The Privacy Threat Has Moved Below the Browser
For most of the last decade, the privacy advice given to journalists, researchers, and ordinary users has been the same: use a reputable VPN, prefer a privacy-respecting browser, block third-party cookies, and clear your storage. That guidance is still useful — but it is no longer sufficient.
Tracking has moved down the stack. Advertisers, data brokers, and large CDNs now correlate users at the transport layer — before a single line of JavaScript runs and before a single cookie is set. The mechanism that makes this possible is called TLS fingerprinting, formalized through hashes such as JA3 and the newer JA4+ family.
This article explains how JA3/JA4 work, why they defeat most consumer privacy tools, and what role a stealth browser plays alongside Tor Browser, Mullvad Browser, Brave, and a trustworthy VPN.
What Is a TLS Fingerprint?
When your browser opens an HTTPS connection, the very first packet it sends is the TLS ClientHello. This packet advertises:
The TLS version your client supports
The ordered list of cipher suites it will accept
The TLS extensions it offers (SNI, ALPN, supported groups, signature algorithms, etc.)
The elliptic curves and point formats it can use
For HTTP/2 connections, the SETTINGS frame values (such as INITIAL_WINDOW_SIZE and MAX_CONCURRENT_STREAMS)
Every TLS implementation — Chromium's BoringSSL, Firefox's NSS, Apple's Secure Transport, Go's crypto/tls, Python's ssl, Node's tls — arranges these fields in a slightly different but deterministic way.
In 2017, researchers John Althouse, Jeff Atkinson, and Josh Atkins at Salesforce published the JA3 algorithm, which converts the relevant ClientHello fields into a 32-character MD5 hash. In 2023, FoxIO released JA4+, a suite of fingerprints that captures TLS, HTTP/2, TCP, and even SSH characteristics with greater stability and granularity.
The result: your TLS handshake is, in effect, a persistent identifier of the software stack making the connection — independent of your IP address, cookies, or User-Agent.
Why TLS Fingerprinting Matters for Privacy
JA3/JA4 were originally designed for defensive use — letting security teams spot malware C2 traffic or unauthorized clients on a corporate network. That is a legitimate and valuable use case.
The privacy concern is that the same technique is now widely deployed against ordinary users by entities that users have not threat-modeled:
Ad-tech platforms and data brokers can use TLS fingerprints as a supercookie-equivalent identifier that survives cookie clearing, incognito mode, and even IP rotation.
Large CDNs that sit in front of a significant fraction of the web can correlate the same TLS fingerprint across thousands of unrelated sites — a cross-site identifier the user never consented to.
Adversarial networks (hostile ISPs, public-Wi-Fi MITM boxes, state-level filters) can identify which application a user is running even when traffic is fully encrypted, simply by looking at the ClientHello.
Under the GDPR, Article 4(1) defines personal data to include "online identifiers" that can single out a natural person. The European Data Protection Board's Opinion 9/2014 on device fingerprinting (https://www.edpb.europa.eu/) explicitly extends consent obligations to fingerprinting techniques. TLS-level fingerprints fit this definition cleanly — yet they are almost never disclosed in cookie banners, and users have no UI affordance to refuse them.
This is the gap that motivates a stealth browser.
Why VPNs, Tor, and Privacy Browsers Don't Fully Close the Gap
Each tool in the mainstream privacy stack solves part of the problem but leaves the TLS layer exposed in different ways:
| Tool | What it hides | What it leaves exposed |
|---|
| VPN / proxy | Your IP address (Layer 3) | Your TLS fingerprint passes through unchanged — the VPN tunnel carries your original ClientHello |
| Tor Browser | IP + many JS-layer fingerprints | The Tor Browser TLS fingerprint is itself a strong identifier — it tells every site you visit "this user is on Tor", which is sometimes exactly what users in hostile environments need to avoid |
| Brave / Firefox with resistFingerprinting | Canvas, WebGL, AudioContext, fonts | TLS ClientHello is unchanged from the underlying engine; ad-tech can still correlate sessions by JA4 |
| Mullvad Browser | JS-layer fingerprints, when combined with Mullvad VPN | TLS fingerprint is the standard Firefox build — distinctive, and separable from non-Mullvad-Browser Firefox traffic |
| Custom HTTP clients (curl, requests, httpx) | Nothing relevant for browsing | Each library has its own well-known JA3/JA4 — trivially classified as "non-browser traffic" |
This is not a criticism of those tools — they are excellent at what they do. It is a structural observation: the TLS handshake is generated by whichever crypto library your client is linked against, and you cannot reshape it from JavaScript or from a userland VPN. Closing the TLS gap requires modification at the network stack itself.
What a Stealth Browser Actually Does
A stealth browser in the privacy sense is a Chromium-based browser whose BoringSSL and HTTP/2 networking layers have been modified so that the ClientHello, ALPN, and HTTP/2 SETTINGS frames it emits match a chosen, well-attested browser profile bit-for-bit. The same approach underlies open-source libraries like utls (used by anti-censorship projects such as Lantern and Snowflake) and curl-impersonate, which were built explicitly so that users in censored regions could blend into normal browser traffic.
