What does HackerNews think of ja3?

JA3 is a standard for creating SSL client fingerprints in an easy to produce and shareable way.

Language: Python

This paper is nice, but it goes over some finer technical things. So, not about the great wall, but there are projects out there, like this one https://github.com/salesforce/ja3 , which talk about how you can fingerprint fully encrypted traffic (TLS/HTTPS). There's a great section in the Readme "How it works" that goes over it. Would be surprising if the great wall doesn't do this, when some open source firewall will.

It's sufficient to identify you since there is still all other tracking data any browser supplies as part of the HTTPS connection handshake [1].

It's also not necessary to have Mozilla be the bad actor. Anyone who has access to the information in the future is a possible bad actor as they might be able to cross-reference the allegedly "innocuous" information with some future, more-pervasive data.

---

[1] - https://github.com/salesforce/ja3

Not only that - enterprise bot management protections will run behavioral identification (e.g. how your mouse moves -> AI -> bot yes/no), TCP stack fingerprinting (and other devices if available e.g. gyroscope), TLS ClientHello fingerprinting (e.g. see https://github.com/salesforce/ja3), etc. Lots of very unique info in the Scraping Enthusiasts discord where lots of pro scrapers hang out.

Fingerprinting something like this would be trivial, they've probably already done it. Using the ja3 library [1] you can make pretty good deterministic TLS connection fingerprints, and that works fine for traffic that you can't decrypt. IDS/IPS software has used similar methods to identify and block encrypted traffic for some time now.

[1] https://github.com/salesforce/ja3
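
Why such a fingerprint needs no decryption, as an added example that is not part of the thread and not the salesforce/ja3 code: the JA3 string is built only from fields of the plaintext ClientHello, with GREASE values dropped, and then MD5-hashed. `SAMPLE` and the function name are constructed for illustration.

```python
import hashlib
import struct

# GREASE values (RFC 8701) are randomized per connection, so JA3 drops them.
GREASE = {(b << 8) | b for b in range(0x0A, 0x100, 0x10)}

# Constructed sample ClientHello (not captured traffic); includes GREASE entries.
SAMPLE = bytes.fromhex(
    "01000047" "0303" + "00" * 32 + "00"
    "0006" "0a0a1301c02f" "0100"
    "0018" "1a1a0000" "000a00060004001d0017" "000b00020100" "00170000"
)

def ja3_from_client_hello(hs: bytes):
    """Return (ja3_string, md5_hex) for a raw ClientHello handshake message."""
    if len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("not a ClientHello handshake message")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 0

    def take(n):
        # Consume n bytes of the body, refusing to read past its end.
        nonlocal pos
        pos += n
        if pos > len(body):
            raise ValueError("truncated ClientHello")
        return body[pos - n:pos]

    def u16s(data):
        return [v for (v,) in struct.iter_unpack("!H", data) if v not in GREASE]

    version = int.from_bytes(take(2), "big")
    take(32)                                    # random
    take(take(1)[0])                            # session_id
    ciphers = u16s(take(int.from_bytes(take(2), "big")))
    take(take(1)[0])                            # compression methods
    exts, curves, formats = [], [], []
    if pos < len(body):
        ext_len = int.from_bytes(take(2), "big")
        ext_end = pos + ext_len
        while pos < ext_end:
            etype, elen = struct.unpack("!HH", take(4))
            data = take(elen)
            if etype in GREASE:
                continue
            exts.append(etype)                  # order is kept, not sorted
            if etype == 10:                     # supported_groups
                curves = u16s(data[2:])
            elif etype == 11:                   # ec_point_formats
                formats = list(data[1:])
    fields = [[version], ciphers, exts, curves, formats]
    ja3 = ",".join("-".join(map(str, f)) for f in fields)
    return ja3, hashlib.md5(ja3.encode()).hexdigest()
```
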

Tools like JA3 https://github.com/salesforce/ja3 can fingerprint TLS traffic to provide one way to perform some type of evaluation. Defender can detect on a lot of other things like an application's behavior.

Unfortunately I don't have much reading material to provide. It's a bit of an arms war, so the latest and greatest countermeasures are typically kept secret/protected by NDA. The rabbit hole can go very deep and can differ from company to company.

The most drastic example I can think of was an unverified rumor that a certain company would "fake" log users in when presented with valid credentials from a client they considered suspicious. They would then monitor what the client did - from the client's point of view it successfully logged in and would begin normal operation. If the server observed the device was acting "correctly" with the fake login token, they would fully log it in. If the client deviated from expected behavior, it would present false data to the client & ban the client based on a bunch of fancy fingerprinting.

Every once in a while, someone will publish their methods/software; Salesforce and their SSL fingerprinting software comes to mind: https://github.com/salesforce/ja3