Behavioral models need history to judge a user, so first-session and new-account verdicts are structurally weak. Traces how vendors bootstrap with population models, device signals, and progressive trust, and where each fallback breaks.
Traces why TLS added post-quantum key exchange, how ML-KEM (FIPS 203) works, how the X25519MLKEM768 hybrid construction is built, and how the 2024-2026 browser rollout grew the ClientHello past one packet.
Traces how the 1,216-byte X25519MLKEM768 key share splits the ClientHello across packets, why classic TLS libraries without it now stand out, and what matching a 2026 Chrome handshake actually requires.
A message-by-message walk of the RFC 8446 handshake: ClientHello, HelloRetryRequest, ServerHello, EncryptedExtensions, Certificate, and Finished, marking exactly which bytes a passive observer can read and which the key schedule has already locked away.
Traces how Certificate Transparency turns CA mis-issuance into a public, append-only Merkle-tree record: SCTs, the gossip and audit model, how browsers enforce it, and why the same logs hand attackers a free subdomain map.
Traces how certificate revocation works on the web: CRLs, the OCSP request/response, stapling in the TLS handshake, must-staple, the privacy leak of plain OCSP, and why Let's Encrypt shut its responders off in 2025.
Traces how Mozilla, Apple, Microsoft, and Chrome curate the root CAs that anchor every HTTPS connection, the governance machinery behind inclusion and removal, and the Symantec, TrustCor, and Entrust distrust events that show the system enforcing itself.
How mutual TLS works at the message level, the CertificateRequest, Certificate, and CertificateVerify exchange in TLS 1.3, where client certificates are deployed, and why a private key beats every behavioral signal.
Traces what a CDN really does on a request: how anycast and BGP pick a point of presence, how the edge/shield/origin cache tiers fit together, how cache keys decide what is a hit, and where TLS terminates.
Traces how the same IP prefix advertised from hundreds of locations lets BGP route every user to a nearby instance, how DNS roots and CDNs use it, how failover works, and where TCP state breaks the model.
Traces a single DNS lookup from the stub resolver in your OS through the recursive resolver, root, TLD and authoritative servers, then explains caching, TTLs, negative answers, and the record types that make it work.
Traces how DoT (RFC 7858) and DoH (RFC 8484) encrypt the stub-to-resolver hop, what privacy they actually buy, why DoH inside the browser collided with enterprise filtering and parental controls, and where the deployment debate landed by 2026.
A reference on steering traffic through DNS answers: round-robin, weighted, latency and geo-based responses, health checks, EDNS Client Subnet, and the TTL and caching limits that make DNS an approximate load balancer.
Traces what a CDN actually puts in its cache key, how unkeyed headers and parser discrepancies turn a shared cache into an exploit delivery system, and the defenses that hold up against poisoning and deception.
Traces how BGP carries reachability between autonomous systems: prefixes, AS_PATH, eBGP versus iBGP, the route-selection algorithm, and why convergence after a failure can take seconds to minutes.
Traces how the internet's routing protocol came to trust whatever it is told, the incidents that exploited that trust from 1997 to today, and the RPKI, ROV, and MANRS work trying to close the gap.
Traces two targeted BGP hijacks that stole cryptocurrency: the 2018 Amazon Route 53 attack on MyEtherWallet and the 2022 KlaySwap incident, and how a short hijack plus a fraudulent certificate intercepts HTTPS traffic.
A primary-source reference tracing how Cloudflare Workers, AWS Lambda@Edge and CloudFront Functions, and Fastly Compute isolate tenants, what their cold-start numbers actually mean, and which workloads each runtime can run.
Traces what happens when a CDN or load balancer terminates TLS at the edge: which certificate the client validates, what fingerprint the origin actually sees, how traffic is re-encrypted to origin, and who you are trusting with the cleartext.
A reference on the core load-balancing algorithms: round-robin and weighted variants, least-connections, least-response-time, power-of-two-choices, and IP/consistent hashing, with the math and production tradeoffs of each.
Traces consistent hashing from Karger's 1997 ring to virtual nodes, jump hash, Maglev tables, and the bounded-load variant that Vimeo shipped in HAProxy, with the minimal-remapping math that ties them together.
A primary-source reference for HTTP caching: how Cache-Control directives, Expires, ETag and Last-Modified revalidation, Vary, and the stale-* extensions actually behave in private and shared caches under RFC 9111.
Traces the HTTP cookie from a 1994 shopping-cart hack to the web's identity layer: how SameSite reshaped it, why the third-party-cookie phase-out collapsed in 2024-2025, and what partitioning leaves behind.
A primary-source walk through CHIPS: the Partitioned cookie attribute, the double-keyed cookie jar, the cross-site ancestor chain bit, the 10 KiB per-partition budget, and where it sits now that Privacy Sandbox is gone.