Concretely, a well-built stealth browser does three things that mainstream privacy browsers do not:
Cipher suite and extension ordering. It rewrites the order of cipher suites, supported groups, and TLS extensions in the ClientHello to match a target Chrome / Safari / Firefox build, so that the JA3 / JA4 hash matches that of a real, common browser version rather than a unique modified build.
HTTP/2 frame synchronization. It aligns the HTTP/2 SETTINGS frame, header order, and pseudo-header order with the target browser. Akamai's HTTP/2 fingerprint and Cloudflare's ja4_h2 are both derived from these values; mismatches between TLS and HTTP/2 fingerprints are themselves a fingerprint.
Profile coherence with the JS layer. A modified TLS stack is only useful if it is paired with consistent application-layer signals — User-Agent, Client Hints, Canvas, WebGL, timezone, language. Coherence across layers is what produces a profile that looks like a real installed browser, rather than a unique "privacy tool" silhouette.
The goal is not invisibility — it is indistinguishability from a large anonymity set of normal users, which is precisely the privacy property that Tor's design documents have always argued is the only one that matters.
Who Actually Needs This
Most internet users do not need a stealth browser. A reputable VPN plus Brave or Mullvad Browser is more than enough for everyday tracking concerns. The realistic audience for a stealth browser is narrower:
Investigative journalists working on stories where the act of researching a topic — repeatedly visiting a particular set of domains from a recognizable Tor/VPN fingerprint — would itself reveal the investigation to its subjects.
Human-rights researchers and OSINT analysts monitoring extremist networks, where standing out as "a researcher tool" is a safety risk.
Academic and independent security researchers studying tracking, fingerprinting, and bot-detection systems, who need to reproduce and verify vendor claims.
People in coercive or surveilled relationships — domestic abuse survivors, LGBTQ+ users in hostile jurisdictions — for whom a TLS fingerprint that screams "privacy tool" can itself be a tell.
Privacy engineers and red-team consultants under written authorization, validating their employer's defenses.
If you do not fall into one of these categories, a stealth browser is overkill, and the simpler stack is the right answer.
A Realistic 2026 Privacy Stack
A stealth browser is one layer, not the whole stack. A defensible setup looks roughly like this:
Network layer. A no-logs VPN audited by a reputable third party (Mullvad, IVPN, ProtonVPN have all undergone public audits), or Tor where the threat model justifies it.
DNS layer. Encrypted DNS (DoH/DoT) to a provider that is not your VPN exit, to avoid single-point correlation.
Transport layer. A stealth browser such as https://xtlogin.com, or open-source equivalents like utls-based clients for scripted work, so that your TLS/HTTP-2 fingerprint matches a common browser profile rather than uniquely identifying your tooling.
Application layer. Per-context profile separation — a different coherent identity for journalism work, personal use, and research — instead of relying on a single "incognito" toggle.
Operational layer. Threat-model your sessions: assume that any layer can fail, and design so that no single failure deanonymizes you across all of them.
The point is defense in depth. TLS fingerprinting is the layer most users currently have nothing for; closing it brings the network-level defense up to parity with the JS-level defenses that Tor Browser and Mullvad Browser already provide.
FAQ
Q: Can a VPN change my JA3 / JA4 hash?
No. A VPN re-routes IP packets (OSI Layer 3), but the TLS ClientHello is generated by the application on your device and travels through the tunnel unchanged. Only software that modifies the TLS stack itself can change the JA3/JA4 hash.
Q: Doesn't Tor Browser already protect against fingerprinting?
Tor Browser is excellent against JavaScript-layer fingerprinting and is the right tool for many threat models. But the Tor Browser TLS fingerprint is itself recognizable as Tor — which is sometimes exactly what a user needs to avoid (e.g., when Tor traffic is treated as suspicious by the destination or the local network).
Q: Is changing cipher suite order enough to defeat JA4?
No. JA4+ captures a much richer signal than JA3 did — including ALPN, extension order, signature algorithms, supported groups, and HTTP/2 settings. Naive randomization produces a new unique fingerprint, which is worse than blending into a large anonymity set. The goal is coherence with a real browser profile, not randomness.
Q: Is using a stealth browser legal?
In most jurisdictions, yes — using software that emulates a standard browser's network signature is no different in principle from using Tor or a VPN. As always, using any tool to violate a service's Terms of Service, commit fraud, or evade law enforcement is a separate question and is not what this article is about. The focus here is consent: users have a right under GDPR/CCPA-style frameworks to limit the identifiers they emit, and TLS fingerprints are identifiers.
Q: How do I tell what my current TLS fingerprint is?
Free tools such as https://browserleaks.com/tls, https://tls.peet.ws, and https://scrapfly.io/web-scraping-tools/ja3-fingerprint display your live JA3/JA4 hash. Comparing the hash you produce to public databases of known browser fingerprints is the simplest way to see whether you currently stand out.
