<?xml version="1.0" encoding="utf-8"?>
<feed xmlns="http://www.w3.org/2005/Atom"><title>Peakhour.IO - Browser Fingerprinting</title><link href="https://www.peakhour.io/" rel="alternate"></link><link href="https://www.peakhour.io/feeds/tag/browser-fingerprinting.atom.xml" rel="self"></link><id>https://www.peakhour.io/</id><updated>2026-07-06T13:00:00+10:00</updated><entry><title>Fingerprints Are Evidence, Not Identity</title><link href="https://www.peakhour.io/blog/fingerprints-are-evidence-not-identity/" rel="alternate"></link><published>2026-06-19T00:00:00+10:00</published><updated>2026-06-19T00:00:00+10:00</updated><author><name>AC</name></author><id>tag:www.peakhour.io,2026-06-19:/blog/fingerprints-are-evidence-not-identity/</id><summary type="html">&lt;p&gt;Browser and network fingerprints are useful security evidence, but they should not be treated as proof of a person's identity.&lt;/p&gt;</summary><content type="html">&lt;p&gt;The word "fingerprint" can create the wrong expectation.&lt;/p&gt;
&lt;p&gt;In security, a browser or network fingerprint is not the same as a human fingerprint. It does not prove who a person is. It does not remove uncertainty. It should not be treated as a permanent identity for a customer.&lt;/p&gt;
&lt;p&gt;A fingerprint is evidence. Sometimes it is strong evidence. Sometimes it is weak, common, stale, or deliberately manipulated. Its value comes from how it is combined with route, behaviour, account state, network context, credential risk, and the action being requested.&lt;/p&gt;
&lt;p&gt;That distinction is more than wording. It affects how security teams design controls, explain decisions, and avoid overblocking legitimate users.&lt;/p&gt;
&lt;h2&gt;What Network Fingerprints Can Tell You&lt;/h2&gt;
&lt;p&gt;&lt;a href="/learning/fingerprinting/what-is-network-fingerprinting/"&gt;Network fingerprinting&lt;/a&gt; compares connection and protocol evidence. TCP behaviour, TLS handshakes, JA3 or JA4-style representations, HTTP/2 settings, header shape, MTU, proxy indicators, ASN, and path characteristics can all help classify the client or infrastructure behind a request.&lt;/p&gt;
&lt;p&gt;That can be useful during credential stuffing, scraping, scanning, API abuse, or Layer 7 attack pressure. Attackers may rotate IP addresses, but parts of the client stack or automation framework can remain consistent. Grouping requests by network evidence can make rate limiting, bot detection, and investigation more precise than IP-only rules.&lt;/p&gt;
&lt;p&gt;But the fingerprint is still not identity.&lt;/p&gt;
&lt;p&gt;Common browsers can share similar network shapes. Mobile networks and carrier-grade NAT can make unrelated users appear close together. VPNs and residential proxies can distort source context. Browser and library updates can change fingerprints overnight. Hashing can make signals portable while hiding useful detail. Attack tools can also try to imitate normal clients.&lt;/p&gt;
&lt;p&gt;The right conclusion from a suspicious network fingerprint is not "we know who this is". It is "this request deserves a different level of confidence".&lt;/p&gt;
&lt;h2&gt;What Browser Fingerprints Can Add&lt;/h2&gt;
&lt;p&gt;&lt;a href="/learning/fingerprinting/what-is-browser-fingerprinting/"&gt;Browser fingerprinting&lt;/a&gt; adds evidence from the application layer and, where appropriate, browser-side checks. Headers, client hints, JavaScript-visible properties, rendering behaviour, storage behaviour, timezone, language, permissions, and API availability can help decide whether a request looks like the browser it claims to be.&lt;/p&gt;
&lt;p&gt;This matters because many attacks try to borrow the appearance of ordinary browser traffic. Automation frameworks, emulators, headless browsers, anti-detect browsers, and scripted API clients can all present a user-agent string that looks plausible. Browser evidence helps compare the claim with the rest of the request.&lt;/p&gt;
&lt;p&gt;Again, the useful output is confidence, not identity. A browser fingerprint might support a challenge. It might support a lower rate limit. It might explain why a session changing an email address needs step-up verification. It might help &lt;a href="/products/bot-management/"&gt;bot management&lt;/a&gt; separate obvious automation from normal traffic.&lt;/p&gt;
&lt;p&gt;It should not become a claim that one technical pattern equals one person.&lt;/p&gt;
&lt;h2&gt;The Comparison Matters&lt;/h2&gt;
&lt;p&gt;Peakhour's page on &lt;a href="/learning/fingerprinting/browser-fingerprinting-vs-network-fingerprinting/"&gt;browser fingerprinting vs network fingerprinting&lt;/a&gt; makes the operational split clear. Network fingerprints usually come from passive connection and protocol evidence. Browser fingerprints often involve request and browser-side evidence. They answer related but different questions.&lt;/p&gt;
&lt;p&gt;A strong decision often needs both.&lt;/p&gt;
&lt;p&gt;A request claiming to be a normal browser should look broadly consistent across TLS, HTTP/2, headers, JavaScript-visible browser properties, proxy context, route behaviour, and account history. If the browser looks normal but the network path resembles a known automation cluster, that is useful. If the network path looks ordinary but the browser evidence is inconsistent or missing on a sensitive route, that is useful too.&lt;/p&gt;
&lt;p&gt;The mismatch is the signal. The response still depends on consequence.&lt;/p&gt;
&lt;p&gt;A suspicious request to a public asset route might only need logging. The same evidence on login, password reset, stored-card checkout, account email change, admin access, or an expensive API route may justify a challenge, tighter limit, temporary hold, or review.&lt;/p&gt;
&lt;h2&gt;How to Use Fingerprints Responsibly&lt;/h2&gt;
&lt;p&gt;Fingerprints work best when they are attached to an explainable decision. A security event should show the route, account or token context where relevant, source network evidence, browser evidence, policy action, response code, and review outcome. That gives operators a way to understand and correct decisions.&lt;/p&gt;
&lt;p&gt;Peakhour's guide to &lt;a href="/learning/fingerprinting/network-fingerprint-signals-and-security-decisions/"&gt;network fingerprint signals and security decisions&lt;/a&gt; frames the choices properly: allow, log, challenge, rate limit, block, or review. A fingerprint should help choose among those actions. It should not replace judgement.&lt;/p&gt;
&lt;p&gt;Responsible use also means accepting uncertainty. Fingerprints collide. They drift. They can be spoofed. Some privacy tools intentionally reduce or alter browser signals. Some legitimate users have unusual configurations. Some high-risk requests have only partial evidence.&lt;/p&gt;
&lt;p&gt;That uncertainty does not make fingerprints useless. It means they should be one layer in a wider control set.&lt;/p&gt;
&lt;p&gt;For account and API security, the practical question is not "can this fingerprint identify a person?" It is "does this evidence change the confidence we should place in this request?"&lt;/p&gt;
&lt;p&gt;If the answer is yes, use it carefully. Increase scrutiny on sensitive actions. Reduce friction where evidence is clean. Preserve enough context for review. Avoid pretending that a technical fingerprint is a human identity.&lt;/p&gt;
&lt;p&gt;That is the more accurate model, and it leads to better security decisions.&lt;/p&gt;
&lt;p&gt;For a protocol-level example, see &lt;a href="/blog/fingerprint-is-a-cohort-not-a-client/"&gt;A network fingerprint is a cohort, not a client&lt;/a&gt;. It compares the information retained by JA3, JA4 and Cisco Mercury and explains why a matching TLS value can still cover many applications and users.&lt;/p&gt;</content><category term="API Security"></category><category term="API Security"></category><category term="Fingerprinting"></category><category term="Bot Management"></category><category term="Account Protection"></category><category term="Network Fingerprinting"></category><category term="Browser Fingerprinting"></category></entry><entry><title>The Invisibility Cloak</title><link href="https://www.peakhour.io/blog/bots-residential-proxies-anti-detect-browsers/" rel="alternate"></link><published>2025-09-01T00:00:00+10:00</published><updated>2025-09-01T00:00:00+10:00</updated><author><name>AC</name></author><id>tag:www.peakhour.io,2025-09-01:/blog/bots-residential-proxies-anti-detect-browsers/</id><summary type="html">&lt;p&gt;Learn how attackers combine residential proxies and anti-detect browsers to evade detection and how modern security tools can fight back.&lt;/p&gt;</summary><content type="html">&lt;p&gt;Every time you connect to a website, you leave behind a "digital fingerprint." This is not a physical fingerprint, but a set of signals from your device and browser. Security tools analyse this fingerprint—which includes your IP address, browser type, operating system, supported fonts, and even subtle characteristics of your network connection (&lt;a href="/blog/tls-fingerprinting/"&gt;TLS fingerprinting&lt;/a&gt;)—to distinguish legitimate users from malicious bots.&lt;/p&gt;
&lt;p&gt;For years, this was a reliable way to spot automated threats. Bots often had clumsy, inconsistent fingerprints that made them easier to identify. Today, attackers can combine tools that mimic real users closely enough to weaken many traditional defences. The two most important components of this modern "invisibility cloak" are &lt;a href="/products/residential-proxy-detection/"&gt;residential proxies&lt;/a&gt; and anti-detect browsers.&lt;/p&gt;
