Slashdot Mirror
Wildcard DNS, Session Management And Prior Art
Alowishus asks: "A company called sevenval has an interesting, but obvious, use of Wildcard A-Records in the DNS to encode Web session management IDs in the hostname of the site. Interesting, because if you are using relative URLs on your site, you do not need to do anything (i.e. setting a cookie or appending GET parameters) after the initial redirect to maintain a user session. See www.fahrschulportal.de for an example. Sevenval is applying for a patent on this technique, and Kristian Kohntopp, the author of a PHP session management library, is looking for prior art. He would like to find uses of hostnames that encode state or session information. Has anyone seen this before? It's an exceptionally useful technique, and I'd hate to see its use restricted by another improper software patent.
"
two things that haven't been mentioned so far:
the whole Location Poisoning scheme is a mighty tracking system. since your ID stays the same among various sites, they can cooperate and pool the data you entered. your address here, your buying habbits there, a questionaire over there and the words you entered in that search engine - doubleclick was nothing, they only get the sites you visit, not what you enter there.
7val claims that they'll require customers to sign a contract that they won't do that. which to me has the base purpose of removing *7val* from responsibility. this SCREAMS abuse. I bet it will be used for profiling as described above.
now since (2nd thing not mentioned) 7val is in germany and applying for european patent, the EUROPEAN patent law applies, NOT the US which has been quoted here. in european patent law, patents can be refused if they are overtly abusive. for example, you couldn't patent something if it's only use is illegal. since Location Poisoning begs to be abused, and the "advantage" of following visitors even when they leave your site is one of its strong marketing points, I do believe a point can be made for the patent to be abusive in nature.
Assorted stuff I do sometimes: Lemuria.org
This is a demonstration of having a dynamic subdomain to be the input of a program on the web. What this also demonstrates is that you really can send weird stuff on the url even in a subdomain name. (Note: There's no cgi-param-passing-here or path-info.)
It's a demonstration of technology this broad: dynamic subdomain being the input of a program. Well, that's exactly what 7val is doing. So what if the program does something specific - it's still a web program that "tracks sessions" instead of a web program that "does math". Web programs that "track sessions" are nothing new. The only new part is the dynamic subdomain, for which there is prior art.
The author of the domain math software was aware of other potential uses for this ground breaking technology, clear from his description in italics above, and only used the calculator example to demonstrate that it could be the input to any program. Ergo prior art.
QED!
The real Paul Vallee is slashdot userid 2192, and, what do you mean it's not cool to point out your low userid?
I think you need to work on your deductive reasoning skills. An image that lampoons frivolous patents does not by extension lampoon all patents as frivolous.
I've finally had it: until slashdot gets article moderation, I am not coming back.
Damn, I've been meaning to se about hacking the code to give me this kinda functionality for a while :(
On the sites I host, I usually have a template that I use with a assload of variations incase someone types crap in wrong, I want them to still get into the machine.
Example:
www.*.com ww.*.com w.*.com wwww.*.com
It gets to be a pain. I watch my DNS servers error records to see what people put in and if its a new variation that I haven't seen, I usually update my records with the new one. Having a wildcarded DNS would have made this a lot easier.
Now if I could only apply this feature to my personal server SoniKmatter.com so if they spelled it soniCmatter.com it would send them over to me without having to register another damn domain.
clif marsiglo
Brilliant point. Forgot about this.
What these i... are claiming is to "revolutionize web commerce". What are they talking about? What commerce without sertificates and encryption? Relying on HTTP-Referrer which is supplied by the browser so any kid can fake it maybe?
If this gets enough publicity they are not getting any money. Which is good (TM).
Baker's Law: Misery no longer loves company. Nowadays it insists on it
http://www.sigsegv.cx/
Good points, good article. I'm not sure I agree with all of the points it raises, though.
The author states that "Location Poisoning disables proxy servers, DNS caching and other mechanisms that reduce the amount of net traffic." This is true, but the situation isn't as dire as you might think at first blush. Without having any numbers to back up my claim, I'm going to assert that in the average web transaction (from DNS lookup to the last request fulfillment on a single page), transmission of images takes up the vast majority of the bandwidth used. If the page author serves images from a central location (<img src="http://images.etcetra.org/blah.gif">) they'll still be cached normally by web proxies. So, it's bad, but it can be mitigated somewhat by clever design.
On the other hand, I detest what this does to bookmarks. Bleah.
