JA4 Fingerprint 'not working' as expected

Hey Guys,

My understanding of using const ja4_fingerprint = request.headers.get("x-vercel-ja4-digest") is that it should be unique; however, I am getting the same fingerprint as others in my organisation, and we’re all located in different parts of the world. I’m in SA JHB, a colleague is in SA CPT, and another colleague is in Italy.

Interestingly a similar issue: Vercel TLS Fingerprint
Their stated fingerprint is EXACTLY what I’m seeing: t13d1516h2_8daaf6152771_02713d6af862

So first is my understanding correct? Should these fingerprints be unique?

I initially thought it was because we use Cloudflare, but we only use it for our production domain; technically the preview branches shouldn’t be affected by / behind Cloudflare, right?

So yeah just trying to understand this. I wanted to use it as another means to dedupe users - mobile, email, fingerprint - obviously without the user being aware but if their fingerprint matched another user then we would prevent signup.

Let me know what you think.

Hi Simon,

Thank you for reaching out. Allow me to reiterate what I shared with you in the Support Case you raised with Vercel Support, for the benefit of others in the Community:

It’s important to note that while JA4 fingerprinting can provide valuable information, it’s not designed to uniquely identify individual users or devices. The assumption that each user should generate a unique JA4 fingerprint is unfortunately not accurate. Here’s why:

  1. Standardized TLS libraries: Many applications use standard TLS libraries, which can result in identical JA4 fingerprints for different users.
  2. Common browser engines: Popular web browsers often share similar or identical TLS configurations, especially if they’re based on the same engine (e.g., Chromium).
  3. Operating system updates: When OS updates occur, many users on the same version may suddenly share the same JA4 fingerprint.
  4. Limited variability: While there are many possible TLS configurations, in practice, only a subset of secure and efficient options are commonly used.
  5. Cloud services and CDNs: Users accessing content through popular cloud services or CDNs may generate similar or identical JA4 fingerprints.

These factors explain why you and the users mentioned in the community post are generating the same fingerprint. Your specific JA4 fingerprint is even the first one listed in this GitHub repo:

It’s not a malfunction, but rather a limitation of using JA4 fingerprinting for unique user identification.

Please let us know if you have any further questions or issues.

1 Like
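
Added example (not part of either post and not Vercel's code): the fingerprint quoted in the thread, decoded into the TLS ClientHello properties a JA4 string summarises, plus a check of how a "block signup if the fingerprint was seen before" rule behaves. The signup records, the second fingerprint and the function names are constructed for illustration.

```javascript
// Added example: what a JA4 string encodes, and why it collides across users.
const PROTOCOLS = { t: "TCP", q: "QUIC", d: "DTLS" };
const VERSIONS = { 13: "1.3", 12: "1.2", 11: "1.1", 10: "1.0" };
const JA4_RE =
  /^([tqd])(\d{2}|[sd]\d)([di])(\d{2})(\d{2})([0-9a-z]{2})_([0-9a-f]{12})_([0-9a-f]{12})$/;

// Split a JA4 string into the ClientHello properties it summarises.
// None of these fields describe the person, device or network location.
function parseJa4(fp) {
  const m = JA4_RE.exec(String(fp ?? ""));
  if (!m) return null; // header absent or malformed
  return {
    transport: PROTOCOLS[m[1]],
    tlsVersion: VERSIONS[m[2]] ?? m[2],
    sniPresent: m[3] === "d", // "d" = SNI (domain) sent, "i" = none
    cipherCount: Number(m[4]),
    extensionCount: Number(m[5]),
    alpn: m[6], // first and last character of the first ALPN value
    cipherHash: m[7], // truncated hash of the sorted cipher list
    extensionHash: m[8], // truncated hash of extensions + signature algorithms
  };
}

// Count signups that a "reject if this fingerprint was seen before" rule blocks.
function falseRejects(signups) {
  const seen = new Set();
  let rejected = 0;
  for (const { ja4 } of signups) {
    if (seen.has(ja4)) rejected += 1;
    else seen.add(ja4);
  }
  return rejected;
}

// Constructed sample data: distinct people presenting the same fingerprint.
const SHARED = "t13d1516h2_8daaf6152771_02713d6af862"; // value quoted in the thread
const SIGNUPS = [
  { email: "a@example.com", location: "Johannesburg", ja4: SHARED },
  { email: "b@example.com", location: "Cape Town", ja4: SHARED },
  { email: "c@example.com", location: "Italy", ja4: SHARED },
  // Constructed placeholder fingerprint, not a real client's value.
  { email: "d@example.com", location: "Elsewhere", ja4: "t13d1715h2_aaaaaaaaaaaa_bbbbbbbbbbbb" },
];

console.log(parseJa4(SHARED));
console.log("legitimate signups blocked:", falseRejects(SIGNUPS)); // 2
```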
