A reference on Cloudflare's network-layer fingerprinting: how JA3, JA4, and the HTTP/2 frame profile are computed at the edge, what cf.bot_management exposes, and how those signals feed the 1-99 bot score.
What a ClientHello actually contains, why JA3 worked for six years and then stopped, and what JA4 fixes, with a Python reference you can run against your own packet captures.
A primary-source walk through intercepting a mobile app's backend: proxying TLS, why certificate pinning stops you, how runtime unpinning works conceptually, and decoding schema-less protobuf payloads.
A field-by-field dissection of the TLS ClientHello, tracing exactly which bytes JA3 and JA4 read: version, cipher suites, compression, extensions, supported_groups, signature_algorithms, supported_versions, key_share, and ALPN.
A reference walk through the full JA4+ suite: how each of JA4, JA4S, JA4H, JA4L, JA4X, JA4T and JA4SSH is constructed, what it captures, and how the a_b_c format lets the parts compose.
A deep dive into uTLS: how the Go library forges a chosen browser's ClientHello through ClientHelloID parrots and handshake control, why Go's crypto/tls is otherwise easy to fingerprint, and where the mimicry still leaks.
Traces GREASE (RFC 8701), the reserved random values browsers inject into the TLS ClientHello to keep extension points usable, and the reason fingerprinting that fails to normalize them produces a different hash on every connection.
Traces how the cipher_suites list and its exact order in a TLS ClientHello identify a client, why that order is fixed per build, and why reordering it to evade detection becomes its own signal.
How the order of TLS extensions became a fingerprint, why Chrome started shuffling that order in early 2023 with a Fisher-Yates permutation in BoringSSL, and how JA4 answered by sorting the list.
How detectors catch tools that forge a perfect browser ClientHello: the mismatch between the TLS layer and the HTTP/2 frames above it, library-specific residue, header order, and version drift.
How TLS session resumption becomes a fingerprint and a behavior signal: session tickets, TLS 1.3 PSK, 0-RTT early data, and the resumption patterns that reveal a client or break a spoof.
Traces how the ALPN protocol list in a TLS ClientHello, and its predecessor NPN, fingerprints a client, and why the offered protocols and their order must agree with the HTTP layer that follows or the whole session looks forged.
How ECH encrypts the inner ClientHello, including SNI, with an HPKE key fetched from DNS, what the outer ClientHello still leaks, and where deployment actually stands now that RFC 9849 has shipped.
A version-by-version catalog of how Chrome, Firefox, Safari, and Edge ClientHellos changed from 2015 to 2026: GREASE, extension permutation, post-quantum key shares, and what a current per-browser fingerprint looks like.
Where TLS fingerprints are actually computed in a server stack: the OpenSSL and BoringSSL callbacks that hand you the raw ClientHello, the nginx, HAProxy, and Envoy modules built on them, and the constraints that decide whether you get the bytes at all.
Traces how a default Python requests handshake gives itself away in the ClientHello: the OpenSSL cipher list, the extension set, the missing GREASE, and why curl-cffi and uTLS-style impersonation exist.
Traces why TLS added post-quantum key exchange, how ML-KEM (FIPS 203) works, how the X25519MLKEM768 hybrid construction is built, and how the 2024-2026 browser rollout grew the ClientHello past one packet.
Traces how the 1,216-byte X25519MLKEM768 key share splits the ClientHello across packets, why classic TLS libraries without it now stand out, and what matching a 2026 Chrome handshake actually requires.
A message-by-message walk of the RFC 8446 handshake: ClientHello, HelloRetryRequest, ServerHello, EncryptedExtensions, Certificate, and Finished, marking exactly which bytes a passive observer can read and which the key schedule has already locked away.
Traces how Certificate Transparency turns CA mis-issuance into a public, append-only Merkle-tree record: SCTs, the gossip and audit model, how browsers enforce it, and why the same logs hand attackers a free subdomain map.
Traces how certificate revocation works on the web: CRLs, the OCSP request/response, stapling in the TLS handshake, must-staple, the privacy leak of plain OCSP, and why Let's Encrypt shut its responders off in 2025.
Traces how Mozilla, Apple, Microsoft, and Chrome curate the root CAs that anchor every HTTPS connection, the governance machinery behind inclusion and removal, and the Symantec, TrustCor, and Entrust distrust events that show the system enforcing itself.
How mutual TLS works at the message level, the CertificateRequest, Certificate, and CertificateVerify exchange in TLS 1.3, where client certificates are deployed, and why a private key beats every behavioral signal.
Traces what happens when a CDN or load balancer terminates TLS at the edge: which certificate the client validates, what fingerprint the origin actually sees, how traffic is re-encrypted to origin, and who you are trusting with the cleartext.