ShieldLabs is an anonymous visitor identification and traffic quality platform. It analyzes device, browser, IP, and network signals, detecting mismatches between them to identify anonymous visitors and assign a real-time explainable risk score to every visit, as well as detect abuse patterns across your traffic.

What is ShieldLabs used for?

ShieldLabs is used to identify anonymous visitors, assess traffic quality, and detect abuse activity such as multi-accounting, fake account creation, account takeover, free trial abuse, bonus abuse, ban evasion, referral fraud, account sharing, coupon abuse, subscription abuse, giveaway fraud, voting manipulation, and survey fraud.

Who is ShieldLabs for?

ShieldLabs is best for startups, small-to-mid-sized businesses, and digital platforms with medium to high traffic volume that need a cost-effective anonymous visitor identification solution. Built for product, fraud, and growth teams at SaaS platforms, fintech, iGaming, e-commerce, Web3, media and streaming, travel, and technology platforms - any business dealing with anonymous traffic and abuse.

How accurate is ShieldLabs?

ShieldLabs detects anonymized connections and environment spoofing with up to 99% accuracy through multi-layer analysis.

How is ShieldLabs different from traditional abuse prevention platforms?

ShieldLabs delivers the same level of visitor identification and abuse detection used by platforms like Google and X / Twitter — with transparent per-request pricing, self-serve integration in 5 minutes, and an explainable risk score. No "Contact Sales," no enterprise contracts.

Can a visitor be recognized when IP changes?

Yes. ShieldLabs generates a persistent visitor ID. This identifier remains stable across sessions even when the visitor changes IP, clears cookies, switches to incognito mode, or creates a new account.

What is a persistent visitor ID?

A persistent visitor ID is a stable identifier assigned to each visitor. Unlike cookies or IP addresses, it survives IP rotation, cookie clearing, incognito mode, and account changes - allowing real-time recognition of returning visitors regardless of how they try to hide.

What is browser fingerprinting?

Browser fingerprinting is a technique for identifying website visitors by collecting unique browser signals such as browser version, preferred language, screen resolution, installed fonts, and graphics rendering. These signals are combined to generate a unique identifier that recognizes the visitor across sessions — even without cookies.

What is device fingerprinting?

Device fingerprinting identifies a visitor based on hardware and operating system signals such as device type, OS version, memory, processor, and screen parameters. Combined with browser fingerprinting, it produces a more stable and accurate identification.

How does device fingerprinting differ from browser fingerprinting?

Browser fingerprinting collects signals from the browser — version, language, plugins, screen resolution. Device fingerprinting collects signals from the hardware and operating system — device type, OS, memory, processor. ShieldLabs combines both to generate a persistent visitor ID with higher accuracy than either method alone.

Does ShieldLabs do device fingerprinting or browser fingerprinting?

Both. ShieldLabs analyzes 70+ signals across device, operating system, and browser to generate a persistent visitor ID. It then cross-validates these signals against network and IP data to detect mismatches and expose anonymous visitors.

Is browser fingerprinting safe?

For businesses, browser fingerprinting is used to identify anonymous visitors and distinguish between legitimate users and potentially fraudulent ones. ShieldLabs does not track users across sites and does not collect personally identifiable information during the fingerprinting process. For visitors, the process is invisible and adds no friction to their experience.

Can ShieldLabs detect a visitor in incognito mode or on a VPN?

Yes. Device and browser fingerprinting signals remain consistent even in incognito mode. VPN connections are detected through IP intelligence and cross-layer mismatch analysis. ShieldLabs identifies the visitor in both cases.

What can ShieldLabs detect?

ShieldLabs detects VPN, proxy, TOR, iCloud Private Relay, anti-detect browsers, tampered browsers, anti-fingerprint tools, data center and hosting infrastructure, environment spoofing, device tampering, location spoofing, timezone mismatches, and abuse activity. All detection works in real time.

Does ShieldLabs detect anti-detect browsers?

Yes. Anti-detect browsers are designed to mask device fingerprints and rotate identities. ShieldLabs detects them through cross-layer mismatch analysis, identifying the difference between what the browser claims and what is actually detected.

Can ShieldLabs detect fake accounts and multi-accounting?

Yes. The system builds an identity graph linking visitors, devices, and accounts across sessions. When the same person creates multiple accounts — even using different IPs, browsers, or anti-detect tools — the system connects them through shared device and network characteristics.

