TLS — Transport Layer Security & Bot Fingerprinting
What is TLS?
TLS (Transport Layer Security) is a cryptographic protocol that secures data transmitted over networks. It is the successor to SSL and is used to encrypt communications between clients and servers, ensuring confidentiality, integrity, and authenticity. TLS is fundamental for secure web browsing, email, and many other internet services.
How the TLS handshake works
Every TLS connection begins with a handshake in which the client and server agree on a protocol version, a cipher suite, and the cryptographic material they will use to derive session keys. The client opens with a ClientHello that advertises the TLS versions it supports, the cipher suites it prefers, the extensions it understands, and (in TLS 1.3) its key share. The server replies with a matching ServerHello, its certificate, and its own key share. Both sides then derive symmetric keys and switch the rest of the conversation onto authenticated encryption. From that point on, every record carries an integrity tag, so any tampering by a network attacker is detectable.
TLS versions: 1.2 vs 1.3
TLS 1.2 is still widely deployed but TLS 1.3 — finalised in 2018 — is now the default for modern browsers and servers. TLS 1.3 removes legacy cipher suites that had known weaknesses (RC4, CBC modes with predictable IVs, RSA key transport), forces forward secrecy, and reduces the handshake to a single round trip. Older protocol versions (SSL 2.0, SSL 3.0, TLS 1.0 and TLS 1.1) are deprecated by all major browsers and should not be enabled on production servers.
TLS fingerprinting and bot detection
Because the ClientHello is sent in clear text and contains a long list of capability hints, it acts as a near-unique signature of the client software that produced it. Real browsers (Chrome, Firefox, Safari) produce handshake fingerprints that differ in distinctive ways from those produced by scripted HTTP clients (cURL, Python requests, Go's net/http, headless automation frameworks). Even when an attacker spoofs a browser user-agent string, the underlying TLS stack usually betrays the real client.
JA4 is the modern open-source standard for capturing this signature. It summarises the TLS version, cipher suites, extensions, signature algorithms and ALPN value into a short, stable string that a detection engine can match against known good and bad clients. JA3 (its predecessor) is still in use, but JA4 sorts the cipher and extension lists and discards GREASE values before hashing, so it is more resistant to randomisation tricks like Chrome's GREASE values.
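The following is an added example, not Prosopo's code and not the JA4 reference implementation: a minimal ClientHello parser that derives the JA4 string from the fields named above (version, cipher suites, extensions, signature algorithms, ALPN). The two ClientHellos it fingerprints are constructed in-process rather than captured, and the browser-like one is deliberately padded with GREASE values so that the sorting and GREASE-stripping behaviour can be checked: shuffling its lists and removing the GREASE entries yields the same fingerprint, while a bare scripted client yields a different one.

```python
# Added example for this page: JA4 from a raw TLS ClientHello record.
# Not Prosopo's implementation; sample ClientHellos are constructed, not captured.
import hashlib
import struct

# GREASE values (RFC 8701): 0x0a0a, 0x1a1a, ..., 0xfafa. JA4 ignores them entirely.
GREASE = {0x0A0A + 0x1010 * i for i in range(16)}
TLS_VERSION_NAMES = {0x0304: "13", 0x0303: "12", 0x0302: "11", 0x0301: "10",
                     0x0300: "s3", 0x0200: "s2", 0x0100: "s1"}


def u16_list(data: bytes, start: int, length: int) -> list[int]:
    """Decode a run of big-endian uint16 values."""
    return [int.from_bytes(data[i:i + 2], "big") for i in range(start, start + length, 2)]


def parse_client_hello(record: bytes) -> dict:
    """Extract the fields JA4 needs from a TLS record carrying a ClientHello."""
    if record[0] != 0x16 or record[5] != 0x01:       # record type handshake, msg type ClientHello
        raise ValueError("not a ClientHello record")
    body = record[9:9 + int.from_bytes(record[6:9], "big")]
    legacy_version = int.from_bytes(body[0:2], "big")
    pos = 2 + 32                                      # skip client_random
    pos += 1 + body[pos]                              # skip legacy_session_id
    n = int.from_bytes(body[pos:pos + 2], "big")
    ciphers = u16_list(body, pos + 2, n)
    pos += 2 + n
    pos += 1 + body[pos]                              # skip compression_methods
    end = pos + 2 + int.from_bytes(body[pos:pos + 2], "big")
    pos += 2
    exts, sigalgs, alpn, versions = [], [], None, []
    while pos < end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        data = body[pos + 4:pos + 4 + elen]
        pos += 4 + elen
        exts.append(etype)
        if etype == 0x000D:                           # signature_algorithms, wire order kept
            sigalgs = u16_list(data, 2, int.from_bytes(data[:2], "big"))
        elif etype == 0x0010 and not alpn:            # ALPN: only the first protocol name matters
            alpn = data[3:3 + data[2]].decode("ascii", "replace")
        elif etype == 0x002B:                         # supported_versions
            versions = u16_list(data, 1, data[0])
    return {"legacy_version": legacy_version, "ciphers": ciphers, "extensions": exts,
            "sigalgs": sigalgs, "alpn": alpn, "supported_versions": versions}


def ja4(record: bytes, transport: str = "t") -> str:
    """JA4 = JA4_a (readable prefix) _ JA4_b (cipher hash) _ JA4_c (extension hash)."""
    h = parse_client_hello(record)
    ciphers = [c for c in h["ciphers"] if c not in GREASE]
    exts = [e for e in h["extensions"] if e not in GREASE]
    real_versions = [v for v in h["supported_versions"] if v not in GREASE]
    version = max(real_versions) if real_versions else h["legacy_version"]
    sni = "d" if 0x0000 in exts else "i"              # SNI present => domain, else IP literal
    alpn = h["alpn"][0] + h["alpn"][-1] if h["alpn"] else "00"
    ja4_a = (f"{transport}{TLS_VERSION_NAMES.get(version, '00')}{sni}"
             f"{min(len(ciphers), 99):02d}{min(len(exts), 99):02d}{alpn}")
    # Ciphers and extensions are sorted before hashing, so client-side shuffling is harmless.
    cipher_str = ",".join(f"{c:04x}" for c in sorted(ciphers))
    ja4_b = hashlib.sha256(cipher_str.encode()).hexdigest()[:12] if ciphers else "0" * 12
    hashed = sorted(e for e in exts if e not in (0x0000, 0x0010))   # SNI and ALPN excluded
    ext_str = ",".join(f"{e:04x}" for e in hashed)
    if h["sigalgs"]:
        ext_str += "_" + ",".join(f"{s:04x}" for s in h["sigalgs"])
    ja4_c = hashlib.sha256(ext_str.encode()).hexdigest()[:12] if hashed else "0" * 12
    return f"{ja4_a}_{ja4_b}_{ja4_c}"


def build_client_hello(ciphers: list[int], extensions: list[tuple[int, bytes]]) -> bytes:
    """Serialise a minimal ClientHello record (used only to construct sample input)."""
    ext_bytes = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in extensions)
    body = (b"\x03\x03" + b"\x11" * 32 + b"\x00"      # legacy_version, random, empty session id
            + struct.pack("!H", 2 * len(ciphers)) + b"".join(struct.pack("!H", c) for c in ciphers)
            + b"\x01\x00"                             # compression_methods: null only
            + struct.pack("!H", len(ext_bytes)) + ext_bytes)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


# Constructed sample clients (hypothetical, not captured traffic).
SNI = struct.pack("!HBH", 14, 0, 11) + b"example.com"           # server_name: one host_name entry
ALPN_H2 = b"\x00\x03\x02h2"
SIGALGS = b"\x00\x04\x04\x03\x08\x04"                            # 0x0403, 0x0804
BROWSER_EXTS = [(0x0A0A, b"\x00\x00"), (0x0000, SNI), (0x0010, ALPN_H2), (0x000D, SIGALGS),
                (0x002B, b"\x04\x0a\x0a\x03\x04"), (0x0033, b"\x00\x00")]
BROWSER_CIPHERS = [0x0A0A, 0x1301, 0x1302, 0x1303, 0xC02B, 0xC02F]
SCRIPT_CIPHERS = [0x1301, 0x1302]
SCRIPT_EXTS = [(0x002B, b"\x02\x03\x04")]                         # no SNI, no ALPN, no sigalgs


def demo() -> dict:
    browser = ja4(build_client_hello(BROWSER_CIPHERS, BROWSER_EXTS))
    # Same client with GREASE stripped and both lists reversed: the JA4 must not change.
    no_grease_exts = [e for e in reversed(BROWSER_EXTS) if e[0] not in GREASE]
    no_grease_ciphers = [c for c in reversed(BROWSER_CIPHERS) if c not in GREASE]
    browser_again = ja4(build_client_hello(no_grease_ciphers, no_grease_exts))
    script = ja4(build_client_hello(SCRIPT_CIPHERS, SCRIPT_EXTS))
    return {"browser": browser, "browser_shuffled": browser_again, "script": script}
```

Running `demo()` gives a browser-like prefix of `t13d0505h2` (TLS 1.3, SNI present, five non-GREASE ciphers, five non-GREASE extensions, ALPN `h2`) and a scripted-client prefix of `t13i020100`; the two browser variants produce byte-identical strings. Note that nothing about the source IP enters the computation, which is why the fingerprint survives proxy rotation as the page describes.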
How Procaptcha uses TLS signals
Prosopo's bot detection collects JA4 alongside other passive signals as part of its access control rules. A site can configure rules that allow, challenge, or block traffic based on combinations of JA4, IP reputation, geolocation, and behaviour — all without storing PII or sending visitor data to a third-party CDN. Because TLS fingerprints are stable across IP rotations and proxy networks, they remain useful even when an attacker rotates through thousands of residential proxies.