Normalizing Client Hellos #15

Open
austincollinpena opened this issue Mar 3, 2023 · 3 comments
Comments

@austincollinpena

Is there a mechanism to normalize client hellos? Chrome is randomizing order: https://hnull.org/2022/12/01/sorting-out-randomized-tls-fingerprints/

@ghost

ghost commented Apr 22, 2023

I don't understand what the concern is here, can you clarify? It seems Chrome is randomizing the client hello, on purpose. They don't want a server seeing a JA3 and saying "that's Chrome". What is the issue?

@austincollinpena
Author

If you are a programmer or a fan of anagrams, the way to create fingerprints that are robust against randomization has probably already occurred to you: sort the extensions into order. We recently introduced a new format for TLS fingerprints in NPF, called npf:tls/1, which does just that. The slash and digit are just part of the naming scheme used to identify how a fingerprint was formed (NPF uses a URI scheme). The NPF QUIC fingerprint definition has always used sorting, for the same reason.

If we want to continue tracking browsers like Chrome or Firefox, it is possible through normalizing the client hellos.

@dreadl0ck
Owner

Hi @austincollinpena, thanks for sharing the blog post, just saw this.

Very interesting to see that browser vendors are trying to implement countermeasures and that the JA3 still provides enough features to uniquely identify clients even after sorting:

That is, 98.8% of the fingerprints are still distinct after sorting, because there are a lot of other data features in the fingerprints, and a lot of inherent diversity in implementations

Sorting should be fairly straightforward to implement, would love to see that as an extra option for the package.

Will give it a shot once I find some time.
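
The sorting idea discussed in this thread, applied to a bare JA3 string (`Version,Ciphers,Extensions,Curves,PointFormats`), as an added example that is not code from this package or from NPF. `NormalizeJA3`, `Digest` and the two sample strings are hypothetical and constructed; the input is assumed to have GREASE values already dropped, as JA3 does.

```go
package main

import (
	"crypto/md5"
	"encoding/hex"
	"fmt"
	"sort"
	"strconv"
	"strings"
)

// Constructed samples: one client whose extension order differs per connection.
const SampleA = "771,4865-4866-4867,0-23-65281-10-11-35-16,29-23-24,0"
const SampleB = "771,4865-4866-4867,35-16-0-11-65281-23-10,29-23-24,0"

// NormalizeJA3 sorts the extension field of a bare JA3 string (hypothetical helper).
func NormalizeJA3(bare string) (string, error) {
	fields := strings.Split(bare, ",")
	if len(fields) != 5 {
		return "", fmt.Errorf("expected 5 JA3 fields, got %d", len(fields))
	}
	if fields[2] == "" { // no extensions offered: nothing to sort
		return bare, nil
	}
	parts := strings.Split(fields[2], "-")
	ids := make([]int, len(parts))
	for i, p := range parts {
		n, err := strconv.ParseUint(p, 10, 16) // extension types are 16-bit
		if err != nil {
			return "", fmt.Errorf("bad extension id %q: %w", p, err)
		}
		ids[i] = int(n)
	}
	sort.Ints(ids) // numeric sort, so 10 comes before 23 and 65281 comes last
	for i, n := range ids {
		parts[i] = strconv.Itoa(n)
	}
	fields[2] = strings.Join(parts, "-")
	return strings.Join(fields, ","), nil
}

// Digest returns the hex MD5 of a bare string, the hash form JA3 uses.
func Digest(bare string) string {
	sum := md5.Sum([]byte(bare))
	return hex.EncodeToString(sum[:])
}
func main() {
	a, _ := NormalizeJA3(SampleA)
	b, _ := NormalizeJA3(SampleB)
	fmt.Println(Digest(SampleA) == Digest(SampleB), Digest(a) == Digest(b))
}
```

Only the extension list is reordered; cipher suites, curves and point formats keep their order, so the normalized digest is a different value from the standard JA3 hash and has to be stored and matched as its own fingerprint type.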