&lt;h2&gt;What Are Residential Proxies?&lt;/h2&gt;
&lt;p&gt;A residential proxy is an intermediary server that uses an IP address assigned by an Internet Service Provider (ISP) to a real home internet connection. When a bot routes its traffic through a residential proxy, its requests appear to originate from a genuine home user, not a data centre.&lt;/p&gt;
&lt;p&gt;These proxy networks are large, often containing millions of IP addresses sourced from around the globe. How are these IPs obtained? Often through questionable means:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;Malware and Botnets&lt;/strong&gt;: Unsuspecting users' devices are infected with malware that turns them into proxy endpoints.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;SDKs in Free Apps&lt;/strong&gt;: Some free applications (often VPNs or mobile apps) include code that enrols the user's device into a proxy network in exchange for using the app, often without the user's full knowledge or consent.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;By rotating through this large pool of legitimate-looking IPs, attackers can launch large-scale attacks that are difficult to separate from normal traffic. To a website's security system, a distributed attack from a residential proxy network looks like thousands of individual customers from different locations.&lt;/p&gt;
&lt;h2&gt;What Are Anti-Detect Browsers?&lt;/h2&gt;
&lt;p&gt;While residential proxies mask the attacker's network location, anti-detect browsers are designed to spoof the rest of the digital fingerprint. These specialised browsers allow an attacker to create and manage thousands of unique browser profiles, each with a customised and consistent fingerprint.&lt;/p&gt;
&lt;p&gt;An anti-detect browser can control and randomise every detail a website uses for identification, including:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;Browser type and version (e.g., Chrome, Firefox, Safari)&lt;/li&gt;
&lt;li&gt;Operating system (Windows, macOS, iOS, Android)&lt;/li&gt;
&lt;li&gt;Screen resolution, fonts, and plugins&lt;/li&gt;
&lt;li&gt;Time zone and language settings&lt;/li&gt;
&lt;li&gt;Subtle browser characteristics like Canvas and WebGL rendering&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;With a few clicks, an attacker can make a single machine in one country appear as thousands of unique users on different devices and operating systems from all over the world.&lt;/p&gt;
&lt;h2&gt;The Combined Threat: A Perfect Storm for Attacks&lt;/h2&gt;
&lt;p&gt;When attackers combine residential proxies with anti-detect browsers, they cover both the network and browser layers that many controls rely on. The residential proxy provides a legitimate IP address, and the anti-detect browser provides a consistent, human-looking browser fingerprint.&lt;/p&gt;
&lt;p&gt;This combination makes attacks like large-scale credential stuffing, content scraping, and inventory scalping much harder to distinguish from legitimate user traffic. Each malicious request appears to be from a unique person on a standard device, using a normal home internet connection.&lt;/p&gt;
&lt;h2&gt;Why Traditional Defenses Fail and What to Do About It&lt;/h2&gt;
&lt;p&gt;This level of sophistication weakens traditional security measures:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;IP Blocklists and Reputation Services&lt;/strong&gt;: These struggle when attackers are using a constantly rotating pool of millions of legitimate residential IP addresses. Our own research shows that even the best IP intelligence services &lt;a href="/blog/anti-fraud-residential-proxy-detection/"&gt;fail to detect the vast majority of residential proxy traffic&lt;/a&gt;.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Basic Browser Fingerprinting&lt;/strong&gt;: Anti-detect browsers are specifically designed to defeat these checks by providing a consistent and realistic fingerprint.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;To combat this combined threat, organisations need a modern approach to bot detection that looks beyond the surface:&lt;/p&gt;
&lt;ol&gt;
&lt;li&gt;&lt;strong&gt;Advanced Network Fingerprinting&lt;/strong&gt;: Instead of just looking at the IP address, modern solutions analyse the underlying characteristics of the network connection itself (like the TLS/JA3 fingerprint). These signatures can often identify the underlying automation tool or proxy network, even when the IP address appears legitimate.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Behavioural Analysis&lt;/strong&gt;: Advanced systems model normal user behaviour—such as mouse movements, typing speed, and page navigation—to identify the subtle, non-human patterns of automation that even sophisticated bots can't perfectly mimic.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Hardware and Rendering Fingerprinting&lt;/strong&gt;: While anti-detect browsers can spoof software-level details, faking the underlying hardware is far more difficult. Advanced techniques, such as those used in &lt;a href="/learning/fingerprinting/what-is-google-picasso/"&gt;Google's Picasso&lt;/a&gt;, analyse how a device renders graphics (e.g., Canvas and WebGL), processes audio, and performs CPU-intensive tasks. This creates a hardware fingerprint based on the unique characteristics of the GPU, audio stack, and CPU clock speed. This fingerprint can reveal inconsistencies between the claimed browser profile and the actual hardware being used. When combined with network fingerprinting and residential proxy detection, this becomes a strong signal for identifying a single machine attempting to impersonate many different users.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Dedicated Residential Proxy Detection&lt;/strong&gt;: Specialised techniques are required to identify traffic coming from residential proxy networks. This is a critical signal, as very few legitimate users have a reason to route their traffic this way.&lt;/li&gt;
&lt;/ol&gt;
&lt;p&gt;Attackers using residential proxies and anti-detect browsers are harder to identify, but they still leave signals. Network characteristics, hardware fingerprints, and the behavioural tells of automation give security teams a better chance of separating the bot from the user it is trying to resemble.&lt;/p&gt;</content><category term="Security"></category><category term="Browser Fingerprinting"></category><category term="Fingerprinting"></category><category term="Residential Proxies"></category><category term="Bot Management"></category><category term="TLS Fingerprinting"></category><category term="Credential Stuffing"></category></entry><entry><title>Anti-Detect Browsers</title><link href="https://www.peakhour.io/blog/anti-detect-browsers-application-security-threat/" rel="alternate"></link><published>2025-01-15T10:00:00+11:00</published><updated>2025-01-15T10:00:00+11:00</updated><author><name>AC</name></author><id>tag:www.peakhour.io,2025-01-15:/blog/anti-detect-browsers-application-security-threat/</id><summary type="html">&lt;p&gt;Anti-detect browsers represent one of the most sophisticated threats facing modern web applications and APIs. Learn how these tools work, why they pose a significant threat to application security, and how modern security platforms can detect and mitigate their use.&lt;/p&gt;</summary><content type="html">&lt;p&gt;Anti-detect browsers matter to defenders because they attack the assumptions behind browser trust. Many bot and fraud controls look for consistency between the browser, network, session, and behaviour. Anti-detect tooling is designed to make automated or repeated activity look more like separate ordinary browser sessions.&lt;/p&gt;
&lt;p&gt;This article is not a guide to using those tools. The defensive question is simpler: when a browser tries to look ordinary, what can still be observed safely, and how should that evidence affect a request decision?&lt;/p&gt;
&lt;h2&gt;Why They Create Risk&lt;/h2&gt;
&lt;p&gt;Anti-detect browsers are often discussed as a browser-fingerprinting problem, but the risk is wider than that. The same traffic may also involve residential proxies, credential lists, automation, and API requests that never run browser-side checks. A login attempt, account creation flow, product scrape, checkout request, or mobile API call may look valid at the protocol level while still being part of an automated campaign.&lt;/p&gt;
&lt;p&gt;The hard part is that some signals are genuinely ambiguous. A changed browser, a new device, a shared network, or a privacy tool does not prove abuse. A defensive system has to treat those observations as risk inputs, not as standalone verdicts.&lt;/p&gt;
&lt;h2&gt;Browser Consistency Is Evidence, Not Identity&lt;/h2&gt;
&lt;p&gt;Anti-detect tooling tries to make browser-reported attributes look internally consistent. That weakens simple checks that only ask whether the browser appears plausible. Defenders need a broader view: does the claimed browser line up with the network stack, TLS and HTTP behaviour, session history, cookie continuity, route sequence, response-code pattern, and recent account behaviour?&lt;/p&gt;
