How to Configure JA3 Fingerprint on VergeCloud for Improved Threat Detection

Setting Up JA3 Fingerprint on VergeCloud: Enhance Website Security and Threat Detection

VergeCloud JA3 Fingerprint

The JA3 Fingerprint feature lets you identify the SSL/TLS clients that send requests to your website, independently of port, IP address, or HTTP parameters. This allows you to recognize a client by its SSL/TLS characteristics even if it changes its User Agent, port, or IP address.

Glossary

  • JA3 Fingerprint: A unique identifier for SSL/TLS clients based on the parameters the client sends during the TLS handshake.
  • SSL/TLS: Secure Sockets Layer / Transport Layer Security, protocols for establishing a secure communication channel over a computer network.
  • TLS Handshake: The process where the client and server establish the parameters of their communication, including security settings.

Real Usage Scenarios

For example, a financial institution can use the JA3 Fingerprint feature to monitor and analyze the SSL/TLS clients accessing its services. By identifying specific fingerprints associated with known malicious activity, it can strengthen its security measures against potential threats.

How JA3 Fingerprint Works

JA3 generates a fingerprint of the SSL/TLS client, providing a distinct identifier for each client based on the parameters it sends during the TLS handshake.

To compute the JA3 Fingerprint, the following values are extracted from the TLS handshake:

  • SSL/TLS Version
  • List of Offered Cipher Suites
  • List of Offered SSL Extensions
  • Elliptic Curve List (if available)
  • Elliptic Curve Point Formats (if available)

By consolidating these values and calculating an MD5 hash, the JA3 Fingerprint for each request is derived.

Activate JA3 Fingerprint

You can enable JA3 Fingerprint calculation for requests to your website with a single click in the VergeCloud CDN. To turn on this feature, enable the Calculate JA3 Fingerprint option in the HTTPS settings section.

To access and monitor the JA3 Fingerprint of requests to your website, enable the JA3 Fingerprint field in the Log Forwarding menu under the HTTP Requests section so that its values are included in your logs.

After retrieving and verifying the JA3 Fingerprint values for each request, you can act on them in the VergeCloud Firewall by identifying malicious requests that share the same fingerprint. To do this, create a new rule in the VergeCloud CDN's Firewall Settings and set the rule parameter to JA3 Fingerprint, then block these requests using the hash values extracted from the logs. When verifying, keep in mind that clients built on the same TLS library and configuration produce the same hash, so check that a fingerprint does not also match legitimate traffic before blocking it.