Can ShieldLabs detect account takeover?

Yes. When an account is accessed from an unrecognized device, suspicious connection, or unusual location, the system flags it as a potential account takeover.

Can ShieldLabs detect location spoofing?

Yes. The system detects timezone and geolocation mismatches between what the browser reports and what the IP and network reveal — indicating masked or spoofed visitor location.

Does ShieldLabs detect account sharing?

Yes. When multiple devices, locations, and network signatures access the same account, the system flags it as potential account sharing — helping protect subscription value and enforce per-user access.

Risk Score is a numerical assessment of explainable risk for every visit. It is calculated from anonymity indicators, cross-layer mismatches, and network signals. A high score indicates an increased probability of an anonymous or masked visit. Every score includes clear reasons for every contributing factor.

How is Risk Score calculated?

Each detected signal contributes to the final score - VPN detection, proxy connection, OS mismatch between browser and network, timezone conflict, data center IP, and more. Risk score reflects the cumulative risk level and explains each factor.

What is traffic risk level?

Traffic risk level is an overall assessment of anonymity across all your traffic. It shows what percentage of visitors are clean, low risk, medium risk, or high risk - giving you visibility into overall traffic quality.

Does ShieldLabs automatically block users?

No. ShieldLabs provides risk score, scoring reasons, and detailed visitor data. The blocking decision is made by you - either manually or through automated rules you configure.

What is an identity graph?

An identity graph is a map of connections between visitors, devices, and accounts. ShieldLabs builds this graph automatically by linking persistent visitor IDs, device fingerprints, and network signals across all sessions — revealing which accounts are connected and the risk level of each connection.

What are abuse patterns?

Abuse patterns are ready-made detection rules that identify suspicious connections between visitors, devices, and accounts — such as many accounts on one device, changing IDs on one account, or many devices on one account. Each pattern flags potential multi-accounting, account sharing, ban evasion, or coordinated abuse.

What is traffic quality?

Traffic quality is a measure of how much of your traffic comes from real, identifiable visitors versus anonymous, masked, or suspicious traffic. ShieldLabs assigns a risk level to your overall traffic and a risk score to every visitor.

How long does integration take?

Integration takes approximately 5 minutes. Add a code snippet to your site, and the system immediately begins anonymous visitor identification and real-time traffic analysis.

Which frameworks are supported?

ShieldLabs supports JavaScript, Next.js, React, Angular, Vue.js, Preact, and Svelte.

Does ShieldLabs provide API and Webhooks?

Yes. Risk score, visitor IDs, and detailed detection signals are available via API and Webhooks in real time for automation of fraud prevention rules and protection scenarios.

Does ShieldLabs affect real users?

No. The system operates in the background and does not require any additional actions from visitors. No CAPTCHAs, no challenges, no friction.

How does pricing work?

ShieldLabs offers transparent per-request pricing with a free tier. Start free, scale as you grow. No enterprise contracts, no "Contact Sales."

Is there a free plan?

Yes. The free plan includes 5,000 requests for initial traffic quality check and anonymous visitor identification.

What is a TLS fingerprint?

A TLS fingerprint is a value derived from how a client builds its TLS handshake, the cipher suites and extensions it sends to open the connection. Written as a format like JA3 or JA4, it identifies the kind of software making the connection, and it is hard to fake because it reflects the network stack rather than an editable header.

Are TLS fingerprints unique?

TLS fingerprints are not unique to one device. Many clients running the same browser version on the same platform share the same fingerprint, because they build the handshake the same way. That is why it works better for grouping clients by their real software, and for spotting ones that do not match what they claim, than as a sole identifier.

What is the difference between JA3 and JA4?

JA3 is the older format, building a hash from the TLS version, cipher suites, extensions, and curves, and it can change when a browser update reorders extensions. JA4 is newer, sorts the extensions so harmless reordering does not break the match, and splits the fingerprint into readable parts. JA4 is more stable across updates.

How does ShieldLabs use TLS fingerprinting?

ShieldLabs reads the TLS fingerprint as one of several network and device signals, never alone. It helps catch a client whose handshake does not match the browser it claims to be, and it feeds a risk score with the signals behind it. Your own rules decide the outcome, and the free tier covers your first 5,000 identifications.