&lt;p&gt;That does not mean a fingerprint identifies a person. Fingerprints classify software, client behaviour, and connection characteristics. They can help separate likely automation from ordinary traffic, but they need to be combined with route, account, proxy, and behavioural context. The result should be a risk classification with evidence attached, not an unexplained block.&lt;/p&gt;
&lt;h2&gt;Residential Proxies Change the Decision&lt;/h2&gt;
&lt;p&gt;Residential proxies are a common companion signal because they make requests appear to come from consumer networks. That creates a false-positive problem. Real customers also use shared residential, mobile, office, carrier-grade NAT, and public Wi-Fi networks. Blocking every suspicious or shared source would damage legitimate traffic.&lt;/p&gt;
&lt;p&gt;The safer approach is to use &lt;a href="/products/residential-proxy-detection/"&gt;residential proxy detection&lt;/a&gt; as one input in the decision. A proxy signal on a public content page may be logged. The same signal on repeated login failures, account creation, checkout abuse, or sensitive APIs may justify a challenge, rate limit, or block. Context changes the action.&lt;/p&gt;
&lt;h2&gt;The API Gap&lt;/h2&gt;
&lt;p&gt;Browser-side checks are weakest where the browser is not present. Mobile apps, partner integrations, token routes, and direct API clients may not expose the same JavaScript or browser evidence that a web page does. Attackers do not need a convincing browser if the target workflow accepts valid-looking API requests.&lt;/p&gt;
&lt;p&gt;That is why anti-detect risk belongs in the wider &lt;a href="/solutions/application-security/"&gt;application security&lt;/a&gt; model. API routes need method, schema, authentication, token, request cadence, response-code, account, and bot context. If the only signal available is an IP address, the decision will be too blunt.&lt;/p&gt;
&lt;h2&gt;Observable Signals Defenders Can Use&lt;/h2&gt;
&lt;p&gt;The useful evidence is usually the mismatch between what the request claims to be and how it behaves over time. A browser may look plausible on one request, but the wider pattern can still show automation: repeated attempts across accounts, route sequences that normal users do not follow, cache-miss pressure on expensive pages, unusual response-code loops, or browser and network characteristics that drift in ways ordinary clients rarely do.&lt;/p&gt;
&lt;p&gt;&lt;a href="/products/bot-management/"&gt;Bot Management&lt;/a&gt; works best when it combines these signals rather than chasing a single magic detector. IP intelligence, proxy classification, network and browser fingerprints, route-aware rates, API state, WAF findings, and behaviour should all feed the same action vocabulary: allow, challenge, rate limit, block, log, or review.&lt;/p&gt;
&lt;h2&gt;Safer Defensive Response&lt;/h2&gt;
&lt;p&gt;The defensive response should be proportionate. High-confidence exploit traffic can be blocked quickly. Uncertain browser or proxy evidence may be better challenged, rate limited, or logged until the pattern is clearer. Sensitive routes should have tighter policy than public content. Account-impacting actions should preserve enough evidence for review.&lt;/p&gt;
&lt;p&gt;This is especially important for support teams. If a real customer is challenged or blocked, operators need to see which signal drove the action and which route was involved. Without that record, anti-bot policy becomes a black box.&lt;/p&gt;
&lt;h2&gt;Final Thoughts&lt;/h2&gt;
&lt;p&gt;Anti-detect browsers are a practical problem because they reduce the value of simple browser checks. They do not make traffic invisible. They leave request-path evidence in network behaviour, route sequences, account activity, API usage, proxy signals, and response patterns.&lt;/p&gt;
&lt;p&gt;The right goal is not to identify a person from a fingerprint or to block every unusual browser. The goal is to classify risk with enough context to choose a safe action at the edge, then keep the evidence available for tuning and review.&lt;/p&gt;</content><category term="Bots"></category><category term="Bot Management"></category><category term="Threat Detection"></category><category term="Application Security"></category><category term="Browser Fingerprinting"></category><category term="Fingerprinting"></category><category term="DevSecOps"></category></entry><entry><title>JA4 and JA4+ Network Fingerprinting</title><link href="https://www.peakhour.io/blog/overview-of-ja4-network-fingerprinting/" rel="alternate"></link><published>2023-10-25T13:00:00+11:00</published><updated>2023-10-25T13:00:00+11:00</updated><author><name>AC</name></author><id>tag:www.peakhour.io,2023-10-25:/blog/overview-of-ja4-network-fingerprinting/</id><summary type="html">&lt;p&gt;How JA4 constructs a TLS client fingerprint, what JA4+ names, and which details sorting and hashing discard.&lt;/p&gt;</summary><content type="html">&lt;p&gt;JA4+ is the name FoxIO uses for a family of network fingerprinting methods. JA4 itself is the TLS ClientHello method. It
builds on lessons from JA3, but the wider family also contains separate methods for servers, HTTP, certificates, TCP,
SSH and other observations.&lt;/p&gt;
&lt;h2&gt;JA4 and JA4+&lt;/h2&gt;
&lt;p&gt;JA4 produces an &lt;code&gt;a_b_c&lt;/code&gt; value. Its readable &lt;code&gt;a&lt;/code&gt; section records selected connection properties and counts. The &lt;code&gt;b&lt;/code&gt; and
&lt;code&gt;c&lt;/code&gt; sections are truncated SHA-256 values derived from normalised ClientHello fields. Analysts can compare selected
components, such as &lt;code&gt;JA4_ac&lt;/code&gt;, when the complete fingerprint is too narrow for the question being asked. Other JA4+
methods have their own inputs and specifications; they should not be treated as extra fields inside core JA4.&lt;/p&gt;
&lt;p&gt;JA4+ consists of various components:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;JA4&lt;/strong&gt;: TLS Client&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;JA4S&lt;/strong&gt;: TLS Server Response&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;JA4H&lt;/strong&gt;: HTTP Client&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;JA4L&lt;/strong&gt;: Light Distance/Location&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;JA4X&lt;/strong&gt;: X509 TLS Certificate&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;JA4SSH&lt;/strong&gt;: SSH Traffic&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;For a more thorough breakdown, the &lt;a href="https://blog.foxio.io/ja4-network-fingerprinting-9376fe9ca637"&gt;JA4 blog&lt;/a&gt; provides
the announcement and describes the fingerprints.&lt;/p&gt;
&lt;p&gt;JA4+ brings useful improvements, but a few aspects and quirks deserve closer attention.&lt;/p&gt;
&lt;h2&gt;What sorting changes&lt;/h2&gt;
&lt;p&gt;JA4 sorts cipher identifiers and most extension identifiers before hashing them. This was especially useful after
Chrome began permuting TLS extension order. Sorting puts those permutations back into one cohort. It also discards the
order as evidence. That is the trade-off: a more stable identifier retains less information about how the ClientHello
was serialised.&lt;/p&gt;
&lt;p&gt;Where investigation matters, retain the raw JA4 form as well as the compact value. &lt;code&gt;JA4_r&lt;/code&gt; exposes the normalised
cipher, extension and signature-algorithm lists, which makes a difference easier to inspect.&lt;/p&gt;
&lt;p&gt;The &lt;a href="https://www.peakhour.io/blog/tls-fingerprinting/"&gt;overview of TLS fingerprinting&lt;/a&gt; provides a more in-depth explanation of how a TLS signature is formed.&lt;/p&gt;
&lt;p&gt;Chrome's change was intended to stop servers and middleboxes from depending on one fixed extension order. In our
&lt;a href="/blog/tls-extension-randomisation/"&gt;extension-randomisation analysis&lt;/a&gt;, the number of order-sensitive TLS fingerprints
rose sharply after the rollout. Sorting reduced that artificial fragmentation. It did not make the resulting value a
client identity, and it did not preserve every distinction in the original handshake.&lt;/p&gt;
&lt;h2&gt;JA3 and Mercury took different paths&lt;/h2&gt;
&lt;p&gt;Before digging further into JA4+'s features and limitations, it helps to separate two related lineages. The
&lt;a href="https://github.com/salesforce/ja3"&gt;original JA3&lt;/a&gt; established a portable TLS fingerprint that was easy to share and
match. Cisco Mercury developed a richer protocol representation and a separate destination-context classification
system. Mercury is not a predecessor in the JA3-to-JA4 naming line. Our &lt;a href="/blog/two-lineages-tls-fingerprinting/"&gt;history of the two lineages&lt;/a&gt;
explains where their work overlaps and where it does not.&lt;/p&gt;
&lt;h2&gt;Implementation differences still matter&lt;/h2&gt;
&lt;p&gt;While sharing signatures through SHA is appealing, it has limits, most notably potential compatibility issues. As Fastly
&lt;a href="https://www.fastly.com/blog/the-state-of-tls-fingerprinting-whats-working-what-isnt-and-whats-next"&gt;noted&lt;/a&gt;, differences
in the implementation can be hidden behind the SHA hash, causing issues when searching for and correlating signatures
between different services. Record the implementation and version that generated a value; a shared format name does not
prove that two sensors handled every field identically.&lt;/p&gt;
&lt;h2&gt;Check the method, implementation and licence&lt;/h2&gt;
&lt;p&gt;The &lt;a href="https://github.com/FoxIO-LLC/ja4"&gt;official JA4+ repository&lt;/a&gt; contains the current specifications and implementations.
