Post-quantum TLS rolled out last January and broke most open-source scrapers
The introduction of post-quantum TLS has significantly impacted web scraping techniques. JA4 fingerprints now classify bots with 98.6% accuracy, making traditional methods like User-Agent rotation ineffective. As a result, many open-source scraping tools are struggling to adapt to these new standards.
- ▪JA4 fingerprints classify bots at 98.6% accuracy using only TLS handshake features.
- ▪Post-quantum key exchange became the default for connections on January 31, 2026, leading to larger ClientHello sizes.
- ▪Most open-source scraping stacks have not yet implemented PQ-compatible TLS, putting them at a disadvantage.
Opening excerpt (first ~120 words) tap to expand
← All posts Industry Insight May 12, 2026 5 min read JA4 and Post-Quantum TLS Broke the Basic Scraper Your User-Agent header doesn't matter anymore. JA4 fingerprints classify bots at 98.6% accuracy before headers are even read. Here's what shifted in 2026. tls-fingerprintingja4bot-detectionweb-scrapinganti-bot The TLS Handshake Is the Bot Detection Floor 98.6%. That's the classification accuracy a CatBoost model hit using only JA4 features. No headers. No IPs. No behavior. Just the shape of the TLS handshake. The arXiv paper landed in February 2026, and the result isn't an outlier. Cloudflare, AWS, VirusTotal, and Akamai all run JA4 (or its earlier cousin JA3) in production.
…
Excerpt limited to ~120 words for fair-use compliance. The full article is at FourA Blog.
Discussion
0 commentsMore from FourA Blog
