# JA3/JA3S Hashes

The TLS negotiation between a client and a server has a fingerprint. The fingerprint can be used to identify the type of encrypted communication.

TLS is used to encrypt communication for privacy and security. HTTP uses TLS in HTTPS as do most command and controls frameworks.To initiate a TLS session, a client will send a TLS Client Hello packet after the TCP 3-way handshake. This packet and the way in which it is generated is dependent on the client application. The server will respond with a TLS Server Hello packet that is formulated based on server-side libraries, configurations, and the Client Hello. Because TLS negotiations are transmitted in the clear, it’s possible to fingerprint and identify client applications.

Things to look for:

* Frequently changing JA3/JA3S hashes
* Numerous JA3 hashes from a single host
* Unvarying and unknown JA3/JA3s hashes

## References:

* <https://github.com/salesforce/ja3>
* <https://engineering.salesforce.com/tls-fingerprinting-with-ja3-and-ja3s-247362855967>
* <https://engineering.salesforce.com/open-sourcing-ja3-92c9e53c3c41>
* <https://www.vectra.ai/blogpost/is-there-still-value-in-ja3-fingerprinting>&#x20;


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://howto.thec2matrix.com/detection/ja3-ja3s-hashes.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.