Check the licence for the individual method before adopting it: core JA4 is BSD-3-Clause, while most other JA4+ methods
use the FoxIO Licence and place additional conditions on commercial use.&lt;/p&gt;
&lt;p&gt;For a field-level example rather than a format summary, our &lt;a href="/blog/one-clienthello-ja3-ja4-mercury-lab/"&gt;same-ClientHello lab&lt;/a&gt;
records JA3, JA4, &lt;code&gt;JA4_r&lt;/code&gt; and Mercury NPF output from one packet and pins the implementations that generated them.&lt;/p&gt;</content><category term="Security"></category><category term="TLS Fingerprinting"></category><category term="Fingerprinting"></category><category term="Browser Fingerprinting"></category><category term="TLS"></category><category term="SOC 2"></category><category term="Threat Detection"></category></entry><entry><title>Web scraping another Business' website</title><link href="https://www.peakhour.io/blog/is-it-legal-to-scrape-a-competitors-website/" rel="alternate"></link><published>2023-10-11T13:00:00+11:00</published><updated>2023-10-11T13:00:00+11:00</updated><author><name>Legalvision</name></author><id>tag:www.peakhour.io,2023-10-11:/blog/is-it-legal-to-scrape-a-competitors-website/</id><summary type="html">&lt;p&gt;Scraping competitor websites is a common practice, but is it legal? Read on to find out.&lt;/p&gt;</summary><content type="html">&lt;p&gt;As businesses continue to build their presence online, screen scraping is becoming more prevalent. Screen scraping is
the use of software or code to take data from another website. For example, popular platforms like Skyscanner or
booking.com usually take price data on flights and accommodation and display it on their websites. However, Australian
copyright laws or the website owner’s terms and conditions may forbid you from screen scraping. This article explains
the legal aspects of scraping data from another business’ website and the precautions you should take.&lt;/p&gt;
&lt;h2&gt;Am I Violating the Law by Screen Scraping?&lt;/h2&gt;
&lt;p&gt;Australian &lt;a href="https://legalvision.com.au/copyright/"&gt;copyright law&lt;/a&gt; safeguards ‘original creative works’, including:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;written works;&lt;/li&gt;
&lt;li&gt;visual images;&lt;/li&gt;
&lt;li&gt;music; and&lt;/li&gt;
&lt;li&gt;moving images.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;Copyright can also protect documents such as government reports and legal forms. When determining whether copyright
protects a creative work, the work does not need to be intricate or of high quality. It only needs to demonstrate
originality and not be copied from another source.&lt;/p&gt;
&lt;h2&gt;Is Data an ‘Original Work’?&lt;/h2&gt;
&lt;p&gt;Data is usually fact-based and primarily consists of statistics or numbers. As a result, copyright usually does not
protect data.&lt;/p&gt;
&lt;p&gt;Examples of such data include:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;the consumer price index for a particular quarter;&lt;/li&gt;
&lt;li&gt;monthly house price increases in a city;&lt;/li&gt;
&lt;li&gt;the number of students in a class; or&lt;/li&gt;
&lt;li&gt;the count of films released in a year.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;Generally, the law does not consider this an &lt;a href="https://legalvision.com.au/protect-your-idea/"&gt;original work&lt;/a&gt; because it
merely represents real-world information.&lt;/p&gt;
&lt;h2&gt;What Data is an ‘Original Work’?&lt;/h2&gt;
&lt;p&gt;However, data can be an original work in some circumstances. For example, if you organise data in a unique manner
that reflects someone's creativity, the law might consider that data an ‘original work’.&lt;/p&gt;
&lt;p&gt;Examples of organised data that copyright protects include;&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;accounting forms;&lt;/li&gt;
&lt;li&gt;sequences of numbers or letters for a bingo game; or&lt;/li&gt;
&lt;li&gt;a car parts catalogue.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;Consequently, screen scraping data from a website is unlikely to infringe copyright unless it involves protected,
creatively organised data. Infringing someone’s copyright means using their copyright-protected material without their
permission.&lt;/p&gt;
&lt;h2&gt;Are There Exceptions to Copyright Law?&lt;/h2&gt;
&lt;p&gt;In the rare event that your screen scraping infringes copyright, your use could fall under an exception to copyright
infringement. Australian copyright law refers to these exceptions as 'fair dealing.'&lt;/p&gt;
&lt;p&gt;The four ‘fair dealing’ exceptions include using copyright-protected materials for:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;research or study;&lt;/li&gt;
&lt;li&gt;review or critique;&lt;/li&gt;
&lt;li&gt;parody or satire; and&lt;/li&gt;
&lt;li&gt;reporting the news.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;For instance, a journalist scraping original data sets to report potential price-gouging among airlines could
potentially rely on the exception for reporting the news. However, if you are scraping data for business purposes, the
fair dealing exceptions may not apply.&lt;/p&gt;
&lt;h2&gt;What if a Website Explicitly Bans Screen Scraping?&lt;/h2&gt;
&lt;p&gt;Even if screen scraping is not always illegal under Australian copyright law, website owners can use their terms of
use to prohibit data scraping. These terms of use often appear as website pop-ups. The pop-ups typically state that by
continuing to use the website, you accept the terms of use.&lt;/p&gt;
&lt;p&gt;These terms can explicitly forbid:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;data scraping;&lt;/li&gt;
&lt;li&gt;copying;&lt;/li&gt;
&lt;li&gt;hacking; or&lt;/li&gt;
&lt;li&gt;any form of data extraction.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;Violating these terms would result in you breaching the website’s
&lt;a href="https://legalvision.com.au/what-is-a-websites-terms-of-use-document/"&gt;terms of use&lt;/a&gt;. As a result, the website owner
may take legal action against you. If the data on the website qualifies as original work, copyright infringement claims
may also arise.&lt;/p&gt;
&lt;p&gt;Therefore, it is advisable not to screen scrape from websites with explicit terms of use against that activity. If you
do engage in screen scraping, ensure you only extract factual information.&lt;/p&gt;
&lt;h2&gt;Key Takeaways&lt;/h2&gt;
&lt;p&gt;Screen scraping is generally lawful if you extract strictly factual information from other websites. However, if a
website's terms of use prohibit screen scraping, even for factual data, it is advisable to avoid data scraping.
Otherwise, you could face potential breach of contract and copyright infringement claims.&lt;/p&gt;
&lt;p&gt;For assistance with your legal obligations, LegalVision’s experienced &lt;a href="https://legalvision.com.au/it-lawyer/"&gt;IT lawyers&lt;/a&gt;
can assist as part of their membership. For a low monthly fee, you will have unlimited access to lawyers who can
answer your questions and draft and review your documents. Call LegalVision today on 1800 296 912 or visit their
&lt;a href="https://legalvision.com.au/membership/"&gt;membership page&lt;/a&gt;.&lt;/p&gt;</content><category term="Interest"></category><category term="Browser Fingerprinting"></category><category term="Residential Proxies"></category></entry><entry><title>Interaction to Next Paint (INP)</title><link href="https://www.peakhour.io/blog/interaction-to-next-paint/" rel="alternate"></link><published>2023-09-11T13:00:00+10:00</published><updated>2023-09-11T13:00:00+10:00</updated><author><name>Dan</name></author><id>tag:www.peakhour.io,2023-09-11:/blog/interaction-to-next-paint/</id><summary type="html">&lt;p&gt;Google is introducing a new Core Web Vital to replace First Input Delay, read on to learn all about it.&lt;/p&gt;</summary><content type="html">&lt;p&gt;Google has announced that &lt;a href="https://web.dev/inp/"&gt;Interaction to Next Paint (INP)&lt;/a&gt; will replace First Input Delay (FID) as a
&lt;a href="/blog/web-vitals/"&gt;Core Web Vital&lt;/a&gt;
as of March 2024. Introduced as a metric in 2022, INP covers gaps in FID by measuring more of what happens after a user
interacts with a page.&lt;/p&gt;
&lt;p&gt;To help site owners prepare for its introduction as a Core Web Vital, INP is already included in the
&lt;a href="/blog/what-is-the-chrome-ux-report-crux/"&gt;Chrome User Experience Report (CrUX)&lt;/a&gt;.
By analysing the CrUX data, website owners can see their current INP performance and make targeted optimisations ahead
of the March 2024 change.&lt;/p&gt;
&lt;h2&gt;A better metric than First Input Delay&lt;/h2&gt;
&lt;p&gt;First Input Delay, as its name suggests, only measures the delay between an input, such as a keypress or mouse click, and
the point where the browser begins to handle that event. It does not include the time spent processing the input. It only
measures how long the browser was blocked before it could start handling it.&lt;/p&gt;
&lt;p&gt;That leaves two issues: it only considers the FIRST event, and it does not measure how long it takes for the user to see
the result of their input.&lt;/p&gt;
&lt;p&gt;INP is designed to cover both issues. It measures the latency of ALL 'interactions' through to the visual response for
that interaction. As explained by Google, an interaction like a tap on a touch screen device can consist of several input
events.&lt;/p&gt;
&lt;p&gt;&lt;em&gt;"An interaction's latency consists of the single longest duration of a group of event handlers that drives the
interaction, from the time the user begins the interaction to the moment the next frame is presented with visual feedback."&lt;/em&gt;&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;After measuring all interactions, the final INP score is the longest interaction observed, ignoring any outliers.&lt;/strong&gt;&lt;/p&gt;
&lt;h2&gt;What Constitutes a Good Score&lt;/h2&gt;
&lt;p&gt;INP is measured in milliseconds (ms), with lower scores indicating better performance:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;Good: &amp;lt; 200 ms&lt;/li&gt;
&lt;li&gt;Needs Improvement: 200-500 ms&lt;/li&gt;
&lt;li&gt;Poor: &amp;gt; 500 ms&lt;/li&gt;
&lt;/ul&gt;
&lt;div class="text-center"&gt;
    &lt;img src="/static/images/blog/inp.jpg" alt="Interaction To Next Paint" style="max-width: 700px"/&gt;
&lt;/div&gt;

&lt;h2&gt;How to ensure you have a good INP score&lt;/h2&gt;
&lt;h3&gt;Minimise Main-Thread Work&lt;/h3&gt;
&lt;p&gt;Long-running JavaScript can block the main thread and increase INP times. Break these tasks into smaller parts and run
them asynchronously to reduce delays.&lt;/p&gt;
&lt;h3&gt;Efficiently Use Browser APIs&lt;/h3&gt;
&lt;p&gt;APIs that trigger layout recalculations can be expensive. Use them sparingly and look for alternatives that put less
pressure on the browser.&lt;/p&gt;
&lt;h3&gt;Defer Non-Essential CSS and Scripts&lt;/h3&gt;
&lt;p&gt;Postpone the loading of non-critical CSS and JavaScript. Use techniques like asynchronous loading to improve INP scores.&lt;/p&gt;
&lt;h3&gt;Monitor Third-Party Scripts&lt;/h3&gt;
