A Quick Look into ChatGPT’s Network Traffic

ANUBHAB SAHU
Keysight ATI
Apr 25, 2023

ChatGPT is making waves as the Internet’s favorite chatbot. Apart from being hailed as the replacement for conventional Search Engines, its text generation capabilities are surprising everyone. To demonstrate how good it is, I have asked it to write the Introduction for this blog. Take a look:

In this blog, we look at the network communication that happens in the background while people gleefully wait for ChatGPT to respond to their questions. We also investigate the hostnames it uses, its custom HTTP headers, and its API traffic.

Network Traffic Analysis

We have analyzed the ChatGPT web application traffic and found some interesting insights, which can be helpful for other researchers.

Here are the findings for the different actions:

1. Login:

We observed that when a user clicks “Login” on the ChatGPT webpage, the client sends a POST request to the server with the username (email address) and the password in URL-encoded format (x-www-form-urlencoded) in the payload.

Since the hostname for this traffic is “auth0.openai.com” and “x-auth0-requestid” appears as one of the custom headers in the response, it seems that ChatGPT uses the “Auth0” service (provided by Okta) to authenticate and authorize the user.

2. Open ChatGPT Chat Session:

After a successful login, a new ChatGPT session starts on the “chat.openai.com” host and the traffic looks like this -

The client then sends a GET request to the server's conversation API to get the list of existing conversations, with the max limit set to 20.

Then the server replies with the list in JSON format including creation date, title, and a unique id (Version 4 UUID) for each.

Next, the client also sends a GET request to the server to get the list of available AI models.

And the server replies with the list of AI models like “text-davinci-002-render” in JSON format.

3. Chat with Chatbot:

We have seen that ChatGPT uses QUIC Version 1 (RFC 9000) for the actual chatting with the chatbot.

For each chat message we send to the ChatGPT chatbot, the client first sends a POST request to the conversation API of the chat.openai.com server.

In the payload, it sends, in JSON format, the message text, the AI model that the client chose from the previous request, a unique message id, and the parent message id.

Then, the message is sent to the moderation API through a POST request to check whether the message content complies with the set of predefined rules.

The response is also sent through the moderation API for the same check.

4. Logout:

When the user clicks logout, the client first sends a GET request to the chat.openai.com server, followed by another GET to the auth0.openai.com server.
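For teams that need visibility into ChatGPT use from decrypted proxy or capture logs, the four actions above can be turned into a simple request labeller. This is an added example, not code from the original post or from Keysight; the function names, the URL paths, and the JSON field names are assumptions, and only the two hostnames, the limit of 20, and the Version 4 UUID detail come from the post.

```python
import json
import uuid
from urllib.parse import parse_qs, urlsplit

AUTH_HOST = "auth0.openai.com"  # hostnames named in the post
CHAT_HOST = "chat.openai.com"

def classify(method, url, content_type=""):
    """Map one decrypted HTTP request to the action the post describes."""
    parts = urlsplit(url)
    host, path, method = parts.hostname, parts.path.lower(), method.upper()
    if host == AUTH_HOST:
        if method == "POST" and "x-www-form-urlencoded" in content_type:
            return "login"
        return "auth-get" if method == "GET" else "auth-other"  # logout ends with a GET here
    if host != CHAT_HOST:
        return "unrelated"
    # Path keywords below are assumptions taken from the post's wording, not real routes.
    if method == "POST" and "moderation" in path:
        return "moderation-check"
    if method == "GET" and "model" in path:
        return "list-models"
    if method == "GET" and "conversation" in path:
        limit = parse_qs(parts.query).get("limit", ["?"])[0]
        return "list-conversations limit=" + limit
    if method == "POST" and "conversation" in path:
        return "chat-message"
    return "chat-other"

def is_v4(value):
    try:
        return uuid.UUID(str(value)).version == 4
    except ValueError:
        return False

def non_v4_ids(body):
    """Ids in a conversation-list body that are not v4 UUIDs (field names assumed)."""
    items = json.loads(body).get("items", [])
    return [i.get("id") for i in items if not is_v4(i.get("id"))]

# Constructed samples; paths and JSON field names are placeholders, not captured data.
SAMPLE = [
    ("POST", "https://auth0.openai.com/placeholder/login", "application/x-www-form-urlencoded"),
    ("GET", "https://chat.openai.com/placeholder/conversations?limit=20", ""),
    ("POST", "https://chat.openai.com/placeholder/moderations", "application/json"),
]
SAMPLE_BODY = '{"items": [{"id": "3f2b8c1e-9a4d-4e7b-8f21-6c5d0a1b2c3d", "title": "a"}, {"id": "not-a-uuid", "title": "b"}]}'
if __name__ == "__main__":
    print([classify(*r) for r in SAMPLE], non_v4_ids(SAMPLE_BODY))
```

Replace the placeholder path keywords with the routes seen in your own capture before relying on the labels.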

Originally published at https://www.keysight.com.
