
Background.

Context. I use Firefox, Google Chrome, or Chromium on Linux.

Question. How to have my browser resist the JA3 fingerprint, so that sites don't identify me by it?

Thoughts. I guess it may involve a way to randomise the way my client negotiates TLS connections? Any way to randomise the content of my TLS HELLO messages?

caveman

1 Answer


> How to have my browser resist the JA3 fingerprint, so that sites don't identify me by it?

The JA3 fingerprint is specific for the browser and might differ between browser versions. This means the same JA3 fingerprint is shared with hundreds of thousands or even millions of users. Thus sites can at most use it to identify the browser, but not identify or track the specific user behind the browser.

Steffen Ullrich
  • Not really true. It depends on the community. I use Linux, for example, and my version can make me unique in some websites. Plus, total uniqueness is not really the goal. It suffices that this will leak some information: i.e. gives up some entropy. Then, combining JA3 with other techniques can combinatorically lead to perfect identification. The question is not whether the amount of information leaked by JA3 is a problem (it can be depending on the community, and the combinatoric effect with other techniques). The question is: how to resist JA3. – caveman Oct 18 '21 at 15:14
  • @caveman: If you want to resist fingerprint identification you need to blend in, not be unique. And blending in is already done with JA3 - you share the same fingerprint with many other users of the same browser. The problem is that other things are way more unique in your browser or environment, so that it makes more sense for an adversary to use these as fingerprint and not care about the lack of granularity in JA3. – Steffen Ullrich Oct 18 '21 at 16:14
  • @caveman: *"I use Linux, for example, and my version can make me unique in some websites."* - the JA3 fingerprint is not specific to a website but only depends on the client, specifically the contents of the TLS ClientHello. I just checked Firefox, Chrome and Chromium on Linux: Chrome and Chromium have the same fingerprint and share it with the versions on Mac and Windows - which is no wonder since they all use BoringSSL as TLS stack. Firefox has a different fingerprint but shared with Firefox on Windows, since in all cases the NSS TLS Stack is used. – Steffen Ullrich Oct 18 '21 at 16:28
  • Irrelevant. Linux versions often differ from that of Windows. E.g. there is a lag until the version gets distributed in repositories. Some use older, but patched ones. Some allow to use testing releases, etc. – caveman Oct 18 '21 at 18:46
  • Any idea how often BoringSSL's HELLO content changes as a function of version changes of these browsers? – caveman Oct 18 '21 at 18:48
  • @caveman: There is rarely the need to change what makes up the fingerprint, i.e. ciphers, cipher order, extensions. This means the fingerprints are very stable. – Steffen Ullrich Oct 18 '21 at 20:25
  • So, you mean JA3 is not a good fingerprinting technique? – caveman Oct 18 '21 at 22:05
  • @caveman: JA3 fingerprints are not suitable to distinguish users. That's also not the design goal. It is used instead to fingerprint different TLS clients, i.e. browsers, software updates, malware communication etc and to associate a specific fingerprint with a specific behavior. This can be used to detect malware communication, i.e. new JA3 fingerprint or unusual behavior with known fingerprint. – Steffen Ullrich Oct 18 '21 at 22:11
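
Added example, not part of the original thread: a sketch of how an observer derives JA3 from a ClientHello, following the published JA3 definition (MD5 over the version, cipher suites, extension types, supported groups and point formats, with GREASE values dropped). The names `ja3`, `u16s`, `is_grease` and `build_hello` and the sample hellos are constructed for illustration; the parser assumes one well-formed TLS record that carries an extensions block.

```python
import hashlib
import struct

def is_grease(v):  # RFC 8701 GREASE values (0x0a0a ... 0xfafa) are dropped by JA3
    return (v & 0x0f0f) == 0x0a0a and (v >> 8) == (v & 0xff)

def u16s(data):
    return [v for (v,) in struct.iter_unpack("!H", data)]

def ja3(record):
    """Return (ja3_string, md5_hex) for one TLS record holding a ClientHello."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a ClientHello handshake record")
    body = record[9:]                  # skip 5-byte record + 4-byte handshake header
    version = struct.unpack_from("!H", body)[0]
    pos = 35 + body[34]                # skip version, random (32), session_id: not hashed
    n = struct.unpack_from("!H", body, pos)[0]
    ciphers = u16s(body[pos + 2:pos + 2 + n])
    pos += 2 + n
    pos += 1 + body[pos]               # compression methods: not hashed
    exts, groups, formats = [], [], []
    pos, end = pos + 2, pos + 2 + struct.unpack_from("!H", body, pos)[0]
    while pos + 4 <= end:
        etype, elen = struct.unpack_from("!HH", body, pos)
        edata = body[pos + 4:pos + 4 + elen]
        pos += 4 + elen
        exts.append(etype)             # only the type is hashed, not e.g. the SNI name
        if etype == 10:                # supported_groups
            groups = u16s(edata[2:])
        elif etype == 11:              # ec_point_formats
            formats = list(edata[1:])
    fields = [[version], ciphers, exts, groups, formats]
    text = ",".join("-".join(str(v) for v in f if not is_grease(v)) for f in fields)
    return text, hashlib.md5(text.encode()).hexdigest()

def build_hello(ciphers, groups, random, host):  # hypothetical helper: constructed input
    pk, name = struct.pack, host.encode()
    ext = lambda t, d: pk("!HH", t, len(d)) + d
    sni = ext(0, pk("!HBH", len(name) + 3, 0, len(name)) + name)
    grp = ext(10, pk("!H", 2 * len(groups)) + pk(f"!{len(groups)}H", *groups))
    exts = sni + grp + ext(11, b"\x01\x00")
    body = (pk("!H", 0x0303) + random + b"\x00" + pk("!H", 2 * len(ciphers))
            + pk(f"!{len(ciphers)}H", *ciphers) + b"\x01\x00" + pk("!H", len(exts)) + exts)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + pk("!H", len(hs)) + hs

SUITES, GROUPS = [0x1301, 0x1302, 0xc02b, 0xc02f], [29, 23]  # constructed sample values
A = build_hello([0x1a1a] + SUITES, [0x2a2a] + GROUPS, b"\x11" * 32, "a.example")
B = build_hello([0x4a4a] + SUITES, [0x6a6a] + GROUPS, b"\x22" * 32, "b.example")
C = build_hello([0x1a1a] + SUITES[::-1], [0x2a2a] + GROUPS, b"\x11" * 32, "a.example")
```

`A` and `B` differ in random bytes, GREASE values and server name yet produce the same JA3, while `C` only reverses the cipher order and produces a different one: the hash describes the TLS stack's configuration, not the individual connection or user.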