Back to blog

June 29, 2026Browser fingerprinting Network signals Fraud prevention

What is TLS fingerprinting? How JA3 and JA4 identify a client

Vasil MakarchukChief Technology Officer

TLS fingerprinting: a client's TLS handshake, its cipher suites and extensions, condensed into a JA3 or JA4 hash that identifies the software behind the connection

Last updated on June 29, 2026 · 9 min read

TLS fingerprinting is a technique that identifies the software behind a connection by the way it negotiates a TLS handshake. When a client opens an encrypted connection, it sends a message describing the TLS versions, cipher suites, and extensions it supports, and the exact contents and order are characteristic of the client. Condensing that into a value, with a format like JA3 or JA4, produces a fingerprint that is hard to fake because it reflects the network stack rather than anything in the page.

TLS fingerprinting is the technique that catches a client lying about what it is. The user agent string is trivial to edit; the TLS handshake is not, because it is produced by the underlying library and operating system. This guide explains what TLS fingerprinting is, how it works, what JA3 and JA4 are, and where it fits in fraud detection. It is one of the browser fingerprinting techniques a site reads together.

Key takeaways

TLS fingerprinting reads how a client builds its TLS handshake, then condenses the cipher suites, extensions, and other parameters into a value such as a JA3 or JA4 hash.
It is powerful because the handshake is sent over the network and a page script cannot rewrite it, so it reflects the real client software rather than an editable string.
JA3 is the older format; JA4 is a newer one that sorts extensions and holds up better as browsers update, which makes it more stable.
For fraud detection, a TLS fingerprint is most useful when it disagrees with what a client claims to be, since that contradiction is a sign the client is not what it says.

How TLS fingerprinting works

TLS fingerprinting works by reading the first message of an encrypted connection, before any data is exchanged. When a client connects to a server over HTTPS, it begins a TLS handshake by sending a ClientHello message. That message is sent in the clear, because the encryption has not been set up yet, and it lists what the client supports.

The detail that makes fingerprinting possible is that different software builds this message differently. A browser, a mobile app, and a generic scripting library each advertise their TLS versions, cipher suites, extensions, and elliptic curves in their own combination and order. A server that records those parameters, and the order they arrive in, can recognize the same kind of client again, and can notice when a client does not look like what it claims to be.

How TLS fingerprinting works: a ClientHello message lists cipher suites and extensions, which are read in order and condensed into a JA3 or JA4 hash

What are JA3 and JA4?

JA3 and JA4 are the two best known ways to write a TLS fingerprint down as a value. They take the raw handshake parameters and turn them into a compact, comparable string.

JA3, introduced in 2017, is the older and widely adopted format. It builds a hash from the client's TLS version, its accepted cipher suites, its extensions, and its elliptic curves and curve formats. It is simple and effective, but because it depends on the exact order of extensions, a browser update that reorders them can change the hash.
JA4, released in 2023, is a newer format designed to fix that. It sorts the extensions so a harmless reordering does not break the match, and it splits the fingerprint into readable parts, including the transport and TLS version, the cipher and extension makeup, and any application protocol. The result is more stable across browser updates and easier to reason about. The open JA4 specification documents the full format.

A system does not have to choose one. Many read both, using JA3 for compatibility with older records and JA4 for stability going forward.

What a TLS fingerprint reveals

A TLS fingerprint does not reveal personal data. What it reflects is the software and library stack making the connection:

The client family, such as a mainstream browser versus a scripting library or a custom client.
The TLS library and its version, since the set and order of cipher suites and extensions follow the library that built the handshake.
The platform, because the operating system and its cryptographic defaults influence the handshake.

What it does not show is the content of the page or the user's identity. Its value is comparative: it says what kind of client is connecting, and whether that matches the rest of what the client presents. Because the handshake sits below the HTTP layer, it is far harder to fake than a user agent header, which is one line of text the client can set to anything.

Property	TLS fingerprinting
What it reads	The `ClientHello` of the TLS handshake: TLS versions, cipher suites, extensions, and elliptic curves, with their order
Why it differs between clients	Each software stack, a browser versus a scripting library, builds the handshake in its own combination and order, shaped by the TLS library and the operating system
What it reveals	The client family, the TLS library and version, and the platform, not page content or user identity
Why it is hard to fake	The handshake is sent over the network below the HTTP layer, so a page script cannot rewrite it the way it can a user agent header
Main limitation	Moderately unique only: many people on the same browser and platform share one fingerprint, so it is a corroborating signal, not a sole identifier

How unique and stable is a TLS fingerprint?

