How a side effect of password reuse became an industrialized attack: the term's 2011 coinage, the breach dumps that fed it, the Sentry MBA and OpenBullet toolchains, and the defenses that grew up around it.
Traces FunCaptcha from Kevin Gosschalk's game-dev roots and the 2014-era rotate-the-image challenge to the Arkose Labs rebrand, the MatchKey suite, and the cost-of-attack model now defending Twitter, Microsoft and OpenAI.
How reCAPTCHA went from a crowdsourced OCR project at Carnegie Mellon in 2007 to Google's invisible risk-scoring engine, traced through the original Science paper, announcements, and version changes.
Traces the WAF from network packet filters that could not see HTTP, through Sanctum AppShield and Ivan Ristic's ModSecurity, the OWASP Core Rule Set, PCI DSS pushing adoption, to cloud WAFs and machine-learning attack scoring.
Traces browser fingerprinting from Mayer's 2009 deanonymization experiment and Eckersley's Panopticlick through canvas, the AmIUnique and Hiding-in-the-Crowd studies, the commercial anti-fraud market, and the browser-vendor pushback.
Traces the 2010 EFF Panopticlick experiment and Eckersley's 'How Unique Is Your Web Browser?' paper: the 18.1-bit result, the eight measurements, the entropy math, the fingerprint-tracking heuristic, and the Cover Your Tracks rebrand.
How QUIC went from a 2012 Google experiment in Chrome and YouTube to a standardized IETF transport, traced through gQUIC, the TLS 1.3 redesign, HTTP/3, and the May 2021 publication of RFC 9000.
Traces the certificate authority from X.509's 1988 origins and the VeriSign oligopoly through the breaches that broke the trust model — Comodo, DigiNotar, TURKTRUST, Symantec — to Certificate Transparency and the CA/Browser Forum.
Two case studies in how browsers strip a certificate authority of trust: DigiNotar's 2011 breach and bankruptcy, and Symantec's 2017 mis-issuance saga and Google's staged distrust.
A timeline of TLS-client fingerprinting: the p0f-era SSL patches, Lee Brotherston's FingerprinTLS, Salesforce's JA3 and JARM, Cisco's destination-context work, and FoxIO's JA4+ suite.
How anti-detect browsers grew out of carding forums and affiliate multi-accounting into a commercial tool category, and why the work moved from JavaScript spoofing into the browser engine itself.
Two decades of the market that sells CAPTCHA solutions: the human-solver farms, the wage economics that gutted text CAPTCHAs, the OCR and audio breaks, and the multimodal-model solvers of 2026.
Tracing Tor from the 1995 Naval Research Lab onion-routing prototype through the 2002 release, the 2006 nonprofit, the v3 onion-service rewrite, and the Tor Browser's uniform-fingerprint defense against tracking.
Traces Let's Encrypt from the 2013 founding of ISRG and the ACME protocol through the 2016 launch, the march to a majority-HTTPS web, and the 2024-2026 move from OCSP to CRLs and short-lived certificates.