Characterizing a TLS Session with ja3

Salesforce created ja3 to fingerprint TLS traffic with the idea of using it to characterize benign and malicious traffic. The original idea for this tool came from Lee Brotherston and was presented at DerbyCon.

In this post, we walk through a test case where we use the tool to fingerprint locally generated traffic.

Steps

Download ja3 from github. ja3 has bindings to many languages and tools, but we are only interested in the Python version found in the python/ subdirectory.

$ git clone https://github.com/salesforce/ja3
$ ls python/ja3.py

Configure tcpdump to listen for HTTPS traffic. There are tcpdump options to pare down the packet capture to record only TLS client hellos, but we are not using them here for simplicity’s sake.

$ sudo tcpdump -A 'tcp port 443' -w curl_https.pcap

Generate TLS traffic,

$ curl https://www.google.com

Kill the tcpdump session to stop recording and run the PCAP through ja3 to generate a digest,

$ ./ja3.py --json curl_https.pcap
{
    "destination_ip": "172.217.6.196", 
    "destination_port": 443, 
    "ja3": "771,4866-4867-4865-49196-49200-159-52393-52392-52394-49195-49199-158-49188-49192-107-49187-49191-103-49162-49172-57-49161-49171-51-157-156-61-60-53-47-255,0-11-10-13172-16-22-23-13-43-45-51-21,29-23-30-25-24,0-1-2", 
    "ja3_digest": "456523fc94726331a4d5a2e1d40b2cd7", 
    "source_ip": "XXX.XXX.XXX.XXX"
    "source_port": 37316, 
    "timestamp": 1571059401.57057
}

Conclusion

Let’s look up our fingerprint ("ja3_digest": "456...") in a database. Unfortunately for us, it’s not found there. We tried other databases to no avail. Either the public databases are incomplete, or this version of curl (7.58.0) is so new that it has never been characterized. Maybe there are some commercial databases that are more exhaustive.