A TLS fingerprint is moderately unique and fairly stable, and it is strongest as a corroborating signal rather than a sole identifier. Many people running the same browser version on the same platform share the same TLS fingerprint, so it does not single out one device the way a full browser fingerprint can. What it does well is group clients by their real software and flag the ones that do not fit.

Stability depends on the format. A JA3 hash can shift when a browser update changes the order of TLS extensions, which is exactly the drift JA4 was designed to reduce by sorting them. A resilient system treats the TLS fingerprint as one signal among several and does not expect it to stay identical forever, which is also why it is read alongside the browser and device layers rather than on its own.

TLS fingerprinting in fraud detection

TLS fingerprinting has several uses, and they are worth keeping distinct. Network and security teams use it broadly to classify traffic, and bot-management products use it to tell automated clients from browsers. The use that matters for ShieldLabs is a different one: consistency.

A TLS fingerprint is most valuable when it disagrees with what a client claims to be. If a connection presents itself as a recent version of a mainstream browser but its handshake matches a generic scripting library or a mismatched stack, that contradiction is a strong sign the client is not what it says. This is the exact tell that an anti-detect browser tends to leave, because it can edit the user agent easily but cannot as easily rewrite the TLS handshake to match. A defender uses that contradiction to inform a risk score, not to block a visitor outright.

Can TLS fingerprinting be spoofed?

TLS fingerprinting can be spoofed, but doing it consistently is the hard part. A determined client can use a real browser engine, or align its TLS library so its handshake matches a popular browser, and its fingerprint will look ordinary. Tooling exists specifically to do this for automation.

The catch is the same one that runs through all of fingerprinting: every layer has to agree. A client can fake the TLS handshake, or fake the user agent, but making the TLS fingerprint, the declared browser, the JavaScript-level signals, and the rest all tell the same story at once is difficult. When one of them is off, the mismatch becomes its own signal, which is why TLS is read together with the other techniques rather than trusted alone.

How ShieldLabs uses TLS fingerprinting

ShieldLabs reads the TLS fingerprint as one of several network and device signals, never on its own. It contributes to a stable device identifier and, more importantly, it is one of the signals that catches a client lying about what it is, when the handshake does not match the declared browser.

Each visit returns a risk score from 0 to 100 with the named signals behind it, including the anonymity signals and the contradictions that surface when the TLS layer disagrees with the rest of the fingerprint. Because the read happens as part of the connection, it adds no friction for a real visitor, and you act on the score through the API and webhooks while your own rules decide the outcome.

Frequently asked questions

WebGL fingerprinting: a hidden 3D scene rendered by a device's GPU into a distinct hash that identifies the graphics hardware

Browser fingerprinting Device intelligence

What is WebGL fingerprinting? How the GPU gives a device away

WebGL fingerprinting identifies a device by how its GPU renders 3D graphics. How it works, what it reveals, and how it differs from canvas.

Pavel NuryieuHead of ResearchJune 29, 2026

Font fingerprinting: the set of fonts installed on a device measured from how text renders, condensed into a value that identifies the device

Browser fingerprinting Device intelligence

What is font fingerprinting? How your installed fonts identify you

Font fingerprinting identifies a device by which fonts are installed, read from how text renders. How it works, what it reveals, and how stable it is.

Pavel NuryieuHead of ResearchJune 29, 2026

Browser audio fingerprinting: a silent waveform processed by a device's audio stack into a distinct value that identifies the device

Browser fingerprinting Device intelligence

What is audio fingerprinting? The browser technique, explained

Audio fingerprinting identifies a device by how it processes a sound signal in the browser. How it works, what it reveals, and how stable it is.

Pavel NuryieuHead of ResearchJune 29, 2026

How TLS fingerprinting works

What are JA3 and JA4?

What a TLS fingerprint reveals

How unique and stable is a TLS fingerprint?

TLS fingerprinting in fraud detection

Can TLS fingerprinting be spoofed?

How ShieldLabs uses TLS fingerprinting

Frequently asked questions

What is a TLS fingerprint?

Are TLS fingerprints unique?

What is the difference between JA3 and JA4?

Can TLS fingerprinting be spoofed?

How does ShieldLabs use TLS fingerprinting?

Related articles

What is WebGL fingerprinting? How the GPU gives a device away

What is font fingerprinting? How your installed fonts identify you

What is audio fingerprinting? The browser technique, explained