In the end, I don't see this technology as having much value, even if you strip out all the negatives. Even if you don't have to screw around with passing cookies or GET args as session identifiers, you still need to change state in your database for any reasonably useful application (read: shopping cart). If you can set something like that up, then there's no reason you couldn't have set up some other, less objectionable form of session management.
If anyone has info on this tech that doesn't require me to brush up on my long forgotten knowledge of German I'd love to see it. Hell, I'd like to see any info that WAS in German. Sevenval's news page appears to only contain the word news repeated several times with some plus signs thrown in for variety.
--Shoeboy
How about we all make sites that use this technology? And set our copyright dates to last year as well. Then we can prove that this is prior art (but faking prior may be illegal though, not too sure about that)
x /Computers_and_Internet
Actually maybe I can change GPLTrans to use this...something like http://helloworld.english2spanish.translator.cx/
or maybe http://www.yahoo.com.english2spanish.translator.c
(note those URL's do not work in reality)
US businesses that currently accept chip and PIN/signature
Actually, its worse than that, it searches for the first instance of really heh. OOPS. maybe i should fix it.
First one to send me php code to split into a string array wins... well... hrm. nothing.
Regardless of my stance on patent issues, this goes contrary to what the internet is about.
IF this kind of attitude was used in previous years, we would be nowhere right now. The Internet would not have happened.
Nobody patented the use of putting stateful information in the path portion of a URL, why should they be able to do it in the host portion?
NO PATENTS! PATENTS should be for REAL RESEARCH, that costs REAL DOLLARS.
One could argue that this is no different than a web server differentiating between virtual websites based on the hostname. The 'state' that is stored in the hostname is the one that determines which site is being visited, (as opposed to a simple IP lookup). This is not something patentable, and should not be patented.
I'm not quite sure how broadly or narrow you need to interpret the word "state". I know that contorting the URI to do wierd things is not unusual. In a PhD a long time ago I used a combination of techniques to effectively pass commands encoded within the URI to an interactive state engine embedded within a simple web server (experiments in doing simulation on demand on a multiprocessor). The use of altering the DNS has a couple of tradeoffs though, it involves a layer outside the HTTP server-server level but it is faster as one step in the parsing is removed. Thus some portability is sacrificed for performance which in the overall scheme of things I'm not sure is superior because a lot of the lower level network will get hardwired (eventually) into network boxes which is permanent infrastructure whereas you want to have flexibility in modifying the interactions. Sorta the difference between ripping out a wall and repainting the wallpaper.
The internet pace does have a disadvantage in that it is impossible to weed out *bad* or useless ideas out of the volume generated every day. How many inventions actually become a commercial success? Building a better mousetrap does not always equate to getting rid of more mice.
LL
DNA is a Turing machine. You, however, being dynamic and emergent, are not.
I understand it's all in the name of humor (and the icon is indeed very funny), but I also think that the icon unconsciously biases any posters or readers to think of any patent to be trivial, or frivolous.
Patent laws need to be fixed, but that doesn't mean all patents are bad. If I had a patent on some groundbreaking device, I would hate to get the attention of Slashdot, who would pigeonhole my creation with an icon of patenting knifes and forks.
akamai does something simmilar with thier image caching ... check out yahoo's front page and the images on it.
I still have the source code for the little DNS server I wrote that received and decoded that traffic back into its consitituent components. I'll sign an affidavit if need be.
BTW, as a hacker, I've already found several ways of breaking this scheme after a few moments of trying. (Heck, one of the flaws I already solved in my implementation mentioned above; stupid of them). Therefore, you can attack the patent. Their implementation is still rough, so simply find flaws in it and patent the solutions ($500). When they fix their implementation, sue 'em.
I came up with that as a solution to our load balancing issues over a year ago, unfortunately our network architecture didn't really support the concept.
:/
However on this basis I note that it must be "obvious", certainly it never occured to me that others might not have thought of it. Unfortunately this isn't enough I guess, and I never implemented anything to test the idea, so..no prior art from me. Sorry
You can't win a fight.
How do you know it's not obvious, Andrew Cady?
RYan
If I understand your request, then you might want to check www.href.com.
They make a server side web development toolkit for Delphi developers, that uses state management, wild card ids, no cookies, and supports server clustering (among their own app servers). They have been doing this since Delphi 2 as far as I can tell. They are not the only either, but I can't remember the names of the other companies doing this.
I think it used mod_rewrite, but I could be mistaken.
