(This is partially redundant with FoxIO-LLC/ja4-nginx-module#10, but I believe it is worth creating the issue here since the root cause is in the specs rather than in the nginx module implementation, and the two repos appear to be maintained by different people.)
In JA4 Technical Details, when defining Number of Ciphers, the doc didn't clarify whether Signalling Cipher-Suite Values (SCSVs) should be counted or excluded. At least two SCSVs are involved:
- TLS_EMPTY_RENEGOTIATION_INFO_SCSV, with value 0x00ff, defined in RFC 5746, which is quite commonly seen in the real world
- TLS_FALLBACK_SCSV, with value 0x5600, defined in RFC 7507
In a simple test using curl as the client, the ja4 nginx module generated:
While on the same TLS request, the ja4 plugin in Wireshark generated:
The differences between them are highlighted.
The ambiguous definition could also potentially cause a third-party implementation to produce incompatible values (when using a different language or library, or even different functions in the same library for obtaining the cipher suites), much like what happened on ja3er.
@secmobi @tozh Thanks for bringing this up! Do you have a pcap example?
My initial thought is to update the spec to include these in the count and hash when present as they help to identify specific TLS implementations. The downside being that this would increase the number of potential fingerprints a specific library could produce but that's outvalued by the fact that it would tell a better story of what is happening in the connection.
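Added example (not part of the issue thread and not FoxIO's code): a sketch of how the two readings of "Number of Ciphers" change both the two-digit cipher count and the truncated SHA-256 cipher hash of a JA4 fingerprint. It assumes the JA4 conventions of ignoring GREASE values, sorting the four-character lowercase hex ciphers, and keeping the first 12 hex characters of the hash; the cipher list and all function names are constructed for illustration.

```python
import hashlib

# SCSVs named in the issue (RFC 5746 and RFC 7507).
SCSVS = {0x00FF: "TLS_EMPTY_RENEGOTIATION_INFO_SCSV", 0x5600: "TLS_FALLBACK_SCSV"}


def is_grease(value: int) -> bool:
    """GREASE values (RFC 8701) look like 0x?A?A with both bytes equal."""
    return (value & 0x0F0F) == 0x0A0A and (value >> 8) == (value & 0xFF)


def cipher_parts(ciphers, count_scsv: bool):
    """Return (two-digit cipher count, 12-hex-char cipher hash).

    count_scsv selects the interpretation the issue says the spec leaves open.
    """
    kept = [c for c in ciphers if not is_grease(c)]
    if not count_scsv:
        kept = [c for c in kept if c not in SCSVS]
    count = f"{min(len(kept), 99):02d}"
    if not kept:
        return count, "0" * 12  # assumed JA4 convention for an empty list
    joined = ",".join(sorted(f"{c:04x}" for c in kept))
    return count, hashlib.sha256(joined.encode()).hexdigest()[:12]


def compare(ciphers):
    """Compute both interpretations and report whether they diverge."""
    with_scsv = cipher_parts(ciphers, count_scsv=True)
    without_scsv = cipher_parts(ciphers, count_scsv=False)
    return {"with_scsv": with_scsv, "without_scsv": without_scsv,
            "diverges": with_scsv != without_scsv}


# Constructed ClientHello cipher list (not taken from the issue's capture):
# one GREASE value, three TLS 1.3 suites, two ECDHE suites, then 0x00ff.
SAMPLE = [0x0A0A, 0x1301, 0x1302, 0x1303, 0xC02B, 0xC02F, 0x00FF]

if __name__ == "__main__":
    for name, value in compare(SAMPLE).items():
        print(name, value)
```

Two implementations that disagree only on SCSV handling produce different fingerprints for the same ClientHello, so detection rules or allowlists keyed on one tool's output will not match the other's.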