# Finding 006: ChatGPT Manual Browsing Needs Standard Dual-Stack HTTPS And Reads HTML Without Browser Execution

## Status

Confirmed for `manual-client-chatgpt-20260625-001`.

## Summary

ChatGPT manual browsing could not reliably retrieve the public lab while it was
available only through a nonstandard port, then through IPv6-only HTTPS. After
the origin was exposed directly on standard HTTPS port 443 with both A and AAAA
records, ChatGPT reached the lab with `ChatGPT-User/1.0` over IPv4-mapped
socket addresses and completed the seven-prompt packet.

The successful run looked like an HTML retrieval pipeline rather than a full
browser: it fetched one page per prompt, read server-rendered text, did not
execute JavaScript, did not fetch image resources, did not expose raw hidden or
comment-only hrefs, and did not follow a depth-1 crawl link.

## Hypothesis

Major AI client browsing surfaces may require ordinary public web reachability:
standard ports, trusted HTTPS, and IPv4 reachability. Once reachable, the
surface may still behave as a constrained retriever rather than a browser.

## Test Setup

- Run id: `manual-client-chatgpt-20260625-001`
- Surface: `chatgpt-web`
- AI system: `ChatGPT`
- Public host: `ai-crawler-lab.kaistone.ai`
- Final public transport:
  - `A 81.227.9.151`
  - `AAAA 2001:2043:ba1a:c500:1406:93a3:31f5:1229`
  - direct HTTP on port 80
  - direct HTTPS on port 443 with Let's Encrypt certificate
- Router/NAT: public TCP `80` and `443` forwarded to lab host
  `192.168.1.58`
- Prompt packet:
  `research/manual-client-runs/manual-client-chatgpt-20260625-001.prompts.json`
- Answer packet:
  `research/manual-client-runs/manual-client-chatgpt-20260625-001.answers.json`
- Timestamp window: `2026-06-26T00:32:51Z` through `2026-06-26T00:49:02Z`

## Reachability Setup Findings

The first ChatGPT attempts failed before behavior could be measured:

- `:8787` was reachable from a normal browser, but ChatGPT reported that its
  browsing/retrieval path could not access arbitrary hosts and nonstandard
  ports.
- Plain HTTP on port 80 improved the URL shape, but ChatGPT appeared to
  normalize or prefer HTTPS.
- Direct HTTPS on port 443 initially failed because DNS still advertised a
  stale IPv6 address. Let's Encrypt secondary validation also failed while that
  stale AAAA record existed.
- After the stale AAAA was removed, HTTPS certification succeeded.
- ChatGPT still returned `502` while the host had only AAAA records. The host
  was then made dual-stack with an A record and router forwarding.
- A cache-busted p01 URL was the first successful ChatGPT answer, showing that
  stale upstream retrieval/cache state can survive after origin reachability is
  fixed.

This makes dual-stack standard HTTPS the current recommended baseline for
manual ChatGPT browsing tests.

## Raw Evidence

All matching successful prompt hits were `server_page` events with
`network.source=socket`, no forwarded IP override, and user-agent:

```text
Mozilla/5.0 AppleWebKit/537.36 (KHTML, like Gecko); compatible; ChatGPT-User/1.0; +https://openai.com/bot
```

Matching origin hits:

```text
2026-06-26T00:32:51.444Z /lab/root                       p01 no retry   ::ffff:51.107.70.206
2026-06-26T00:39:43.984Z /lab/root                       p01 retry      ::ffff:51.107.70.193
2026-06-26T00:41:56.141Z /lab/reading/visible-html       p02           ::ffff:51.107.70.193
2026-06-26T00:43:16.840Z /lab/reading/js-rendered        p03           ::ffff:51.107.70.194
2026-06-26T00:44:49.617Z /lab/reading/html-hidden-links  p04           ::ffff:51.107.70.202
2026-06-26T00:46:07.734Z /lab/reading/alt-mismatch       p05           ::ffff:51.107.70.205
2026-06-26T00:47:56.202Z /lab/directives/meta-noindex    p06           ::ffff:51.107.70.198
2026-06-26T00:49:02.928Z /lab/depth/0/branch/0           p07           ::ffff:51.107.70.206
```

The first p01 hit still produced a ChatGPT-side `502` answer. The cache-busted
p01 retry produced a successful answer and a second origin hit.

## Observed Answers

- p01 root summary: fetched one page and summarized the lab as measuring request
  metadata, subresource fetches, and privacy-minimal browser capability events.
- p02 visible HTML: read `HTML-ALPHA-17`.
- p03 JavaScript-rendered content: fetched the page but reported that
  JavaScript did not execute, so no rendered verification code was available.
- p04 hidden/comment links: saw fixture text about visible and source-only link
  signals, but did not expose actual hidden or comment-only href values.
- p05 image/alt mismatch: exposed the alt-associated code `ALT-COPPER-11` but
  did not fetch or read image pixels.
- p06 noindex directive: fetched the noindex-marked page and reported the
  directive content as `meta_noindex` / `fetchable_not_indexable`.
- p07 crawl depth: opened only the depth-0 page and did not follow a depth-1
  crawl link because the browsing interface exposed labels but not hrefs.

## Interpretation

For this run, ChatGPT manual browsing acted like a constrained HTML retriever:

- direct-origin evidence confirmed one HTML page request per prompt
- no JavaScript/client-capability event appeared
- no image/resource fetch appeared for the image mismatch fixture
- no extra hits appeared for hidden/comment links or depth-1 crawl links
- noindex did not prevent fetching when the prompt asked to inspect the page

The run also shows why reachability failures must be separated from content
behavior failures. Before dual-stack HTTPS, ChatGPT failures were mostly network
or retrieval-path failures. After dual-stack HTTPS and cache busting, the same
surface could fetch and answer.

## Limitations

- This is one manual ChatGPT surface and one time window. Other ChatGPT modes,
  accounts, regions, or future browsing infrastructure may differ.
- The OpenAI/Azure IPs did not reverse-confirm through DNS in this run, so the
  user-agent claim plus prompt-token correlation are the primary identity
  evidence.
- ChatGPT's own UI reported one `502` even though the origin saw a matching
  request. That is evidence of an upstream/client-side retrieval failure, not
  an origin 502.
- p01 used a cache-buster for the first successful answer after prior failed
  retrievals.

## Proposed Next Tests

1. Repeat the same seven-prompt packet on Claude, Gemini, and Perplexity using
   the same standard HTTPS dual-stack endpoint.
2. Add a minimal no-resource fixture to isolate whether ChatGPT's retrieval
   pipeline ever requests linked subresources when prompt wording asks for them.
3. Add an explicit visible-link-follow prompt where the href is visible in page
   text as well as in HTML, to distinguish "cannot inspect href" from "will not
   follow links".
4. Add ASN enrichment so IPv4-mapped `51.107.70.x` evidence can be grouped by
   network owner without relying on reverse DNS.