layer less stable and less useful for correlation, while acknowledging that no tool can guarantee perfect resistance against every classifier or every future detection model.
