wi1dcard/fingerproxy

Clarifying the Scrapfly JA3

jjsaunier opened this issue · 2 comments

I came across your project and saw "JA3 and HTTP2 fingerprint; JA3 result is probably incorrect". I'm part of Scrapfly, so let me clarify:

https://scrapfly.io/web-scraping-tools/ja3-fingerprint
JA3 and HTTP2 fingerprint; JA3 result probably needs to be corrected (it doesn't match Wireshark's result).

We made the decision not to read the deprecated TLS version from the handshake on version >= TLS1.3 but read the "supported_versions." The original ja3 implementation is now old, and it makes no sense for us to get a fingerprint that does not reflect the version. In TLS1.3, you get 771 on the original ja3 (771 is the TLS1.2 version); our version gives the correct version, 772. https://datatracker.ietf.org/doc/html/rfc8446#section-1.3.

You can see both fields on https://scrapfly.io/web-scraping-tools/ja3-fingerprint page, "Handshake Version" vs. "Supported Versions"

So yes, our Ja3 is not comparable with others, as we are not interested in getting fingerprints that do not reflect the actual client, TLS1.2 and TLS1.3 having the same config can't collide.

Feel free to close ;)

Hi @jjsaunier, thanks for the clarification. That makes sense. The original JA3 implementation is quite outdated. I agree that it is necessary to make a few changes to the old JA3, such as using the supported_versions extension, and sorting the extensions.

I will fix the readme soon. :)

p-l- commented

@jjsaunier regardless of who is "correct" / who makes "the right choice" in that situation, it is important to note that your choice creates different fingerprints that cannot be compared with existing JA3 implementations that comply with the "norm", and with JA3 fingerprint databases (and given that JA3 values are hashes, they are really impossible to compare). Hence, it's IMO misleading to call it "JA3"

If Scrapfly calls "JA3" something that is not "the original JA3" (even if that's something "better" than JA3, really, that is not my point), then it is true to say that Scrapfly's JA3 result is incorrect.

Also, the existence of a "supported version" TLS extension will be seen in the "extensions" part of JA3 (so a TLS 1.2 and TLS 1.3 will have different fingerprints even if they are exactly the same apart from the version).