Computes JA3 from your browser's TLS ClientHello — the exact fingerprint a DPI sees.
JA3 is the MD5 of TLS-version + cipher-list + extension-list + curves + EC-point-formats. Identical across page loads from the same client; varies by browser/version/OS — and crucially, by VPN-client TLS implementations, which is why a 'not-Chrome-but-says-Chrome' JA3 is a giveaway to DPI.
JA3 is a property of the TLS client itself, not the site you connect to. Two browser-side approaches to reduce uniqueness.
Firefox: about:config → privacy.resistFingerprinting and the security.tls.* family. Brave standardizes much of this by default. Disabling browser extensions that fork the TLS stack keeps the fingerprint closer to a baseline browser.
Browsers that ship as-is — without unusual extensions, custom certificates, or TLS-modifying plugins — produce a JA3 that matches large user populations. A common-stable JA3 is harder to single out than a rare one.
JA3 is the MD5 of five fields from the TLS ClientHello: protocol version, cipher suites, extensions, supported groups, and EC point formats — concatenated as ordered comma-separated lists. The output is a 32-char hex hash stable across page loads from the same client. It varies meaningfully by browser, version, and OS. Chrome 130 on macOS has a different hash than Chrome 130 on Windows, and both differ from Firefox 128. Public databases map JA3 hashes to known clients. This matters in two ways. Detection: a DPI box that sees a JA3 inconsistent with the User-Agent header (e.g. UA says 'Chrome' but JA3 is a known Go-stdlib pattern) flags the connection as proxy/VPN traffic and may apply different rules — degrade speed, log, drop. Censorship-resistance: a VPN client whose JA3 doesn't match a real browser's is identifiable as a proxy even before the operator sees what's inside. GREASE values (random 2-byte tokens following pattern 0a0a/1a1a/2a2a) are what modern Chrome/Firefox inject in the ClientHello to keep implementations honest. JA3 excludes them from the hash so the fingerprint stays stable, but their presence/absence is itself a signal: clients without GREASE are unlikely to be modern browsers.
Technical tool for diagnosing the quality of a network connection. Does not provide means of access to information resources whose access is restricted under applicable law.