Eric
Want to work at Transmeta? Hedgefund.net? Priceline?
Can your IM do this?
Indeed, I'm not too concerned about this being patented since the URL http://bgfv3wz0.software-patents-are-bad.com/ has no obvious advantage over http://www.software-patents-are-bad.com/bgfv3wz0/.
A few weeks ago I was on a talker (toth.org.uk) discussing ways of storing client information, and someone suggested "storing a session ID at the start of the URL", meaning the second URL above. We, of course, joked that he had meant at the start of the domain name and that could be done using DNS wildcards but - ho! ho! ho! - what a damned stupid idea that would be.
Not exactly prior art since it wasn't that long ago and in any case toth doesn't log, but still that makes it obvious in my book. Same problem as ever though: what's "obvious" to a bunch of web developers who read RFCs is not generally "obvious" to bunch of patent clerks who read the National Enquirer.
--
This comment was brought to you by And Clover.
I think that the above examples of using the hostname to encode search strings, or parameters to a function, should be good enough for prior art, this really is a good idea. It's not (only) about customer tracking as in shopping carts. From the web page:
...bietet eine absolut neue Möglichkeit des Customer-Trackings, die unkompliziert auf einem Webserver zu installieren ist und für den Benutzer kein Sicherheitsrisiko darstellt, wie z.B. ein Cookie. Jedem Besucher einer Website wird bei der Anfrage der Webseite ein eigener (virtueller) Webserver zugeteilt: www.ID-Nummer.Domain.de und gleichzeitig ein Hostname vergeben.
"...offers an absolutely new possibility in customer tracking, that is simple to install on the webserver, and poses no security risk to the user, like, e.g. a cookie. Every visitor will be assigned their own personal hostname upon visiting the page."
I don't see this as a being for the purpose of knowing who you are dealing with when you are actually serving the pages (allthough no doubt it could be used for that), but rather that you can make this change to your webserver, and then you have a very simple method of looking at what individual users did from your log files. For example, how many pages does the average user visit? It would require a lot of overhead in cookies and stuff while the user is doing the reading to be able to tell that. Add sevenval's software, and you just have to change the places where the user enters, then you can more easily analyse your log files.
I didn't read the whole page because my german sucks, so maybe this is just a side point, but it seems like it would be a cool ability to have.
--Kevin
Try: dig @138.195.138.195 goret.org. axfr | grep '^c..\..*A' | sort | cut -b5-36 | perl -e 'while(){print pack("H32",$_)}' | gzip -d That's the neatest hack I have seen in a long time! (I won't explain it as half the fun is figuring it out!)
-- SIGFPE
This is such a bad tecnology that only the really clueless will buy it. Anyone tried editing the "server name" string? No problem. Oops I'm suddenly a different customer in 7val's eyes.
Session tracking is not evil by itself. Abused tracking is, of course, but this is such a clumsy method that it is not likely to spread.
All opinions are my own - until criticized
The distinction I would draw is whether the 3 things stuck together are doing something new or not: the ball in the mouse is just a ball, but it's doing a very un-ball-like thing (ok, sometimes I drag'em across the desk, but... ha ha) So, is an answering machine patentable? maybe a little piece having to do with answering the phone with a switch, maybe some of the "algorithms" (mechanical or otherwise) for juggling the tape... but I would pretty much think that once tape recording is invented, it's obvious that it can tape phone calls.
I realize I'm talking about a fuzzy standard, but I'm just moving the fuzzy line that will always exist. Here's how I think of obviousness: I don't think the idea "phone answering machine" is patentable on it's own (and I think the patent office agrees). So, if you as an engineer are given the task "build phone answering machine" and you think "tape recorder" and anyone would think "tape recorder", well that's obvious. If I tell you "the UI has too many clicks to buy a book" and you show me how you'd do one click using cookies, it's hard to imagine that how you did it would be anything but obvious. The idea is not patentable.
This wildcard DNS seems more clever than one-click ordering, but really only because it's weirder. The feature was sitting there, and the multihosting webservers are just sitting there. Here's one for you: let's patent one-click ordering using wildcard DNS! You see, all the technologies exist but we'd be combining them in a novel way, using no cookies! We could even use it for an affiliate bookstore program!
There's some similarity between engineers piecing together parts to build things and lawyers building their cases. They don't allow patents on novel legal defenses. Unfortunately, they seem to hold sway over the rest of us and they are as a rule stupider than engineers and they don't give us the same protection for our toolboxes that they give themselves. Oh, IANAL.
