🌐Connection Fingerprint

What is a connection fingerprint and why does it matter for OSINT?

Every time your browser connects to a website, it exposes a set of technical attributes collectively known as a connection fingerprint. This includes your public IP address, the TLS version and cipher suite your client negotiates, which HTTP protocol version is used, and metadata that reveals your approximate geographic location, internet service provider, and whether you're routing through a VPN or proxy. Understanding your own fingerprint is the foundation of operational security (OPSEC) — as described in the NIST SP 800-53 security controls framework, knowing what information you expose is the first step in controlling it.

How does Connection Fingerprint detect VPN and proxy usage?

This tool uses a multi-layered detection approach across 10 independent providers. Cloudflare's /cdn-cgi/trace returns WARP/Gateway/RBI status. ip-api.com adds proxy, VPN, and datacenter IP flags. Mullvad detects its own VPN exit nodes and IP blacklist status. check.torproject.org provides definitive Tor detection. ipwhois flags anonymous proxies and known attacker IPs. howsmyssl.com analyzes your full TLS cipher suite for vulnerabilities including BEAST, while ja3er.com computes your JA3 TLS fingerprint hash — a signature that can track your client across sites. edns.ip-api.com reveals whether your DNS resolver leaks your subnet to authoritative nameservers via EDNS Client Subnet. ipinfo.io provides reverse DNS hostnames and bogon detection. http2.pro independently verifies HTTP/2 support from outside the Cloudflare network. By comparing IPs across all 17 endpoints, the tool catches transparent proxies and split-horizon DNS.

What do IATA codes in the trace response reveal about network routing?

The colo field in Cloudflare's trace response contains the IATA airport code of the Cloudflare edge data center that handled your request. This reveals your actual network routing path — which may differ significantly from your geographic location. For instance, a user in a rural area might route through a distant metro, or a VPN user might show an edge node in a completely different country. Comparing IATA codes across multiple endpoints can reveal split-horizon DNS or asymmetric routing, as documented in Cloudflare's anycast network documentation.

What does SNI encryption status mean for privacy?

Server Name Indication (SNI) is a TLS extension that transmits the requested hostname in plaintext during the TLS handshake — before encryption begins. This means network observers (ISPs, firewalls, surveillance systems) can see which domains you visit even over HTTPS. The sni field in Cloudflare's trace indicates whether your connection uses Encrypted Client Hello (ECH), which hides the SNI from observers. As the IETF TLS Encrypted Client Hello draft explains, ECH is a critical privacy improvement still in deployment. The SANS Institute recommends monitoring SNI exposure as part of network security assessments.

Connection Fingerprint

The composite set of technical attributes — IP, TLS version, cipher suite, HTTP version, geolocation, ASN — that remote servers observe when you connect. Unique enough to identify most users.

Self-Reflecting Endpoint

A web service that responds with information about the requesting client rather than serving content. Examples include Cloudflare's /cdn-cgi/trace, ipinfo.io, ip-api.com, and Mullvad's connection check. Also called "client echo" or "what is my IP" APIs.

IATA Code (colo)

Three-letter airport code identifying the Cloudflare edge data center that processed your request. Reveals your actual network routing path via anycast.

Encrypted Client Hello (ECH)

A TLS extension that encrypts the Server Name Indication field, preventing network observers from seeing which domain you're connecting to during the handshake.

Autonomous System Number (ASN)

A unique identifier assigned to networks (ISPs, cloud providers, enterprises) that exchange routing information via BGP. Reveals your ISP or hosting provider.

Reverse DNS (rDNS)

A PTR record mapping an IP address back to a hostname. Often reveals the hosting provider (e.g., ec2-... for AWS) or ISP name. Retrieved from ipinfo.io.

Bogon IP

An IP address in a private or reserved range (RFC 1918, RFC 6598). Seeing a bogon IP on the public internet typically indicates carrier-grade NAT or local testing.

JA3 Fingerprint

An MD5 hash of specific fields from the TLS Client Hello (TLS version, cipher suites, extensions, elliptic curves, EC point formats). Unique per client and used to track browsers, bots, and malware across different IPs. Created by Salesforce's threat research team.

EDNS Client Subnet (ECS)

A DNS extension (RFC 7871) where your DNS resolver forwards part of your IP address to authoritative nameservers. Improves CDN routing but leaks your approximate location to domain operators even when using a privacy-focused resolver.

Tor Exit Node

The final relay in the Tor network that connects to the destination server. Your traffic appears to originate from the exit node's IP, providing anonymity but flagging you on many threat intelligence feeds.