What is a JA3 / JA4 TLS fingerprint?
JA3 and its successor JA4 summarize the TLS ClientHello — the cipher suites, extensions, elliptic curves and their order a client offers when it connects. The server can hash this and recognize the client stack before a single byte of HTTP is sent.
This matters for stealth because a browser that claims to be Chrome in its User-Agent but presents a non-Chrome (or wrong-version) TLS handshake is instantly incoherent. Tooling that spoofs JavaScript over a mismatched network stack fails exactly here.
Clearcote keeps the TLS shape coherent with the persona's claimed Chrome version — only the version-variant fields (post-quantum key-share group, ALPS codepoint) change, while the cipher list and per-connection extension permutation stay real-Chrome (a fixed JA3 is itself a tell). See --fingerprint-tls-profile in the fingerprint flags.