Investigating Surfshark and NordVPN with JA4T

Submitted by Style Pass, 2024-05-15 16:30:10

We found that both Surfshark and NordVPN route traffic on certain ports through TCP proxies. One example is port 5060, which is only used for unencrypted phone calls. No other VPN providers proxy traffic in this way. The reason for the proxying is unknown. Additionally, we found that NordVPN’s proxy is misconfigured, causing increased latency and bandwidth usage.

Resources:
JA4+ Network Fingerprinting: https://github.com/FoxIO-LLC/ja4
JA4+ Blog: https://blog.foxio.io/ja4%2B-network-fingerprinting
JA4TCP Blog: https://blog.foxio.io/ja4t-tcp-fingerprinting
JA4TScan: https://github.com/FoxIO-LLC/ja4tscan
NMap: https://nmap.org/

JA4+ is a suite of network fingerprinting methods that is being implemented across the industry. It consists of the following methods, with more being added on a regular basis:

For this investigation, we are primarily utilizing JA4TCP (JA4T). You can read up on how JA4T works in this blog post. In short, it’s a collection of artifacts from the TCP SYN and SYN-ACK packets of the TCP three-way handshake. These fingerprints allow us to identify client and server operating systems, devices, certain applications, and hosting/provider characteristics, to determine whether a connection is going through a tunnel, VPN or proxy, and to troubleshoot network issues.
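As an added illustration (not code from the original post or from the JA4+ repositories), the following Python builds a JA4T-style string from a raw TCP SYN header and flags destination ports whose fingerprint differs from the one the same client shows elsewhere, which is how a proxied port stands out. It assumes the layout window size, option kinds, MSS, window scale, with `00` for absent fields; the function names, the SYN headers and every value in them are constructed for the example.

```python
import struct
from collections import Counter

def ja4t(tcp_header: bytes) -> str:
    """JA4T-style string: window_optionkinds_mss_windowscale ("00" if absent)."""
    window = struct.unpack("!H", tcp_header[14:16])[0]
    opts = tcp_header[20:(tcp_header[12] >> 4) * 4]  # data offset gives header length
    kinds, mss, wscale, i = [], "00", "00", 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                    # End of Option List: the rest is padding
            break
        if kind == 1:                    # NOP is a single byte with no length field
            kinds.append("1")
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2 or i + opts[i + 1] > len(opts):
            break                        # malformed or truncated option
        length = opts[i + 1]
        value = opts[i + 2:i + length]
        kinds.append(str(kind))
        if kind == 2 and length == 4:    # Maximum Segment Size
            mss = str(struct.unpack("!H", value)[0])
        elif kind == 3 and length == 3:  # Window Scale
            wscale = str(value[0])
        i += length
    return f"{window}_{'-'.join(kinds) or '00'}_{mss}_{wscale}"

def differing_ports(syns: dict) -> dict:
    """Map port -> JA4T for ports that do not show the client's most common fingerprint."""
    prints = {port: ja4t(hdr) for port, hdr in syns.items()}
    baseline = Counter(prints.values()).most_common(1)[0][0]
    return {p: f for p, f in prints.items() if f != baseline}

def build_syn(dport: int, window: int, options: bytes) -> bytes:
    """Constructed sample: a TCP header with only the SYN flag set, plus options."""
    options += b"\x00" * (-len(options) % 4)            # pad to a 32-bit boundary
    offset_flags = (((20 + len(options)) // 4) << 12) | 0x002
    return struct.pack("!HHIIHHHH", 40000, dport, 1, 0, offset_flags, window, 0, 0) + options

# Constructed SYNs as a server would receive them from one VPN client on four ports.
DIRECT = bytes([2, 4]) + struct.pack("!H", 1460) + bytes([4, 2, 8, 10]) + bytes(8) + bytes([1, 3, 3, 7])
PROXY = bytes([2, 4]) + struct.pack("!H", 1460) + bytes([1, 3, 3, 9, 1, 1, 4, 2])
SAMPLE = {p: build_syn(p, 64240, DIRECT) for p in (22, 80, 443)}
SAMPLE[5060] = build_syn(5060, 65535, PROXY)  # this port shows a different TCP stack

if __name__ == "__main__":
    print(differing_ports(SAMPLE))
```
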