&lt;p&gt;Heavy third-party scripts can degrade INP performance. Use asynchronous or deferred loading for these scripts to limit
their impact.&lt;/p&gt;
&lt;h2&gt;Conclusion&lt;/h2&gt;
&lt;p&gt;Google estimates that 90% of a user's time on a page is after it has finished loading. FID focused on first impressions,
with the assumption that a fast start meant the page would stay responsive. Interaction to Next Paint addresses that gap
and gives a more accurate view of user experience. If you want to know your current INP score, you can use our free
&lt;a href="/pages/website-competitor-speed-test/"&gt;website speed comparison tool&lt;/a&gt; to view it alongside your other Web Vitals, and see
how your website compares to your competitors.&lt;/p&gt;</content><category term="Learning"></category><category term="Core Web Vitals"></category><category term="Web Performance"></category><category term="Analytics"></category><category term="Caching"></category><category term="Browser Fingerprinting"></category><category term="Features"></category></entry><entry><title>Down But Not Out - JXL Will Return on Safari</title><link href="https://www.peakhour.io/blog/jpeg-xl-down-but-not-out/" rel="alternate"></link><published>2023-06-04T00:00:00+10:00</published><updated>2023-06-04T00:00:00+10:00</updated><author><name>AC</name></author><id>tag:www.peakhour.io,2023-06-04:/blog/jpeg-xl-down-but-not-out/</id><summary type="html">&lt;p&gt;What Apple's announcement of JPEG-XL support means for the web ecosystem.&lt;/p&gt;</summary><content type="html">&lt;p&gt;Just as we were &lt;a href="/blog/the-death-of-jxl/"&gt;coming to terms&lt;/a&gt; with the controversial decision by Google to drop support for JPEG-XL (JXL) in Chrome,
Apple announced support for JXL during the WWDC June 5th livestream. That is a meaningful shift. JXL was down, but not
out.&lt;/p&gt;
&lt;p&gt;Google's decision to stop JXL support in Chrome surprised us at Peakhour, along with plenty of others who care about
web performance and image delivery. Google Chrome, as the most used browser globally, often sets the course for web
standards. In deciding to drop JXL, Google appeared to be exercising its dominance over those standards, and the decision
drew real debate in the web community.&lt;/p&gt;
&lt;p&gt;Apple's announcement changes the picture. Apple has long pushed high dynamic colour and high-resolution features, and
Safari support is a useful signal for image delivery. By bringing JXL support to Safari, Apple is giving this promising
image format a fair go.&lt;/p&gt;
&lt;p&gt;This move also hints at wider JXL support across the entire Apple ecosystem, which includes iPad, iPhone, Mac, and Apple
TV. While there are still some limitations - embedded colour profiles and animations are not yet supported in the
current MacOS Sonoma beta - we hope these gaps are fixed soon.&lt;/p&gt;
&lt;p&gt;At Peakhour, this is good news. We look forward to welcoming Apple users to our websites, where they will be able to see
the quality benefits of JXL images as soon as their operating systems support it.&lt;/p&gt;
&lt;p&gt;This turn of events gives JXL a much-needed boost. It does not undo Google's Chrome decision, but it keeps the format in
play and makes the future of web image formats less settled than it looked a short while ago.&lt;/p&gt;</content><category term="Interest"></category><category term="Core Web Vitals"></category><category term="Browser Fingerprinting"></category><category term="CDN"></category></entry><entry><title>Chrome's TLS Extension Randomisation Experiment</title><link href="https://www.peakhour.io/blog/tls-extension-randomisation/" rel="alternate"></link><published>2023-02-02T13:00:00+11:00</published><updated>2023-02-02T13:00:00+11:00</updated><author><name>AC</name></author><id>tag:www.peakhour.io,2023-02-02:/blog/tls-extension-randomisation/</id><summary type="html">&lt;p&gt;Does TLS extension randomisation assist in hiding Chrome?&lt;/p&gt;</summary><content type="html">&lt;p&gt;&lt;a href="/blog/tls-fingerprinting/"&gt;Transport Layer Security (TLS) fingerprinting&lt;/a&gt; is a commonly used
technique for identifying client processes. To reduce the
risk of server and middlebox fingerprinting of Chrome's current
ClientHello and to make the TLS ecosystem more resilient to changes,
Google Chrome ran an experiment to randomise a portion of
the TLS fingerprint. This experiment was included in Chrome version 108,
which was released on December 8, 2022. You can read the status of the
current experiment on the &lt;a href="https://chromestatus.com/feature/5124606246518784"&gt;chrome status site&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;The aim of this experiment was to make it more difficult for server
implementers to fingerprint Chrome and assume specific implementation
behaviour from a fixed extension order. By randomly ordering
extensions (subject to the pre_shared_key constraint in the RFC),
Chrome hoped to reduce the risk of server and middlebox fixating on
details of its current ClientHello.&lt;/p&gt;
&lt;p&gt;&lt;img alt="unique-tls-fingerprints-over-time" src="/static/images/blog/tls-unsorted-extensions.png"&gt;&lt;/p&gt;
&lt;p&gt;&lt;em&gt;The above graph correlates to the Chrome experiment and subsequent
release of the feature. The number of unique TLS signatures dramatically
increased.&lt;/em&gt;&lt;/p&gt;
&lt;p&gt;From Peakhour data, we can see a large number of unique
fingerprints appearing since the date of the experiment, making it
very difficult to identify the Chrome network stack by a TLS
fingerprint alone. However, &lt;a href="https://hnull.org/2022/12/01/sorting-out-randomized-tls-fingerprints/"&gt;an analysis&lt;/a&gt; by
David McGrew,
a Cisco Fellow, cast doubt on the effectiveness of this experiment. In his
article, McGrew proposed a lexicographical sorting of TLS extensions and
found that 98.8% of signatures were unique after sorting. He argues that
the canonical ordering of the TLS extensions in the TLS fingerprint can
achieve nearly the same level of entropy as randomising them and still
be effective at client identification. Furthermore, he claims that the
RFC should be amended to state that extensions SHOULD be sent in an
ordered fashion in the ClientHello packet. McGrew also highlights the
potential dangers of allowing unordered extension lists, as it could
create a \"subliminal channel\" that could be used for tracking or
transmitting information. Let's now graph, over the same period, the number
of TLS signatures with TLS extension sorting.&lt;/p&gt;
&lt;p&gt;&lt;img alt="unique-tls-fingerprints-sorted-extensions-over-time" src="/static/images/blog/tls-sorted-extensions.png"&gt;&lt;/p&gt;
&lt;p&gt;&lt;em&gt;The above graph correlates to David's assertion that sorting TLS
extensions has minimal impact on TLS fingerprinting.&lt;/em&gt;&lt;/p&gt;
&lt;p&gt;It appears that David's assertion is correct: sorting TLS extensions has
minimal impact on the number of unique TLS fingerprints. Let's now look
at in-the-wild Chrome 109 data:&lt;/p&gt;
&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;&lt;strong&gt;Hashed sorted TLS Fingerprint&lt;/strong&gt;&lt;/th&gt;
&lt;th&gt;&lt;strong&gt;Unique unsorted TLS fingerprints&lt;/strong&gt;&lt;/th&gt;
&lt;th&gt;&lt;strong&gt;Browser&lt;/strong&gt;&lt;/th&gt;
&lt;th&gt;&lt;strong&gt;Version&lt;/strong&gt;&lt;/th&gt;
&lt;th&gt;&lt;strong&gt;% of clients&lt;/strong&gt;&lt;/th&gt;
&lt;th&gt;&lt;strong&gt;% of hits&lt;/strong&gt;&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;3241796329&lt;/td&gt;
&lt;td&gt;2&lt;/td&gt;
&lt;td&gt;Chrome Mobile WebView&lt;/td&gt;
&lt;td&gt;109&lt;/td&gt;
&lt;td&gt;6.14&lt;/td&gt;
&lt;td&gt;1.01&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;3313291307&lt;/td&gt;
&lt;td&gt;8566&lt;/td&gt;
&lt;td&gt;Chrome&lt;/td&gt;
&lt;td&gt;109&lt;/td&gt;
&lt;td&gt;1.83&lt;/td&gt;
&lt;td&gt;1.54&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;1537819294&lt;/td&gt;
&lt;td&gt;26587&lt;/td&gt;
&lt;td&gt;Chrome Mobile&lt;/td&gt;
&lt;td&gt;109&lt;/td&gt;
&lt;td&gt;6.05&lt;/td&gt;
&lt;td&gt;4.64&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;3944870384&lt;/td&gt;
&lt;td&gt;1&lt;/td&gt;
&lt;td&gt;Chrome Mobile iOS&lt;/td&gt;
&lt;td&gt;109&lt;/td&gt;
&lt;td&gt;4.31&lt;/td&gt;
&lt;td&gt;5.35&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;3241796329&lt;/td&gt;
&lt;td&gt;51594&lt;/td&gt;
&lt;td&gt;Chrome Mobile&lt;/td&gt;
&lt;td&gt;109&lt;/td&gt;
&lt;td&gt;16.9&lt;/td&gt;
&lt;td&gt;14.43&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;1537819294&lt;/td&gt;
&lt;td&gt;121346&lt;/td&gt;
&lt;td&gt;Chrome&lt;/td&gt;
&lt;td&gt;109&lt;/td&gt;
&lt;td&gt;15.66&lt;/td&gt;
&lt;td&gt;20.7&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;3241796329&lt;/td&gt;
&lt;td&gt;156405&lt;/td&gt;
&lt;td&gt;Chrome&lt;/td&gt;
&lt;td&gt;109&lt;/td&gt;
&lt;td&gt;35.52&lt;/td&gt;
&lt;td&gt;37.79&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;
&lt;p&gt;&lt;em&gt;It's interesting that the experiment does not run on WebView.&lt;/em&gt;&lt;/p&gt;
&lt;h2&gt;Final Thoughts&lt;/h2&gt;
&lt;p&gt;While Chrome's experiment may have reduced the risk of
server and middlebox fingerprinting of Chrome's current ClientHello, it
seems that randomising TLS extensions alone is not enough to
prevent TLS fingerprinting, and may be a useful indicator that
it is The Real Chrome.&lt;/p&gt;
&lt;p&gt;This experiment became one of the reasons newer formats normalise extension order. Our &lt;a href="/blog/one-clienthello-ja3-ja4-mercury-lab/"&gt;JA3, JA4 and Mercury lab&lt;/a&gt; shows exactly where each format keeps, sorts or discards ClientHello detail. The accompanying &lt;a href="/blog/two-lineages-tls-fingerprinting/"&gt;history of the two TLS fingerprinting lineages&lt;/a&gt; explains why Cisco Mercury and JA4 made related but different design choices.&lt;/p&gt;
&lt;p&gt;The remaining research question is whether discarded order ever helps distinguish an imitator or evasive client. &lt;a href="/blog/tls-fingerprint-canonicalisation-attacker-variation/"&gt;Does TLS fingerprint canonicalisation hide useful attacker variation?&lt;/a&gt; defines the labelled corpus and holdout study needed to answer it without confusing uniqueness with detection accuracy.&lt;/p&gt;</content><category term="Security"></category><category term="TLS Fingerprinting"></category><category term="TLS"></category><category term="Browser Fingerprinting"></category><category term="Fingerprinting"></category><category term="API Security"></category></entry><entry><title>TLS Fingerprinting</title><link href="https://www.peakhour.io/blog/tls-fingerprinting/" rel="alternate"></link><published>2023-02-02T13:00:00+11:00</published><updated>2023-02-02T13:00:00+11:00</updated><author><name>AC</name></author><id>tag:www.peakhour.io,2023-02-02:/blog/tls-fingerprinting/</id><summary type="html">&lt;p&gt;What is fingerprinting, and in particular TLS fingerprinting?&lt;/p&gt;</summary><content type="html">&lt;h2&gt;What is Fingerprinting?&lt;/h2&gt;
&lt;p&gt;Fingerprinting is a technique that may be used to identify the specific device, web browser,
and operating system making a request, regardless of what the client says in its user-agent header.
