[/tools/network]

network details

share on xlinkedin

the handshake · browser ↔ detection provider

datadome

  1. 1.loader
    tags.js boots from api-js.datadome.co
  2. 2.collect
    reads canvas / webgl / events / transport tells
  3. 3.telemetry POST
    ships the signal blob to api-js.datadome.co/js/
  4. 4.cookie set
    plants the `datadome` cookie, bound to ip + ua + tls
  5. 5.gate
    403 + dd{} json → captcha-delivery.com on a bad score

cloudflare turnstile

  1. 1.loader
    challenges.cloudflare.com/turnstile/v0/api.js
  2. 2.collect
    managed challenge probes + proof-of-work
  3. 3.telemetry POST
    /cdn-cgi/challenge-platform/.../jsd
  4. 4.token set
    issues cf-turnstile-response; cf_clearance on pass
  5. 5.gate
    siteverify binds the token to ip + ua server-side

the cookie/token contract lives in cookie monster · the loader's probes in bot-detector intel

network knowledge base

a distinct catalog of transport and timing signals. these never appear in page javascript the way a fingerprint surface does, so they live here, not in the fingerprint knowledge base. each entry deep-links by its #net-key.

  • transport · tls
  • transport · http
  • transport · tcp
  • network info
  • webrtc
  • ip & proxy reputation
  • os via traffic
  • coherence
  • timing · network
  • timing · chronometric
  • timing · hardware
  • timing · side-channel

ja3

high · transport · tls

what it reveals

MD5 of the TLS ClientHello (version, ciphers, extensions, curves, EC-point-formats) in wire order. Identifies the TLS stack (browser/library/OS).

measurability

client (page js)
no
server (the wire)
yes

evasion

Order-sensitive, so broken by Chrome 110+ extension-order randomization and cipher-stunting. Defeating JA3 is not defeating JA4.

#net-tls.ja3reference ↗