Residential IPs are no longer a savior. In 2026, the leading anti-bot systems — Cloudflare, Akamai, AWS WAF — learned to identify automated traffic even before the server delivers the first byte of HTML. The decision on whether you are a bot or a human is made at the TLS handshake stage, based on the digital "fingerprint" of your client. If this fingerprint does not match the characteristics of a real browser, no clean residential IP will save you. Scraping has transformed from a "proxy game" into an "identity game."
What Happened: JA4+ Became the Industry Standard
Just a couple of years ago, the standard for TLS fingerprinting was JA3 — a hash that condensed the TLS version, cipher suite list, extensions, and elliptic curves from the ClientHello message into a single MD5 string. This method worked until Chrome 110 (January 2023), when Google intentionally introduced randomization of the order of TLS extensions as a measure against fingerprinting. After that, the JA3 hash began to change with every connection, even for the same browser — making it impossible to reliably identify clients by it.
The answer was JA4+ from FoxIO: before hashing, cipher suites and extensions are sorted, so Chrome's randomization no longer disrupts the fingerprint. By 2026, JA4 became the de facto standard and serves as the primary signal in bot management for Cloudflare, AWS WAF, VirusTotal, and Akamai. The three-part format (a_b_c) remains stable across browser versions: for example, Chrome 120–131 returns t13d1516h2_8daaf6152771_02713d6af862, while Chrome 133–136 returns t13d1516h2_8daaf6152771_d8a2da3f94cd.
The scale of this detection is hard to overstate. Cloudflare analyzes over 15 million unique JA4 fingerprints collected from more than 500 million user agents, and its eighth-generation ML model processes around 46 million HTTP requests per second. DataDome, according to its own data, runs over 5 trillion signals daily with a latency of less than 2 ms, maintaining over 85,000 client ML models. Akamai reports bot classification accuracy in the range of 92–98% due to cross-layer analysis.
Post-Quantum TLS: A New Trap for Scrapers
The main change in 2026, known to few, is the transition of browsers to post-quantum cryptography. This is currently exposing outdated scraping tools.
The timeline is straightforward. In April 2024, Chrome 124 by default enabled the hybrid key exchange X25519MLKEM768 (classical X25519 plus ML-KEM-768, formerly Kyber). In November 2024, Firefox 132 added support, and in October 2025, Apple followed on iOS and macOS. On January 31, 2026, Akamai made post-quantum connections the default for all clients. According to F5 Labs, already 57.4% of all browser connections carry post-quantum key shares; among Chrome traffic, 93% are PQ-compatible.
The problem for scrapers is that the post-quantum key share adds 1088 bytes to the ClientHello — the message swells from the usual ~300–500 bytes to over 1400 bytes and can no longer fit into a single TCP packet. This gives the detector three immediate clues:
- Binary Signal. A request that presents itself as Chrome 131 but lacks the post-quantum key share is a "red flag that triggers even before the first byte of HTTP traffic."
- ClientHello Fragmentation. The bloated message is split into several TCP packets, and the segmentation pattern differs from that of a real browser.
- Extended JA4. A research paper (arXiv, March 2026) demonstrated 98% accuracy in distinguishing between classical and post-quantum TLS based solely on handshake data.
A separate issue is the vulnerabilities in the uTLS library, on which many Go scrapers are built. Two CVEs (CVE-2026-26995 and CVE-2026-27017) went unnoticed for over two years and resulted in a 25–50% detection probability per connection due to a missing padding extension and GREASE/ECH mismatch. This can be resolved by updating uTLS to 1.8.2+. The moral: a rigid reliance on old fingerprints like HelloChrome_120 has turned from a useful trick into a burden literally with one browser update.
Not Just TLS: HTTP/2 and Layered Detection
The TLS handshake is just the first line of defense. Immediately following it is fingerprinting HTTP/2: each browser sends a characteristic set of SETTINGS parameters and its order of pseudo-headers. For Chrome, it is masp, for Firefox — mpas, for Safari — mspa. The order of pseudo-headers for a standard curl (mpsa) does not match any real browser — meaning curl is instantly detected.
In 2026, detection is structured into a clear chain where signals are checked for consistency with each other:
- TCP/IP fingerprinting — determining the OS even before encryption;
- TLS ClientHello (JA4) — during the handshake;
- HTTP/2 SETTINGS — the first frame after TLS;
- the order of HTTP headers in the request;
- cross-checking: all signals must "add up" to one coherent identity.
This is why matching only by JA3 today is worse than nothing: the system sees "Chrome of the wrong shape" and ranks it as a bot. As engineers put it: matching TLS fingerprint is no longer about a static hash but about the holistic identity of the client across all layers at once.
What This Means in Practice
The conclusion echoed by all serious sources in 2026 is: "an ideal TLS spoof is devalued if requests suddenly come from five different locations within two minutes." Proxies and fingerprints now work only in tandem. Let's break down what this changes.
1. The Fingerprint Must Be Real, Not "Drawn On"
For HTTP requests without JavaScript execution, key signals of importance include: correct JA4, proper HTTP/2 SETTINGS and order of pseudo-headers, correct sequence of headers, and consistency across all layers. Native Python requests, standard curl, and Go net/http cannot reproduce this. The working tools of 2026 are curl_cffi, curl-impersonate, uTLS, tls-client, which maintain the TLS fingerprint at the BoringSSL level. For browser automation, the strongest open solution is Camoufox: it replaces the fingerprint at the C++ level rather than through noticeable JS patches. But remember about CVEs — libraries need to be updated.
2. Proxies Solve What the Fingerprint Cannot
Even a flawless TLS spoof won't help if the IP address has a bad reputation and the ASN is known as a data center. The network is a separate layer of trust: geolocation consistency, ASN reputation, speed, and request distribution. This is where residential proxies come into play — traffic goes through real ISP addresses of home users, making you indistinguishable from a regular visitor based on network signals. For the most aggressive platforms (social media mobile apps, banks, anti-fraud), mobile proxies are even more resilient: IPs from cellular operators with NAT sharing provide the highest level of trust and are rarely banned in bulk.
3. The Combination Wins, Not Individual Tricks
The most effective (and honestly, the most expensive) approach in 2026 consists of four components working simultaneously: real browser automation (Chromium/Firefox), routing through residential or mobile ISP addresses, stealth plugins that remove automation telemetry, and randomization of human-like behavior. The rule is simple: "fix the handshake, keep the residential IP — and the success rate rises sharply." None of these elements alone can carry the weight in 2026 anymore.
If you are just choosing what to build your infrastructure on, it is worth starting with the basics — understanding transport protocols and how HTTP/HTTPS proxies differ from SOCKS5 for various scraping tasks. We covered this in a separate guide: HTTP, HTTPS, and SOCKS5 — which proxy to choose.
Conclusion
2026 has definitively closed the era when simply "buying residential proxies and rotating IPs" was enough for scraping. Now you are identified by the shape of the TLS handshake, by post-quantum keys, by the order of HTTP/2 headers — and all these signals are cross-referenced with each other and with the network from which you came. The winner is the one whose identity is coherent across all layers: a plausible fingerprint, updated libraries, human-like behavior, and a quality residential or mobile network beneath it. Proxies have not become unnecessary — they have become the foundation upon which everything else is built.
