CONTINUOUS INTERNET TELEMETRY24H DRIFT1,909 material changesacross 1,731 domains · -50 vs yesterdayDNS DRIFT19 domains changed DNS providertop destination cloudflare.comEMAIL DRIFT8 domains switched email providertop destination outlook.com · +5 vs yesterdayNOW8,081 curated domains not answering+4,652 vs yesterdayERRORS8,524 responded with an errorlast probe · 5xx / 404 / TLSTHROTTLED2,335 throttled or blocked our scanner429 rate-limit / 403 bot-block24H DRIFT1,909 material changesacross 1,731 domains · -50 vs yesterdayDNS DRIFT19 domains changed DNS providertop destination cloudflare.comEMAIL DRIFT8 domains switched email providertop destination outlook.com · +5 vs yesterdayNOW8,081 curated domains not answering+4,652 vs yesterdayERRORS8,524 responded with an errorlast probe · 5xx / 404 / TLSTHROTTLED2,335 throttled or blocked our scanner429 rate-limit / 403 bot-block
Verify a DomainDrift bundle
Paste any DomainDrift signed bundle below. Every receipt is verified in your browser using the public Ed25519 keys. Nothing is sent to a server. This page works offline once loaded.
Formats: connor.signed-bundle.v1 (full) · connor.signed-bundle-compact.v2 (Merkle rollup) · Algorithm: Ed25519 · Verified locally against DomainDrift's published keys
or paste below
How verification works
  1. Each observation carries a receipt_json (a commitment: the hash of what was observed, a signature, and the public_key that produced it) and, alongside it, signed_outputs — the exact data that was hashed and signed. The receipt itself holds no data; that is why the observed bytes are archived next to it.
  2. This page calls DRM3Provenance.verifySignature(receipt) from the open-source drm3-provenance WASM SDK loaded with this page. That proves attribution (DomainDrift produced this receipt) and integrity (it has not been altered).
  3. Where signed_outputs is present, the page also canonicalizes it, computes hashValue(), and confirms it equals receipt.output_hash. That is the data-binding check: it ties the signature to the observed data itself. Observations recorded before DomainDrift began archiving the signed payload show binding n/a — their signatures are still valid; the optional check simply cannot be run on them.
  4. The page also fetches DomainDrift's published key registry at /.well-known/connor-keys.json and grades every signing key's lifecycle: current keys verify, rotated keys verify for receipts inside their validity window (marked "key since rotated"), and compromised, revoked, or unregistered keys FAIL even when the signature math passes. If the registry is unreachable the result is reported as signature-only.
  5. Want to verify with your own tools? The SDK is on npm: @drm3/sdk. Run npm i @drm3/sdk, then @drm3/sdk/receipts checks the signature and the hash and @drm3/sdk/keys grades the key registry, the same checks this page runs.