By helping organisations identify and characterise the attributes of a client's connection,
fingerprinting can improve network security and help protect against malicious traffic.&lt;/p&gt;
&lt;p&gt;Fingerprinting can also refer to techniques for following or uniquely identifying individual users across the web.
That is a separate set of techniques and is not discussed in this article.&lt;/p&gt;
&lt;p&gt;&lt;a href="/learning/fingerprinting/what-is-tls-fingerprinting/"&gt;Transport Layer Security (TLS) Fingerprinting&lt;/a&gt; determines the specific characteristics of a client's TLS
implementation by examining the initial TLS handshake packet, known as the "Client Hello." This packet
contains fields and parameters such as supported cipher suites, extensions, and the client's preferred order of
those parameters, which can be used to create a unique "fingerprint" of the client's TLS implementation.&lt;/p&gt;
&lt;h2&gt;Why is it used?&lt;/h2&gt;
&lt;p&gt;Fingerprinting has several uses, including &lt;a href="/products/bot-management/"&gt;bot protection&lt;/a&gt;, DDoS protection, and client
identification. By identifying and characterising the attributes of a client's connection,
fingerprinting can improve network security and help protect against malicious traffic.&lt;/p&gt;
&lt;h2&gt;How does TLS Fingerprinting work?&lt;/h2&gt;
&lt;p&gt;TLS Fingerprinting examines the initial TLS handshake packet, known as the "Client Hello".
The Client Hello packet is sent by the client during the initial phase of the TLS handshake, which establishes a secure
connection between the client and the server. It contains information about the client's preferred encryption methods,
extensions, and parameters, including:&lt;/p&gt;
&lt;ol&gt;
&lt;li&gt;Protocol Version: The version of the TLS protocol desired by the client.&lt;/li&gt;
&lt;li&gt;Random: A 32-byte random value generated by the client, used in key generation and derivation.&lt;/li&gt;
&lt;li&gt;Session ID: An optional session identifier for resuming a previous session.&lt;/li&gt;
&lt;li&gt;Cipher Suites: A list of supported encryption algorithms, ordered by preference.&lt;/li&gt;
&lt;li&gt;Compression Methods: A list of supported compression algorithms, ordered by preference.&lt;/li&gt;
&lt;li&gt;Extensions: Optional extensions that can negotiate additional parameters, such as Server Name Indication (SNI) and
   Elliptic Curve Supported (ECS).&lt;/li&gt;
&lt;/ol&gt;
&lt;p&gt;The Client Hello packet is central to the operation and security of the TLS connection because it provides information
the server uses to select encryption algorithms and parameters. The packet also enables the client and server to
negotiate an appropriate encryption method for their communication. The Client Hello's variable
content, based on the TLS version, library, cipher suites, extensions, and settings supported by the client, makes it
a strong candidate for fingerprinting.&lt;/p&gt;
&lt;p&gt;Common components used to create a TLS fingerprint include:&lt;/p&gt;
&lt;ol&gt;
&lt;li&gt;Cipher Suites: The order of cipher suites supported by the client.&lt;/li&gt;
&lt;li&gt;Extensions: Supported extensions included in the Client Hello packet, such as SNI and ECS.&lt;/li&gt;
&lt;li&gt;TLS Point Formats: Encoding of cryptographic parameters in a format that can be transmitted as part of the TLS
   protocol, used in elliptic curve cryptography (ECC).&lt;/li&gt;
&lt;li&gt;TLS Curves: The specific elliptic curves used in ECC, a type of public-key cryptography used in the TLS protocol.&lt;/li&gt;
&lt;/ol&gt;
&lt;p&gt;TLS fingerprinting has been a topic of research for several years, with a number of tools and techniques developed
from that work. Notable examples include &lt;a href="/learning/fingerprinting/what-is-ja3-fingerprinting/"&gt;JA3&lt;/a&gt;, developed by John Althouse, Jeff Atkinson, and Josh Atkins of Salesforce,
which uses a hash of the client's SSL/TLS parameters as a unique identifier for tracking and analysing
SSL/TLS traffic. Another tool, Mercury by David McGrew and Blake Anderson, can be used to fingerprint client connections
and identify the device, operating system, and application making the connection.&lt;/p&gt;
&lt;p&gt;TLS fingerprinting has a variety of uses, including bot protection, DDoS protection, malware identification and
client identification. By enabling organisations to identify and characterise the attributes of a client's TLS
implementation, TLS fingerprinting can improve network security and help protect against malicious traffic.&lt;/p&gt;
&lt;p&gt;In production, TLS fingerprints are most useful when combined with &lt;a href="/products/ip-intelligence/"&gt;IP intelligence&lt;/a&gt; and &lt;a href="/products/residential-proxy-detection/"&gt;residential proxy detection&lt;/a&gt;, rather than treated as a standalone verdict.&lt;/p&gt;
&lt;h2&gt;Representation of a TLS Fingerprint&lt;/h2&gt;
&lt;p&gt;A TLS fingerprint is commonly represented as a string or hash that summarises the important components of the Client
Hello packet. The most common components used to create a TLS fingerprint include the supported cipher suites,
extensions, and TLS point formats. The cipher suites are represented as a list of hexadecimal values in the order
they are presented by the client, while extensions and point formats are represented as a list of hexadecimal values
or a unique identifier.&lt;/p&gt;
&lt;p&gt;Raw JA3 signatures are represented by the following fields, which are then hashed with MD5:&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre&gt;&lt;span&gt;&lt;/span&gt;&lt;code&gt;SSLVersion, Cipher, SSLExtension, EllipticCurve, EllipticCurvePointFormat
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;

&lt;p&gt;An example raw signature is:&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre&gt;&lt;span&gt;&lt;/span&gt;&lt;code&gt; 771,4865-4867-4866-49195-49199-52393-52392-49196-49200-49162-49161-49171-49172-156-157-47-53,0-23-65281-10-11-35-16-5-34-51-43-13-45-28-21,29-23-24-25-256-257,0
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;

&lt;p&gt;An MD5 hash is then applied, resulting in the final signature.&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre&gt;&lt;span&gt;&lt;/span&gt;&lt;code&gt;&lt;span class="mf"&gt;579&lt;/span&gt;&lt;span class="n"&gt;ccef312d18482fc42e2b822ca2430&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;

&lt;p&gt;Mercury signatures are represented by:&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre&gt;&lt;span&gt;&lt;/span&gt;&lt;code&gt;&amp;quot;tls/1&amp;quot; (TLS_Version) (TLS_Ciphersuite) [ Extension* ]
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;

&lt;p&gt;An example signature is:&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre&gt;&lt;span&gt;&lt;/span&gt;&lt;code&gt;tls/1/
(0303)
(130213031301c02cc030009fcca9cca8ccaac02bc02f009ec024c028006bc023c0270067c00ac0140039c009c0130033009d009c003d003c0035002f00ff)
[
   (0000)
   (000a000c000a001d0017001e00190018)
   (000b000403000102)
   (000d0030002e040305030603080708080809080a080b080408050806040105010601030302030301020103020202040205020602)
   (0016)
   (0017)
   (0023)
   (002b0009080304030303020301)
   (002d00020101)
   (0033)
]
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;

&lt;h2&gt;Hash Functions for Representing TLS Fingerprints&lt;/h2&gt;
&lt;p&gt;Hashing algorithms, such as MD5, are commonly used to create a unique representation of a TLS fingerprint.