But this DNS trick, like Amazon and cookies and confirms, doesn't invent anything. The feature of the DNS they are using was invented by someone else. Cookies were invented by someone else. Am I rambling here? I'm just trying to explore the space. A few years ago, I heard about a patent that was something like "using a hard disk to store digitized telephone messages". I hear that and think, "give a patent to the hard disk guy, to the A/D guy, and to the telephone guy. But using technologies in combination to do what they were invented to do is not patentable, even if it's clever."
Isn't that exactly what the Fox project's IP-over-DNS thing does? (As referenced in the Firewall Piercing Mini-HOWTO, 27 November 1998.)
--Dave
1st of all, who are you to be assuming who we are, getting upset about these issues.
2nd of all, I developed a system for user management (not session, but very similar) based on wildcard DNS aliases (A Records). In my system, a user comes to the site via username.mysite.com and then logs in to his/her personal section. This is prior art! As soon as I get my client's permission, I'll post more info on the SIMPLE, OBVIOUS process I used. Furthermore, this is not hindsight, I devised the system on my own, with no external help.
Oh shit! I forgot to click "Post Anonymously"...
The Sevenval system is useful, because
- it makes pages fairly uncacheable in a central proxy while at the same time retaining local cacheability of the pages, thus keeping the back button alive
- you do not have to propagate the session id manually, but only have to use relative links in your pages. This will even would on static pages.
- you can easily log by host and get customer tracking with current tools
Sevenval implements this with a wildcard A-record in the DNS system, which has been around for quite some time, and an initial 302 redirect to a unique hostname. That hostname is long (a 128 bit value) and randomly generated, making it unguessable. Changing the hostname will simply restart your session, as with any other session tracking systems.
© Copyright 1999 Kristian Köhntopp
According to the DNS record for sevenval.com, how exactly are the dynamic A records held? I'm fairly sure there is an implementation of DDNS in the latest version of BIND (ala Windows dynamic WINS updates in DNS), but how is this stored?
I don't see anything even remotely dynamic below, but their hostname is extremely dynamic when viewing their webpage. I would assume its the * record, but what sort of application generates the hostname?
2000011802 ; serial
8H ; refresh
2H ; retry
1W ; expiry
1D ) ; minimum
1D IN NS ns.buy-world.de.
1D IN NS ns.r-tec.net.
1D IN MX 1 wilson.office.sevenval.de.
1D IN A 195.122.187.3
* 1D IN HINFO "IBM-PC" "UNIX"
1D IN A 195.122.187.3
cvsserver 1D IN A 62.96.224.212
1D IN HINFO "IBM-PC" "UNIX"
*.cologne 1D IN A 62.96.224.211
1D IN HINFO "IBM-PC" "UNIX"
wilson.office 1D IN A 62.96.224.210
1D IN HINFO "IBM-PC" "UNIX"
tim.office 1D IN A 62.96.224.222
1D IN HINFO "IBM-PC" "UNIX"
EraseMe
There's a web site http://www.lemuria.org/Software/unpoison that calls this technique "URL Poisoning" and mentions that this could be considered a Bad Thing, because using this technique, people cannot easily "opt out" from being profiled, as you can by, say, disabling cookies in your browser.
Refer to the above link for an explanation of URL Poisoning, and for a pointer to a Squid redirector plugin that can be used to disable URL poisoning.
I personally don't have any opinion on this; I can see how it can be used, as well as how it could be abused. [shrug]
--
"May I have ten thousand marbles, please?"
-----------
"You can't shake the Devil's hand and say you're only kidding."
Hostname information encoding has been done here as well. ;)
This site works with all text I have tried, separated by periods. I don't know how long it's been up, but it has been there for quite a while.
Geeky modern art T-shirts
--
News for Geeks in Austin, TX
Freshmeat already has a program registered called 'depoison' that will remove this session management information. I'm sure it was for a different web site, so perhaps THAT is prior art in itself?
Slashdot? Oh, I just read it for the articles.
My mistake. It's actually called unpoison and is written by Tom Vogt.
... (which in all liklihood is the same deal as sevenval.de now I've woken up enough to remember how to spell my numbers)
Freshmeat Application Page reads as follows:
unpoison.pl is a simple Squid redirector plugin that disables (and returns the favor of) a new customer-tracking scheme developed by 7val.com that the author has labeled "Location Poisoning". The Web page explains how Location Poisoning works and why the author considers it a Bad Thing(tm).
