Curl-impersonate: Special build of curl that can impersonate the major browsers

Original Article ↗ Hacker News Discussion ↗

Project purpose and motivation

  • curl-impersonate is a curl build whose TLS and HTTP/2 handshakes mimic major browsers (Chrome, Firefox, etc.), bypassing servers that gate content on “real browser” fingerprints.
  • Several commenters note this is specifically about TLS/HTTP fingerprinting; simply setting User-Agent and headers with stock curl does not suffice.

TLS/HTTP fingerprinting and bot detection

  • Fingerprinting derives from protocol details (cipher suites, extensions, ordering, TLS library quirks), not an explicit “fingerprint” field.
  • Using NSS/BoringSSL lets curl-impersonate match browser TLS behavior closely enough to get through systems like Cloudflare’s JA3/JA4-based detection.
  • Some suggest Chrome should “send less fingerprint,” others argue that practical interoperability and differing TLS stacks make a single universal fingerprint unrealistic.

Responsibility, abuse, and costs

  • One camp blames companies that fingerprint and discriminate against non‑mainstream clients, seeing this as gatekeeping that harms openness and privacy.
  • Another emphasizes massive abuse: aggressive scrapers, LLM crawlers, and DDoS‑like traffic that can swamp small sites or commercial services, arguing that operators must use stronger detection.
  • There is disagreement over how costly scrapers really are: some claim typical blogs can’t realistically be “swamped,” others cite concrete cases of severe load and CI/free‑trial abuse.

Technical nuances and remaining fingerprint vectors

  • Discussion covers JA3/JA4, JavaScript challenges (DOM, screen size, WebGL), and behavioral fingerprinting as layered defenses.
  • IP/TCP stack fingerprinting (e.g., initial TTL, TCP options) is noted as another potential signal, though harder to use than TLS/HTTP fingerprints.
  • Some speculate about “official Chrome verification” via attestation; others argue that without hardware-backed schemes, anything Chrome does at the byte level can be replicated.

Use cases, forks, and ecosystem impact

  • Reported uses include red‑team recon, accessing Cloudflare‑guarded APIs from scripts, and making non‑browser clients viable in a fingerprint-hostile web.
  • A more active fork and Python bindings are mentioned; integration with Python requests is available.
  • Several express sadness that such tools are necessary at all, framing them as part of an arms race that makes life harder for alternative browsers, CLI tools, and non‑conforming clients.