These hash functions take the client's TLS parameters as input and produce a fixed-length output, which serves as
a unique identifier for the client. The hash value can be compared against a database of known TLS fingerprints to
help determine the identity of the client.&lt;/p&gt;
&lt;p&gt;Other techniques for representing TLS fingerprints include base64 encoding of the client's TLS parameters, such as in the
Mercury fingerprint.&lt;/p&gt;
&lt;h2&gt;Challenges with TLS fingerprinting&lt;/h2&gt;
&lt;p&gt;TLS fingerprinting is not a foolproof method for identifying clients and their attributes. It has several limitations
that need to be considered.&lt;/p&gt;
&lt;ol&gt;
&lt;li&gt;False Positives: TLS fingerprinting relies on the assumption that the client's Client Hello packet uniquely
   identifies a connecting process by its TLS implementation. However, it is possible for a client to alter the Client
   Hello packet by customising TLS parameters, which affects the Client Hello packet and can result in a false
   positive
   identification. This makes it important to use multiple methods for identifying clients. For example, Mercury takes
   into account destination ports to add additional context.&lt;/li&gt;
&lt;li&gt;False Negatives: While TLS fingerprinting can identify many different clients and their attributes, it is not capable
   of identifying all clients. Some clients may have a unique or unusual TLS implementation that cannot be accurately
   fingerprinted. Additionally, some clients may actively attempt to evade fingerprinting by customising
   TLS parameters or using tools to anonymise their connections.&lt;/li&gt;
&lt;li&gt;Forging of TLS Fingerprints: It is possible for attackers to deliberately forge or modify the information contained
   in their Client Hello packet to appear as a different client. This makes it difficult for fingerprinting tools to
   accurately identify the true identity of a client and can be used for malicious purposes, such as evading security
   measures or disguising the origin of an attack.&lt;/li&gt;
&lt;li&gt;Incomplete Data: TLS fingerprinting is limited by the information contained in the Client Hello packet, which may not
   contain all of the necessary data to accurately identify a client. For example, a client may not send a full list of
   supported cipher suites or extensions, may use a modified version of the TLS protocol that is not recognised by
   the fingerprinting tool, or the fingerprint may not be present in available databases.&lt;/li&gt;
&lt;/ol&gt;
&lt;p&gt;Different fingerprinting implementations can result in different hashes for the same TLS connection, even though the
underlying SSL/TLS protocol remains unchanged. This happens due to the various algorithms, parameters, and
representations used by different fingerprinting tools.&lt;/p&gt;
&lt;p&gt;For instance, implementation differences when generating the TLS fingerprint may cause hashes found in public databases
to be inconsistent with a locally generated hash.&lt;/p&gt;
&lt;h2&gt;Final Thoughts&lt;/h2&gt;
&lt;p&gt;Be aware of the limitations and differences between fingerprinting implementations, and choose the right tool and
representation for your specific use case. Standardising the representation of fingerprints and using common hash
algorithms can help avoid confusion and improve interoperability between databases.&lt;/p&gt;</content><category term="Security"></category><category term="TLS Fingerprinting"></category><category term="Browser Fingerprinting"></category><category term="Fingerprinting"></category><category term="TLS"></category><category term="HTTP"></category><category term="DDoS"></category></entry><entry><title>What is the Chrome UX Report (CrUX), and why should you care?</title><link href="https://www.peakhour.io/blog/what-is-the-chrome-ux-report-crux/" rel="alternate"></link><published>2021-02-26T13:00:00+11:00</published><updated>2026-07-06T13:00:00+10:00</updated><author><name>Dan</name></author><id>tag:www.peakhour.io,2021-02-26:/blog/what-is-the-chrome-ux-report-crux/</id><summary type="html">&lt;p&gt;Learn what the Chrome UX Report is, how CrUX field data feeds Core Web Vitals reporting, and how to use it alongside lab tools.&lt;/p&gt;</summary><content type="html">&lt;p&gt;A faster website is better for clients: they buy more, and they engage more with your content.
However &lt;strong&gt;there's someone else that rewards fast websites: Google.
Fast websites rank higher in organic search results than slower websites. They will also achieve higher quality scores in Google Ads,
resulting in lower ad spend.&lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;We've previously written about &lt;a href="/blog/web-vitals/"&gt;Google's Web Vitals&lt;/a&gt;. The practical question is where the real-world data comes from. It is not gathered by Googlebot. Google uses field data from the Chrome User Experience Report, usually shortened to CrUX, to show how eligible Chrome users actually experienced a page or origin.&lt;/p&gt;
&lt;p&gt;That matters because a fast lab score is not the same thing as a fast customer experience. &lt;a href="/blog/testing-website-speed-webpagetest/"&gt;WebPageTest&lt;/a&gt; and Lighthouse help diagnose a controlled test run. CrUX shows the field data behind PageSpeed Insights, Search Console's Core Web Vitals report, and Peakhour's &lt;a href="/pages/website-competitor-speed-test/"&gt;website speed comparison tool&lt;/a&gt;.&lt;/p&gt;
&lt;h2&gt;Introducing the Chrome UX Report (CRuX)&lt;/h2&gt;
&lt;p&gt;The CrUX report is a public data set of real-user measurements (RUM) of &lt;a href="/blog/testing-sitespeed-lighthouse/"&gt;website performance&lt;/a&gt; across millions of sites. The report has been around since 2017 and is updated regularly, but the value is still often missed: it shows what real users experienced, not what a synthetic test predicted.&lt;/p&gt;
&lt;p&gt;The data is collected from real Chrome browser users who have opted in to send browsing information back to Google.
This opt-in requires that the user has:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;Opted in to syncing browser history&lt;/li&gt;
&lt;li&gt;Not set up a sync passphrase&lt;/li&gt;
&lt;li&gt;Usage statistic reporting enabled&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;Despite these conditions, millions of Chrome users still report statistics back to Google. A given website still needs
to be fairly busy before there are useful statistics in the report.&lt;/p&gt;
&lt;h3&gt;Gathered Metrics&lt;/h3&gt;
&lt;p&gt;The current Core Web Vitals are:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;Largest Contentful Paint (LCP)&lt;/strong&gt;: how quickly the main content appears.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Interaction to Next Paint (INP)&lt;/strong&gt;: how responsive the page is to real user interactions.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Cumulative Layout Shift (CLS)&lt;/strong&gt;: how visually stable the page is while it loads.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;CrUX also exposes supporting performance metrics and dimensions that help explain those headline scores. Older metrics such as First Input Delay (FID) still appear in older reports and tools, but INP is now the responsiveness metric to watch.&lt;/p&gt;
&lt;h3&gt;Dimensions&lt;/h3&gt;
&lt;p&gt;Because performance can vary widely, the metrics are divided into the following dimensions to help segment and understand the user experience.&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;Country&lt;/strong&gt;&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Device Type&lt;/strong&gt;: Tablet, Phone, Desktop&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Connection Speed&lt;/strong&gt;: slow 2g, 2g, 3g, 4g, or offline&lt;/li&gt;
&lt;/ul&gt;
&lt;h2&gt;Viewing data in the report&lt;/h2&gt;
&lt;p&gt;There are several ways to see how &lt;a href="/learning/performance/how-to-pass-core-web-vitals/"&gt;your website&lt;/a&gt; performs in the report. These include:&lt;/p&gt;
&lt;h4&gt;Pagespeed insights&lt;/h4&gt;
&lt;p&gt;Google's website analysis tool provides summary CRuX data for the analysed URL and, if data is available, for the entire site.&lt;/p&gt;
&lt;p&gt;&lt;img src="/static/images/blog/page-speed-insights-field-data.jpg" alt="&lt;a href="/solutions/use-case/improve-web-vitals/"&gt;Page Speed&lt;/a&gt; Insights Field Data" style="max-width: 100%;margin-bottom: 20px"/&gt;&lt;/p&gt;
&lt;h4&gt;Google BigQuery&lt;/h4&gt;
&lt;p&gt;The most flexible option is to access it directly via &lt;a href="https://console.cloud.google.com/bigquery?project=chrome-ux-report"&gt;BigQuery&lt;/a&gt;.
You query it with SQL (database query language).&lt;/p&gt;
&lt;p&gt;The downside is that you need to understand SQL and have a Google account.&lt;/p&gt;
&lt;h4&gt;Google's Search Console (formerly Webmaster Tools)&lt;/h4&gt;
&lt;p&gt;The search console now has a section 'Core Web Vitals' that shows whether URLs pass the Core Web Vitals,
as well as a historical graph of performance for both mobile and desktop.&lt;/p&gt;
&lt;p&gt;&lt;img src="/static/images/blog/search-console.jpg" alt="Google Search Console Web Vitals" style="max-width: 100%;margin-bottom: 20px"/&gt;&lt;/p&gt;
&lt;h4&gt;Looker Studio&lt;/h4&gt;
&lt;p&gt;Looker Studio, formerly Google Data Studio, can be used to build dashboards on top of CrUX data and other sources. It lets you visualise the performance of your website, or a competitor's website, over time.&lt;/p&gt;
&lt;p&gt;&lt;img src="/static/images/blog/data-studio.jpg" alt="Google data studio" style="max-width: 100%;margin-bottom: 20px"/&gt;&lt;/p&gt;
&lt;h4&gt;Third party tools&lt;/h4&gt;
&lt;p&gt;Like our own &lt;a href="/pages/website-competitor-speed-test/"&gt;website speed comparison tool&lt;/a&gt;. It uses the
&lt;a href="https://developers.google.com/web/tools/chrome-user-experience-report/api/reference"&gt;Chrome UX API&lt;/a&gt; to retrieve the
information.&lt;/p&gt;
&lt;h2&gt;CrUX vs lab tools vs RUM&lt;/h2&gt;
&lt;p&gt;CrUX is field data. It is useful because it reflects real Chrome users, but it only reports where there is enough eligible traffic. It can also be slower to reveal the cause of a problem because it is aggregated.&lt;/p&gt;
&lt;p&gt;Lab tools such as &lt;a href="/blog/testing-website-speed-webpagetest/"&gt;WebPageTest&lt;/a&gt; are better for diagnosis. They show waterfalls, redirects, blocked resources, caching issues, image weight, and third-party requests. Your own real user monitoring can go further again, because it can include business context that CrUX does not know: customer type, template, campaign, cache state, bot pressure, origin load, and release timing.&lt;/p&gt;
&lt;h2&gt;Conclusion - Why you should care&lt;/h2&gt;
&lt;p&gt;The data in the Chrome UX Report is one of the clearest public views of how Google sees the performance of your website. It is also a free source of real-world user measurements that helps you understand how visitors experience your pages.&lt;/p&gt;
&lt;p&gt;Use CrUX to see whether your site is passing Core Web Vitals, use lab tools to find the technical cause, and use traffic visibility to understand whether bots, crawlers, bursts, cache misses, or expensive requests are putting the experience under pressure. If the first question is "how do we compare?", start with the &lt;a href="/pages/website-competitor-speed-test/"&gt;website speed comparison tool&lt;/a&gt;. If the question is "what is slowing us down?", start with &lt;a href="/solutions/use-case/traffic-control/"&gt;Traffic Management&lt;/a&gt;.&lt;/p&gt;</content><category term="Learning"></category><category term="Web Performance"></category><category term="SEO"></category><category term="Core Web Vitals"></category><category term="Analytics"></category><category term="Browser Fingerprinting"></category><category term="Magento"></category></entry><entry><title>Test Your Website Performance With Google Lighthouse</title><link href="https://www.peakhour.io/blog/testing-sitespeed-lighthouse/" rel="alternate"></link><published>2020-09-14T13:00:00+10:00</published><updated>2020-09-14T13:00:00+10:00</updated><author><name>Dan</name></author><id>tag:www.peakhour.io,2020-09-14:/blog/testing-sitespeed-lighthouse/</id><summary type="html">&lt;p&gt;This installment on website performance introduces Google Lighthouse as a measuring tool. Read on to see how we use it here at Peakhour.&lt;/p&gt;</summary><content type="html">&lt;p&gt;Today we're introducing our other favourite tool for testing website performance: Google Lighthouse &lt;em&gt;(from here we'll just
call it Lighthouse)&lt;/em&gt;. Lighthouse measures page experience across accessibility, performance, SEO, and
Progressive Web Apps for desktop and mobile devices.&lt;/p&gt;
&lt;p&gt;Lighthouse is the engine behind web.dev/measure and PageSpeed Insights. It is also available in Chrome DevTools,
via npm, or as a browser extension in Chrome and Firefox. At time of writing Lighthouse is up to version 6, which introduced
&lt;a href="/blog/web-vitals/"&gt;Web Vitals&lt;/a&gt; as the basis for &lt;a href="https://googlechrome.github.io/lighthouse/scorecalc/"&gt;scoring&lt;/a&gt;.