The App home page gives more information, including the patent request by 7val.com
Slashdot? Oh, I just read it for the articles.
AOL has been encoding session info into the DNS names given to its users' ip addresses for years.
-- Colin Steele
Why is this technique so useful compared to session-id tracking? I don't believe that it really is, or why such a fuss should be kicked up about it :
...)
:) Do correct my bullshit if it is that, please.
If I understand it correctly, it simply replaces the session ID normally stored in as a cookie/get-var in the hostname.
This would lead to extremely user-unfriendly domain names, and surely it would really bugger up users trying to bookmark the site (stale sessions could stay in bookmarks for a LONG time).
Also, its simply not as efficient as session IDs, which after one unfriendly GET, tend to store their results in a cookie which is transparently passed around. Surely dynamic DNS would all have to have really low TTLs and generally slow down site access if you have to do a large number of DNS lookups (which can be the slowest stage in an http access cycle?)
As I see it, the only problem with the session-id method is that it complicates serverside scripting, but with simply superb tools like PHPLIB all those details are abstracted away from the user. And also PHP4 has built in session handling to simplify things further. IIS has similar modules for ASP developers, and I'm sure others exist forother scripting languages (mod_perl? dunno
So while this might be of interest to some specific applications, I can't see it revolutionising the whole ecommerce industry with its cunning "new" user tracking system.
But then again, I might be talking bull
It IS obvious. One of my projects is a web search engine and I have given dns-based session control quite a bit of thought. As a spider designer, it gives me the heebie-jeebies.
No one uses dns encoding because it poisons dns caches. Remember, dns lookups that aren't cached on a nearby server require sending a request/response from at least two other machines. Here's what a session might look like.
////////////////////
First query the local server. Very fast since the connection is probably ethernet.
me -> dns.ryans.dhs.org
Now my local dns goes off and searches for the ip address.
Local dns queries the root servers.
dns.ryans.dhs.org -> b.root-servers.net
dns.ryans.dhs.org ns1-auth.sprintlink.net
dns.ryans.dhs.org - ns1-auth.sprintlink.net
Local dns sends me the answer
me - dns.ryans.dhs.org
Start tcp session
////////////
As you can see, the name lookup needed one short-haul and two long-haul roundtrips. If it was cached only one short-haul conversation would have been needed.
Ryan
http://x42.com/urlcalc/ looks a lot like prior art to me.
SSL site certificates are bound to a very specific host name, so this session tracking soution would work only for non-secure sites.
This has been one of the features I've been trying to hype for our new Web server cluster. I love wildcard A records. There not only useful for non-cookie sessions (I *hate* cookies.) but I have been playing with them to support being able to "log out" an HTTP authenticated connection. (So you'd authenticate with auth1234.foo.com and then the server could invalidate your authentication with that specific host name.)
I have public examples of my use of wildcard A records through purdue.org:
Not session tracking, but a similar idea:
http://type.something.here.real ly.fuckingsucks.net/
(and sorry for the sailor talk).
Replace "type.something.here" with, say, a company name.
...j
http://$urlcalc(about).x42.com/
According to the copyright notice on the page, this has been up since 1998-06-23, and has won the "Useless site of the year award" for 1998.
Perhaps it wasn't so useless after all.
Check out this article for a counter argument to this approach.
Quoting from that page:
Why you should oppose Location Poisoning as a customerAs customer, you are paying, so that the company owning the web-pages can profile you. Not only is tracking the default, there also is no way out, no "I don't wanna be tracked" button.
With "paying" I do literally mean money and time. Location Poisoning disables proxy servers, DNS caching and other mechanisms that reduce the amount of net traffic. More traffic means waiting longer for pages to appear, and if you pay for your traffic (most small businesses do) it also means you are paying money that you shouldn't have to pay.
Location Poisoning also abuses HTTP and DNS standards. The reply to an initial request is a 302 error code, reserved for "Temporarily Moved" documents. Giving this reply is somewhat akin to a lie by the remote webserver.
Abusing standards for one-sided gains should not be endorsed. It undermines the standards and punishes those who try to respect them.
Location Poisoning also undermines the purpose of DNS and hostnames. Instead of using DNS to give human-readable names of server machines ("www.lemuria.org" instead of 195.244.121.251), it abuses the DNS to identify a client machine - i.e. you, the customer.