| Scrapfly

Extension Details

Extension Name

extended_master_secret

Extension Code (Decimal)

23

Extension Code (Hex)

0x0017

RFC Reference

RFC 7627

What is extended_master_secret?

The Extended Master Secret extension addresses the "Triple Handshake Attack" vulnerability in TLS 1.2 and earlier by binding the master secret to the full handshake context. Without this extension, an attacker performing a man-in-the-middle attack could potentially force the client and server to derive the same master secret for different handshakes. The extended master secret is computed using a hash of the entire handshake, preventing this attack. Defined in RFC 7627, this extension significantly improves TLS security and is widely supported by modern clients.

Role in JA3 Fingerprinting

How This Extension Affects Fingerprinting

The extended_master_secret extension is part of the TLS Client Hello packet that JA3 analyzes to create a unique fingerprint of your browser or HTTP client.

JA3 Construction: JA3 concatenates TLS parameters including extensions in a specific format:
TLS_VERSION,CIPHERS,EXTENSIONS,CURVES,POINT_FORMATS

Different browsers and HTTP clients support different sets of TLS extensions, making this a key differentiator in fingerprinting. The presence, absence, or order of extensions like extended_master_secret can reveal:

Browser type and version (Chrome, Firefox, Safari, Edge)
Operating system (Windows, macOS, Linux, Android, iOS)
HTTP library (curl, Python requests, Go http.Client, Node.js)
Bot detection - automated tools often have distinctive extension sets

Test Your TLS Configuration

See if your browser or HTTP client includes the extended_master_secret extension in its TLS handshake:

Test Your JA3 Fingerprint

The JA3 tool will show all TLS extensions your client advertises, including extended_master_secret.

Browser & Client Support

Modern Browser Support:

Chrome/Edge: Full support for extended_master_secret
Firefox: Full support for extended_master_secret
Safari: Full support for extended_master_secret

HTTP Client Libraries:

curl: Support varies by OpenSSL/LibreSSL version
Python requests: Limited TLS extension control
curl_cffi: Can mimic browser TLS configurations
Scrapfly API: Automatically matches real browser TLS fingerprints

Related TLS Resources

TLS Extensions

Testing Tools

Technical References

RFC Specification: RFC 7627 - TLS Extensions
IANA Registry: TLS ExtensionType Values
JA3 Project: JA3 - TLS Client Fingerprinting