On Usability of Hash Fingerprinting for Endpoint Application Identification

2022 IEEE International Conference on Cyber Security and Resilience (CSR) (2022)

Abstract
In network security, a common challenge is the ability to gain information about the communicating endpoints based only on the network traffic. Methods for gaining endpoint awareness on the network level by fingerprinting different network protocol layers have existed for a long time. A fairly recent addition to these techniques has been different hash fingerprinting algorithms, such as JA3 and JA3S, that can be used for identifying the communicating endpoint applications of the network connection. These algorithms pick a suitable set of protocol-specific parameters and concatenate their values into a string. An MD5 hash value is calculated from this string, and this hash value comprises the fingerprint. In this article we contest the use of the MD5 hash in the fingerprinting process, and propose that the original string of concatenated protocol parameter values should be used instead. We argue that the original string provides more value for the network security landscape.
Keywords
Computer network management,Firewalls (computing),Middleboxes,Network security
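
The following is an added example, not code from the paper. It builds the concatenated parameter string and its MD5 hash for two TLS ClientHello parameter sets that differ by one cipher suite, then compares them field by field to show what the raw string retains and the hash discards. The field order and GREASE handling follow the public JA3 specification rather than this page, the parameter sets are constructed, and `field_overlap` is a hypothetical helper.

```python
import hashlib

# GREASE placeholder values (RFC 8701); JA3 drops them before concatenation.
GREASE = {0x0A0A + 0x1010 * i for i in range(16)}
FIELDS = ["version", "ciphers", "extensions", "curves", "point_formats"]

def ja3_string(version, ciphers, extensions, curves, point_formats):
    """Concatenate ClientHello parameters: fields joined by ',', values by '-'."""
    fields = [[version], ciphers, extensions, curves, point_formats]
    return ",".join(
        "-".join(str(v) for v in f if v not in GREASE) for f in fields
    )

def ja3_hash(raw):
    """MD5 of the raw string: the fingerprint as JA3 publishes it."""
    return hashlib.md5(raw.encode("ascii")).hexdigest()

def field_overlap(raw_a, raw_b):
    """Per-field Jaccard similarity of two raw strings (hypothetical helper)."""
    result = {}
    for name, fa, fb in zip(FIELDS, raw_a.split(","), raw_b.split(",")):
        sa, sb = set(fa.split("-")), set(fb.split("-"))
        result[name] = len(sa & sb) / len(sa | sb)
    return result

# Constructed sample input: the same client before and after an update that
# adds one cipher suite (49199). 0x1A1A is a GREASE value and is ignored.
CLIENT_A = dict(version=771, ciphers=[0x1A1A, 4865, 4866, 4867, 49195],
                extensions=[0, 23, 65281, 10, 11], curves=[29, 23, 24],
                point_formats=[0])
CLIENT_B = dict(CLIENT_A, ciphers=[4865, 4866, 4867, 49195, 49199])

if __name__ == "__main__":
    raw_a, raw_b = ja3_string(**CLIENT_A), ja3_string(**CLIENT_B)
    print(raw_a, ja3_hash(raw_a))
    print(raw_b, ja3_hash(raw_b))
    # The hashes share nothing usable; the raw strings show that only the
    # cipher list changed and by how much.
    print(field_overlap(raw_a, raw_b))
```
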