If you are unsure which version of the tool you are using, then scroll right to the bottom of the report it generates
where it will state the version.&lt;/p&gt;
&lt;p&gt;Lighthouse generates its report by simulating a specific device and network speed, rather than running at the full speed
of your computer. That matters because speed issues are more noticeable on slower devices, and users are not all on newer
devices or fast internet connections. You should test for a good load experience across that range.
The current simulated mobile device is a Moto G4 on a ~1.5 megabit connection. For reference, it would take over 5s to
download 1mb of data at this speed. If your page weight is typical, ie over 2.5mb, you should not expect a strong score.&lt;/p&gt;
&lt;h2&gt;How to use Google Lighthouse&lt;/h2&gt;
&lt;p&gt;There are two ways you can run a Google Lighthouse report:&lt;/p&gt;
&lt;ol&gt;
&lt;li&gt;In your local browser;&lt;/li&gt;
&lt;li&gt;Online via web.dev/measure or PageSpeed Insights.&lt;/li&gt;
&lt;/ol&gt;
&lt;p&gt;We recommend running Google Lighthouse in your local browser because the online versions operate out of the US. If your website
and customers are elsewhere, that extra network latency can pull the score down.&lt;/p&gt;
&lt;p&gt;Here we'll focus on running Lighthouse from within Chrome DevTools.
To do this, click on the three vertical dots in the top right-hand corner, then select 'More Tools', then 'Developer Tools'.&lt;/p&gt;
&lt;p&gt;&lt;img src="/static/images/blog/dev-tools.jpg" alt="open dev tools" style="max-width: 100%"/&gt;&lt;/p&gt;
&lt;p&gt;The developer tools will then be displayed. Along the top of the tools window are a number of tabs. Select the 'Lighthouse'
tab.&lt;/p&gt;
&lt;p&gt;&lt;img src="/static/images/blog/dev-tools-2.jpg" alt="open lighthouse tab" style="max-width: 100%"/&gt;&lt;/p&gt;
&lt;p&gt;Since we're only interested in performance, make sure only the Performance category is ticked. You also want to make sure
'Clear storage' is ticked &lt;em&gt;(in the top left)&lt;/em&gt; to simulate a first load of your site. Finally, choose the device you want
to report on, mobile or desktop, and click 'Generate report'.&lt;/p&gt;
&lt;p&gt;While the report is being generated, avoid doing anything else on your computer, and don't leave it busy with background
tasks. Otherwise, the score can be affected.&lt;/p&gt;
&lt;h2&gt;Understanding the Score&lt;/h2&gt;
&lt;p&gt;Once the report has finished you'll see a performance summary, like this mobile one we ran on Peakhour.io while we
were developing the website:&lt;/p&gt;
&lt;p&gt;&lt;img src="/static/images/blog/lighthouse-score-summary.jpg" alt="open lighthouse tab" style="max-width: 100%"//&gt;&lt;/p&gt;
&lt;p&gt;Scoring in version 6 is based on Google's &lt;a href="/blog/web-vitals/"&gt;web vitals&lt;/a&gt;, which are metrics that indicate a good user
experience, and Webpagetest's speed index, which measures visual loading performance.
Each metric is colour coded as good, ok, or bad. If the measurement is good you get a green
circle to the left, if it's ok you get an orange square, if it is bad you get a red triangle.&lt;/p&gt;
&lt;p&gt;Each raw metric &lt;em&gt;(the number listed in the report)&lt;/em&gt; is compared to real website performance data sourced from the
&lt;a href="https://httparchive.org/"&gt;HTTP archive&lt;/a&gt; and converted into a score out of 100. This is done by grading the reference data
on a curve, so if your website performs in the top 8% of websites, it gets a score of 90. Similarly, if it scores in the top 25%, it
gets a score of 50. If you are interested in the technical details, Google has in-depth explanations of the scoring at
&lt;a href="https://web.dev/performance-scoring/"&gt;web.dev&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;Each metric is assigned a weight, and the scores are tallied into one overall number based on the weighting. Here is a
breakdown of the test we just ran &lt;em&gt;(in the screen shot above)&lt;/em&gt;, obtained by clicking on the 'See Calculator' link between
the Metrics section and the screen shots:&lt;/p&gt;
&lt;p&gt;&lt;img src="/static/images/blog/lighthouse-calculator.jpg" alt="open lighthouse tab" style="max-width: 100%"//&gt;&lt;/p&gt;
&lt;h3&gt;Score Variability&lt;/h3&gt;
&lt;p&gt;79 is a good result for a mobile device. However, we ran it several times and obtained scores between 60 on the low end
and 85 on the high end. Scores can fluctuate widely, even when testing on the same device repeatedly. Reasons for this
include:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;Small differences in internet performance.&lt;/li&gt;
&lt;li&gt;Your computer CPU load when performing the test.&lt;/li&gt;
&lt;li&gt;Web server variability.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;Again, Google has &lt;a href="https://github.com/GoogleChrome/lighthouse/blob/master/docs/variability.md"&gt;in-depth documentation&lt;/a&gt; around what
might be causing this.&lt;/p&gt;
&lt;h2&gt;Opportunities&lt;/h2&gt;
&lt;p&gt;If your site loads slowly then Lighthouse will list addressable reasons in the opportunities section of the report.&lt;/p&gt;
&lt;p&gt;&lt;img src="/static/images/blog/lighthouse-opportunities.jpg" alt="Lighthouse Opportunities" style="max-width: 100%"/&gt;&lt;/p&gt;
&lt;p&gt;This is the part we generally find most useful. It identifies items that slow the initial load and items that
affect the rendering of a website once it is downloaded. A page can be downloaded very quickly, but the end user still sees a slow site
because CSS and Javascript are blocking rendering. This is a common problem in Wordpress and Magento themes.
These themes include large amounts of third party code that ultimately never gets used for a particular site, but which
the browser still has to download and parse before it can display anything.&lt;/p&gt;
&lt;p&gt;In this case, the main bottleneck appears to be a font loaded from Google Fonts. This is delaying the rendering of our
page by 1.3s.&lt;/p&gt;
&lt;h2&gt;Diagnostics&lt;/h2&gt;
&lt;p&gt;The diagnostics section provides additional information you can use to improve load times.&lt;/p&gt;
&lt;p&gt;&lt;img src="/static/images/blog/lighthouse-diagnostics.jpg" alt="Lighthouse Diagnostics" style="max-width: 100%"/&gt;&lt;/p&gt;
&lt;p&gt;Here we have a few small problems, mainly associated with the development status of our site.&lt;/p&gt;
&lt;h2&gt;web.dev and PageSpeed Insights&lt;/h2&gt;
&lt;p&gt;If you do choose to run your report online, we recommend using &lt;a href="https://developers.google.com/speed/pagespeed/insights/"&gt;PageSpeed Insights&lt;/a&gt;.&lt;/p&gt;
&lt;p&gt;In addition to the generated report, PageSpeed Insights also shows you &lt;strong&gt;Field Data&lt;/strong&gt; for the page you are testing,
and an &lt;strong&gt;Origin Summary&lt;/strong&gt; for all pages on the website.&lt;/p&gt;
&lt;p&gt;&lt;img src="/static/images/blog/page-speed-insights-field-data.jpg" alt="Page Speed Insights Field Data" style="max-width: 100%"/&gt;&lt;/p&gt;
&lt;p&gt;This is real-world data gathered from Chrome users who have
opted in to allowing Google to gather their data. If your site isn't very busy then Google might not have any data to
share. It is not truly representative, but it is useful information and can often tell a very different story
to your Lighthouse score.&lt;/p&gt;
&lt;h2&gt;Summary&lt;/h2&gt;
&lt;p&gt;Regular measurement matters because performance issues are often specific and easy to miss. Lighthouse is useful for
identifying issues that affect website performance, and when used in conjunction with
&lt;a href="/blog/testing-website-speed-webpagetest/"&gt;Webpagetest.org&lt;/a&gt;, you'll be in a better position to provide a good experience
for your users. Next we'll cover &lt;a href="/blog/common-issues-that-impact-site-speed/"&gt;common issues that can impact site speed&lt;/a&gt;,
so read on.&lt;/p&gt;</content><category term="Performance"></category><category term="Web Performance"></category><category term="Analytics"></category><category term="Core Web Vitals"></category><category term="Caching"></category><category term="Rate Limiting"></category><category term="Browser Fingerprinting"></category></entry></feed>