Skip to content
Pricing
Log InStart Free TrialBook a Demo
Fingerprinting

TLS Fingerprinting

TLS fingerprinting is a technique that identifies the software making an HTTPS connection by inspecting the parameters of its TLS handshake, particularly the ClientHello message. Because different TLS libraries and clients advertise cipher suites, extensions, and versions in characteristic ways, the handshake reveals the underlying client even without any application-level data.

How it works

How TLS Fingerprinting works

When a client opens an HTTPS connection it sends a ClientHello that lists the TLS versions it supports, its ordered cipher suites, supported extensions, elliptic curves, and signature algorithms. These choices are determined by the TLS library and its configuration, so they form a recognizable pattern for each client stack.

A server or middlebox captures these fields and encodes them into a compact fingerprint, historically with schemes like JA3 and more recently JA4. The fingerprint summarizes the handshake so that connections from the same client software produce the same value, independent of IP address or user agent.

TLS fingerprinting operates below the HTTP layer, which makes it hard for an application to fake convincingly. A tool can set any user-agent string it likes, but its TLS handshake still reflects the real library it uses, exposing mismatches between the claimed browser and the actual client.

Because it captures the client stack rather than the device, TLS fingerprinting is coarser than browser fingerprinting for distinguishing individuals but excellent for classifying the type of client and spotting automation.

Why it matters

Why TLS Fingerprinting matters for fraud prevention

TLS fingerprinting is powerful for bot and automation detection because scripting tools and libraries have TLS signatures that differ from mainstream browsers. When a request claims to be Chrome but presents the TLS handshake of a scripting library, that contradiction is a strong fraud indicator. Operating at the network layer, it resists the header spoofing that defeats simpler checks.

With TRACIO

How TRACIO handles it

TRACIO uses network-layer signals, including TLS handshake characteristics, as part of its server-side Smart Signals and bot detection. This complements client-side identification by catching automation that mimics browser headers but cannot replicate a genuine browser TLS stack. Combined with IP Intelligence, it helps separate real browsers from tooling regardless of the user-agent claimed.

FAQ

Frequently asked questions

Identify every device with confidence

Start with a free plan of 2,500 API calls per month. No credit card required.