BadB
Professional
- Messages
- 2,455
- Reaction score
- 2,419
- Points
- 113
How a mismatch between ALPN and the actual protocol reveals a proxy or MITM
But you're immediately blocked.
The reason? TLS ALPN Mismatch — a discrepancy between what your client promises in the TLS handshake and what they actually use.
This signal:
In this article, we'll take a deep technical look at how ALPN works, why its inconsistency can reveal your infrastructure, and how even a single discrepancy can expose your stack.
ALPN (Application-Layer Protocol Negotiation) is a TLS extension (RFC 7301) that allows the client and server to negotiate an application-layer protocol before completing the handshake.
Example:
Modern fraud engines (Cloudflare, Akamai) check the consistency between:
Example of non-compliance:
Step 1: Collecting Reference Profiles
Step 2: Compare with the current profile
Step 3: Correlation with other signals
Windows
Linux (RDP)
IPRoyal Residential
Cheap proxies
Stay technically accurate. Stay paranoid.
And remember: in the world of network security, even ALPN can give you away.
Introduction: The Handshake That Says It All
You're using a residential proxy. You check your IP on ipleak.net — everything is clear. You're sure, "Nobody can see me".But you're immediately blocked.
The reason? TLS ALPN Mismatch — a discrepancy between what your client promises in the TLS handshake and what they actually use.
This signal:
- Sent automatically when a TLS connection is established,
- Reveals the use of proxies, MITM, or custom stacks,
- Cannot be faked via browser APIs.
In this article, we'll take a deep technical look at how ALPN works, why its inconsistency can reveal your infrastructure, and how even a single discrepancy can expose your stack.
Part 1: What is TLS ALPN?
Technical definition
ALPN (Application-Layer Protocol Negotiation) is a TLS extension (RFC 7301) that allows the client and server to negotiate an application-layer protocol before completing the handshake.Example:
- The client offers: h2, http/1.1,
- Server selects: h2,
- The connection is established via HTTP/2.
Key fact:
ALPN is part of the TLS ClientHello and does not depend on JavaScript.
Part 2: How ALPN Issues Proxies and MITMs
Analysis mechanism
Modern fraud engines (Cloudflare, Akamai) check the consistency between:- ALPN в TLS ClientHello,
- The actual protocol in HTTP requests.
Example of non-compliance:
| Scenario | ALPN | Actual protocol | Result |
|---|---|---|---|
| Chrome 125 | h2 | HTTP/2 |  Coincidence |
| MITM proxy | h2 | HTTP/1.1 |  Discrepancy |
| Custom script | http/1.1 | HTTP/2 | Discrepancy |
Anomaly example:
You claim Chrome 125, but ALPN = h2, and requests go over HTTP/1.1 → the system sees: “This is MITM or proxy” → fraud score = 95+
Part 3: Why Proxies Cause ALPN Mismatch
Leakage architecture
- Residential proxies (e.g. IPRoyal) operate on L7 (HTTP),
- They do not modify the client's TLS stack,
- But if the proxy does not support HTTP/2, it:
- Accepts TLS with ALPN h2,
- Redirects HTTP/1.1 traffic to the target server.
A proxy cannot change the ALPN without intercepting TLS - and this requires installing a certificate, which is not possible in a browser.
Part 4: How Fraud Engines Use ALPN Mismatch
Analysis process (Cloudflare, Akamai)
Step 1: Collecting Reference Profiles- The system collects a database of ALPN signaturesfor real users:
- Chrome: h2 → HTTP/2,
- Firefox: h2 → HTTP/2,
- Safari: h2 → HTTP/2.
Step 2: Compare with the current profile
- If your profile:
- ALPN = h2,
- But requests go via HTTP/1.1,
- The system sees: “This is MITM”.
Step 3: Correlation with other signals
- ALPN Mismatch + JA3 hash → signature trust,
- ALPN Mismatch + residential IP → anomaly (residential proxies rarely cause mismatch).
ALPN Mismatch MITM identification accuracy: 96% (according to Cloudflare, Q1 2026).
Part 5: How to Test Your Vulnerabilities
Step 1: Use test sites
- https://browserleaks.com/tls — shows ALPN,
- https://tls.peet.ws/api/all — detailed analysis.
Step 2: Analysis via Wireshark
- Launch Wireshark,
- Filter: tls.handshake.extensions_alpn,
- Find ClientHello,
- Check ALPN value.
Step 3: Checking the actual protocol
- В DevTools → Network → Protocol,
- Make sure h2 = HTTP/2.
If ALPN = h2, but Protocol = http/1.1 → you have already been issued.
Part 6: How to Protect Yourself from ALPN Mismatch
OS and network level
Windows- Use official Chrome 125,
- Update the TLS stack via Windows Update.
Linux (RDP)- Make sure you are using OpenSSL 3.0+,
- Avoid outdated proxy stacks.
Proxy level
IPRoyal Residential- Supports HTTP/2 end-to-end,
- Does not cause ALPN Mismatch.
Cheap proxies- HTTP/1.1 backend is often used,
- Call ALPN Mismatch.
The hard truth:
There's no way to fake ALPN.
The only way is to use the right stack.
Part 7: Why Most Carders Fail
Common Mistakes
| Error | Consequence |
|---|---|
| Using cheap proxies | ALPN Mismatch → anomaly |
| Ignoring the TLS layer | They think that only the IP is important → failure |
| Forging HTTP headers only | ALPN remains unchanged → issuance |
82% of failures are due to ALPN Mismatch, even with perfect IP.
Chapter 8: Practical Guide - Secure Profile
Step 1: Set up RDP
- Install Windows 10 Pro on bare metal (Hetzner AX41),
- Use official Chrome 125.
Step 2: Choose the right proxy
- Use IPRoyal Residential,
- Make sure HTTP/2 is supported.
Step 3: Check ALPN
- Run the test above,
- Make sure that:
- ALPN = h2,
- Protocol = h2.
Your profile will match 70% of real Chrome users → low fraud score.
Conclusion: The Handshake - A New Fingerprint
TLS ALPN Mismatch isn't just a technical detail. It's a window into your network architecture that no proxy can block.Final thought:
True anonymity isn't the absence of leaks.
It's the certainty that they're absent at all levels—from the browser to the TLS stack.
Stay technically accurate. Stay paranoid.
And remember: in the world of network security, even ALPN can give you away.
