Earthlink's Extra HTTP Header
Steve Gibson was apparently the first one to look into this browser serial number. I'm a little hesitant to link to that page, since its contents have changed dramatically twice in the last 24 hours. Gibson initially had a page claiming it was a privacy-invading unique ID. He then changed it to include a disclaimer in a large red box, and has now changed it again to display the information Earthlink provided about the serial number. Earthlink provided much the same information to Slashdot after our query.
The header information sent is similar to the codes below. Depending on how logging is set up on a given webserver, they may or may not be logged, but enough server logs are accessible across the net that typing ELNSB50 into any search engine will find examples. (ELNSB50, by the way, apparently stands for "Earthlink Sandbox 5.0".)
ELNSB50::0000411003200258029a0128000000000503002800000000
ELNSB50::0000411003200258029a012d000000000503002a00000000
ELNSB50::0000411003200258029a0132000000000503002800000000
ELNSB50::0000411003200258029a0132000000000503002a00000000
ELNSB50::0000411003200258029a013b000000000503002a00000000
ELNSB50::0000411003200258029a013d000000000503002a00000000
ELNSB50::0000411003200258029a0147000000000503002800000000
Even a cursory examination should show that these numbers are not behaving like globally unique IDs. Length is not the problem: each code is 48 hex digits, or 192 bits, which is more than Microsoft's 128-bit GUID or a 160-bit hash. What gives them away is that samples culled from widely scattered machines share almost every digit and differ in only a handful of positions, which is what a set of packed status fields looks like, not a random per-user identifier.
This is what Earthlink sent us about the codes:
field             bits  meaning
reserved            14  future growth
monitorDepth         8  monitor bit depth
browserFontSize      3  browser font, small to large
connectionSpeed      3  one of 4 categories
connectionType       4  modem, high speed, etc.
monitorHorz         16  horizontal area
monitorVert         16  max vertical area
browserViewHorz     16  view's horizontal area
browserViewVert     16  view's vertical area
popID               32  numerical POP ID
sandboxVersion      32  what version of the sandbox sent this?

Most items should be self-explanatory. ConnectionSpeed has four possible values: slow dialup (<56K), fast dialup (56K), slow broadband, and fast broadband. The POP ID refers to which of Earthlink's Points of Presence you are dialed up to, i.e. which bank of modems you called. The rest should be clear. If you assume the codes are a number in hexadecimal and the above are the number of bits dedicated to each piece of information, they appear to agree well: the widths sum to 160 bits, which covers the first 40 of the 48 hex digits in each sample, and the trailing eight zero digits that every sample carries are not described by the table. This table differs slightly from Steve Gibson's version. The differences appear to be minor and reconcilable. Earthlink doesn't seem to like the use of the word "Sandbox" in external publications, but it's their own term for their software and it seems quite appropriate: a closed environment which has all the toys you need and which you don't want to, or are not able to, escape from. (A screenshot of Earthlink's Sandbox is available.)
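The decoder below is an added example, not code from the article, from Earthlink, or from the Perl script posted in the comments. It uses the field names and widths of Earthlink's table, assumes the wire order matches the table order (the Perl script in the comments makes the same assumption), and reports any bits the table does not cover as undescribed rather than guessing at them. The version_bytes helper is my own assumption that sandboxVersion is four version bytes; the article does not say so. Running it over the seven samples quoted above shows which fields actually differ from machine to machine, which is the real test of whether the token can single out a user:

```python
"""Decode Earthlink ELNSB50 tokens with the field widths Earthlink gave Slashdot.

Added example, not code from the article, from Earthlink or from the Perl
script in the comments.  Field names and widths are the article's table; the
wire order is assumed to match the table order.  version_bytes() assumes the
32-bit sandboxVersion is four version bytes, which the article does not state.
"""
import re

# (name, width in bits), most significant field first.  Sums to 160.
FIELDS = [
    ("reserved", 14),
    ("monitorDepth", 8),
    ("browserFontSize", 3),
    ("connectionSpeed", 3),
    ("connectionType", 4),
    ("monitorHorz", 16),
    ("monitorVert", 16),
    ("browserViewHorz", 16),
    ("browserViewVert", 16),
    ("popID", 32),
    ("sandboxVersion", 32),
]
TABLE_BITS = sum(width for _, width in FIELDS)

# Literal prefix, two colons, then hex digits.
TOKEN_RE = re.compile(r"ELNSB50::([0-9A-Fa-f]+)")

# The seven tokens quoted in the article, with the page's line-wrapping
# whitespace removed.  Each is 48 hex digits (192 bits).
SAMPLES = [
    "ELNSB50::0000411003200258029a0128000000000503002800000000",
    "ELNSB50::0000411003200258029a012d000000000503002a00000000",
    "ELNSB50::0000411003200258029a0132000000000503002800000000",
    "ELNSB50::0000411003200258029a0132000000000503002a00000000",
    "ELNSB50::0000411003200258029a013b000000000503002a00000000",
    "ELNSB50::0000411003200258029a013d000000000503002a00000000",
    "ELNSB50::0000411003200258029a0147000000000503002800000000",
]


def decode(token):
    """Split one token into the fields of Earthlink's table.

    Any bits past the 160 the table describes (the samples carry 32 extra)
    are returned as 'undescribed' instead of being assigned a meaning.
    Raises ValueError for input that is not an ELNSB50 token.
    """
    match = TOKEN_RE.search(re.sub(r"\s+", "", token))
    if match is None:
        raise ValueError("no ELNSB50 token in %r" % token)
    digits = match.group(1)
    total_bits = 4 * len(digits)
    if total_bits < TABLE_BITS:
        raise ValueError("token has %d bits, table needs %d" % (total_bits, TABLE_BITS))
    value = int(digits, 16)
    fields = {}
    shift = total_bits
    for name, width in FIELDS:
        shift -= width
        fields[name] = (value >> shift) & ((1 << width) - 1)
    fields["undescribed"] = value & ((1 << shift) - 1)
    fields["undescribed_bits"] = shift
    return fields


def distinct_values(tokens):
    """How many different values each field takes across a set of tokens."""
    decoded = [decode(t) for t in tokens]
    return {name: len({d[name] for d in decoded}) for name, _ in FIELDS}


def fixed_fields(tokens):
    """Fields identical in every token.  These carry nothing that could
    single out one user, so a token made mostly of them is not a unique ID."""
    counts = distinct_values(tokens)
    return sorted(name for name, n in counts.items() if n == 1)


def version_bytes(value):
    """Split a 32-bit sandboxVersion into four bytes (assumed layout, see above)."""
    return tuple((value >> shift) & 0xFF for shift in (24, 16, 8, 0))


if __name__ == "__main__":
    for token in SAMPLES:
        f = decode(token)
        print("%dx%d screen, %dx%d view, depth %d, popID %d, version %s" % (
            f["monitorHorz"], f["monitorVert"], f["browserViewHorz"],
            f["browserViewVert"], f["monitorDepth"], f["popID"],
            ".".join(str(b) for b in version_bytes(f["sandboxVersion"]))))
    print("fixed across all samples:", ", ".join(fixed_fields(SAMPLES)))
    print("distinct values per field:", distinct_values(SAMPLES))
```

On the article's samples every field except browserViewVert and sandboxVersion is identical, and popID decodes as zero throughout. If Earthlink's wire order differs from the table order the per-field numbers would shift, but the observation that only a few hex positions change across samples would not.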
While I was looking into this, I also noted (Ethereal strikes again) that Earthlink's Sandbox sends a good chunk of data back to Earthlink's servers upon initial installation. This data is PGP-encrypted, or at least it is preceded by a header indicating that it is. It is sent whether the user is signing up for a new account or just re-installing the software on an old machine. There is no easy way to determine what information is being sent back without a comprehensive disassembly of the software. As of press time, Earthlink has not provided any information about what is sent to Earthlink's servers when their software is installed.
So, there you have it. Is Earthlink's code a unique ID? Apparently not. Does it reveal more information about you when you are browsing the web than is revealed by any other web browser? Yes. Can you turn it off? No, but you could use another browser. Will 99% of Earthlink's users ever know about it? No.
The only thing it would seem to me is that it is because Earthlink has poor web page design (not the browser, their internal web pages!) that they need to know 1) what speed you can handle, so as to adjust A/V content to suit your connection speed, 2) what your screen layout is, probably so as to use fixed-width tables effectively in the HTML layout, and 3) where you are located in the country (via the POP bank info). None of which is even necessary if you follow the HTML 4 specs, with effective use of the OBJECT tag, relative table sizes, and use of the standard HTTP headers and/or cookies, respectively.
In other words, their customized browser appears to be covering up for lame web page designers.
"Pinky, you've left the lens cap of your mind on again." - P&TB
"I can see my house from here!" - ST:
The sad thing is, the law actually goes the other way and protects THEM from YOUR possible DECRYPTING of the information.
They invade your computer, grab some personal information and encrypt it, then send it back to their servers (without your knowledge). You find out about this, and find a way to decrypt it. You find out they've taken a LOT more than anyone would want them to, so you publish your findings. They don't like this (it's bad press) so they sue you under the terms of the DMCA (the material was "protected" by encryption, and decrypting it for any reason is illegal...)
Sad state of affairs in this country. Very, very sad.
# Decode ELNSB50 hex strings read from stdin, one per line, using the bit
# widths from Earthlink's table.  The "ELNSB50::" prefix and any whitespace
# are stripped first, so the codes can be pasted in as they appear above.
use strict;
use warnings;
print join("\t", qw(reserved monitorDepth browserFontSize connectionSpeed connectionType monitorHorz monitorVert browserViewHorz browserViewVert popID sandboxVersion)), "\n";
while (<>) {
    chomp;
    s/^\s*ELNSB50:://;
    s/\s+//g;
    next unless /^[0-9a-fA-F]{40}/;   # need at least the 160 bits the table describes
    # the first 32 bits hold the five packed fields; the rest are whole fields
    my ($misc, $monx, $mony, $browsx, $browsy, $popid, $sand)
        = map { hex } unpack("A8 A4 A4 A4 A4 A8 A8", $_);
    my $res = ($misc & 0xfffc0000) >> 18;   # 14 bits
    my $dep = ($misc & 0x0003fc00) >> 10;   # 8 bits
    my $fon = ($misc & 0x00000380) >> 7;    # 3 bits
    my $spe = ($misc & 0x00000070) >> 4;    # 3 bits
    my $typ = ($misc & 0x0000000f);         # 4 bits
    print join("\t", $res, $dep, $fon, $spe, $typ, $monx, $mony, $browsx, $browsy, $popid, $sand), "\n";
}
I mean fine, I'm willing to believe Earthlink here, but your suggestion that it's not long enough to be a GUID seems specious. If you look at the numbers we can clearly see that each number can be at least 0-d which implies that it is probably either an 8 bit character or a 4 bit character (i.e. hexadecimal). So, you say:
Microsoft's GUID had 128 bits; a good hash function might have 160 bits;
Well, if each character in that string was a 4 bit number, then you are talking 4 bits in 48 places which means it is at least a 192 bit number. So, your logic seems somewhat faulty.
---
This sig has been temporarily disconnected or is no longer in service
...with targeted ads. One of the most desired features from current advertisers is the ability to target ads based on the user's location. Doing this by IP is very spotty; the POPID would solve that problem fairly safely.
// EvilJohn
// Java Geek
Less Talk, More Beer.
These utilities sound very useful. Could you please post links to their websites?
I'm not the original poster, but...
SysInternals has the goods...
Si
Coming soon - pyrogyra
It's probably rightfully considered an HTTP header indicating that what follows is HTML. HTML is only considered in the payload of the transmission, and that occurs in the HTTP header before you get to the payload. Otherwise, it would make little sense to have text/plain as a Content-type, since you can transmit that over HTTP with no HTML coming in at all. Content-type: text/html just indicates that what's about to come over the wire is in HTML form.
They just don't want to get sued by France (as yahoo did) if you, or other users, look up sites containing Certain Illegal(in France) Information. Try doing a google search (from the redirect) on that info. Bet it won't allow it.
Best Slashdot Co
"Yes, imagine. Imagine if web designers weren't obsessed with style over content, with special effects over usability, with animated intros over usefulness, with exactly positioned layout over standards that are easily accessible by the visually impaired or degrade well for old browsers."
I think you will find most good web designers do care about these things...It's the marketing droids that want the shiny spinning stuff and the locked layouts
AdFuel
Web Designer: What do you want?
Customer: Information!
Web Designer: You won't get it!
I'm trying to teach myself to set people on fire with my mind... Is it hot in here?
Imagine never having to answer stupid questions like "flash or html?" "800x600 or 1024x768?"
It's possible that based on the connection speed, you could default modem users to the HTML site and broadband customers to the Flash site (of course, with links to the opposite choice). You could also arrange the tables so people with smaller screen sizes are scrolling left to right and people with large screen sizes aren't forced to scroll down a website that fits into the first three inches of their screen.
I do think there is something else they should flag...system color scheme. I use a darker scheme where my text is white and my workspace is black. On many websites with hardcoded white background I can't read a thing. I usually end up having to disable them. It would be nice if a website could ask my browser what my default text color is and send out the appropriate background.
-- I wonder which will go down in history as the bigger failure: the War on Drugs or the War on Filesharing
Screen size is a matter of "form". A "short fat screen" has a different form factor than a "tall skinny screen", right? A properly designed web page is not constrained to any one resolution or window size. CSS has provisions for layout boxes defined as a %-age of the parent element and for floating elements. If I resize my browser window, the web page should reflow into the available content area, not be locked to a particular presentation.
Do you really want to build a site 4 times to accommodate 4 different ways a user might access it? What happens if a 5th method is developed — do you retrofit all your existing sites? No! Build the site correctly and you only have to do it once!
There never was a duality, except when lazy web designers were involved. Web content is primarily textual. If you have inline images or other media, you're expected to provide ALT text and similar fallback mechanisms. Graceful degradation and device independence are the key, but the concept seems to have flown right over the heads of an entire generation of dee-zyne-ers.
Flamebait != Disagree
Constitutionally Correct
There needs to be a law on the books that prevents the transmission of any information without the user's express consent. I'm not talking about the "If you install this software, you agree to these terms" type of consent, but the "we are sending the following information to our central database: connection speed, monitor type, ..." with an OK/Cancel popup. This becomes important when you start sending things like "We are sending the following to the Microsoft database: Your hard drive's serial number, your motherboard's serial number, your up-to-date billing statement ensuring you have paid for this week's use of Windows XP,..."
Of course, the odds of such a law happening are slim; the odds of a well-crafted law passing are about zero. We need some Slashdotters in Congress, I guess...
Online wrestling as a trading card game? WWF With Authority.
Yeah, but 90% of /.ers wouldn't believe them anyway.
--
[This is partly-offtopic]
Since a couple of weeks ago, my home page, which is www.google.com, is displayed in French. More precisely, www.google.com sends me a redirect to www.google.fr. My browser is set to request only English documents, so I suspected they base the redirect on the IP address.
A quick direct connection shows it:
15:36:10|152 [ladybug:~] fred% telnet www.google.com 80
Trying 216.239.37.100...
Connected to google.lb.google.com.
Escape character is '^]'.
GET / HTTP/1.0
HTTP/1.0 302 Moved Temporarily
Date: Tue, 20 Mar 2001 14:59:24 GMT
Server: GWS/1.10
Connection: close
Set-Cookie: PREF=ID=19fe6a8304c33946:TM=985100364:LM=985100364; domain=.google.com; path=/; expires=Sun, 17-Jan-2038 19:14:07 GMT
Location: http://www.google.fr/
Cache-Control: No-Cache
Content-Length: 161
Content-Type: text/html
<HTML><HEAD><TITLE>302 Moved Temporarily</TITLE></HEAD>
<BODY>
<H1>302 Moved</H1>The document has moved
<A HREF="http://www.google.fr/">here</A>.
</BODY></HTML>
Connection closed by foreign host.
15:36:24|153 [ladybug:~] fred%
I believe they crossed the line here. I really feel that the fact my ISP is in France is none of their business.
Cheers,
--fred
PS: while I am here, is there any way for me to get back www.google.com ?
> As a web designer, I'd love to have this information
As a web user, I'd love to smash your head with a 21" monitor.
> Then you could do the high/low quality links for them
Please don't. If I want to download a high quality link on a 56k modem, it is my business. If I want only the lowres from my DSL line, it is my business too.
Web designer should stop trying to think for the users, like google that insist that I have the french version of the page.
Of course, you're going to tell me that you would provide a link to the other version of the site, but the truth is that you wouldn't.
Try browsing ati.com with Mozilla. Isn't that nice, a 'Web Designer' that makes decisions for its users? (The site sort-of works with Mac OS X Server OmniWeb, or lynx, so it is just because they are lazy assholes)
If such headers were common, it would take a couple of years until:
1/ Users will have only one link and the server will choose what content is best for them
2/ Users with browsers that don't give the info will be redirected to a please-use-latest-IE page.
It has been that way for most web [mis]features.
Cheers,
--fred
> In my experience Google decides which page to give you based on your browser preferences
Your experience doesn't match mine.
See the log below. It is just a telnet to google port 80. I only sent a 'GET / HTTP/1.0' and google redirects me to the French page. Hardly a user preference.
This is recent behaviour, started a couple of weeks ago.
15:36:10|152 [ladybug:~] fred% telnet www.google.com 80
Trying 216.239.37.100...
Connected to google.lb.google.com.
Escape character is '^]'.
GET / HTTP/1.0
HTTP/1.0 302 Moved Temporarily
Date: Tue, 20 Mar 2001 14:59:24 GMT
Server: GWS/1.10
Connection: close
Set-Cookie: PREF=ID=19fe6a8304c33946:TM=985100364:LM=985100364; domain=.google.com; path=/; expires=Sun, 17-Jan-2038 19:14:07 GMT
Location: http://www.google.fr/
Cache-Control: No-Cache
Content-Length: 161
Content-Type: text/html
<HTML><HEAD><TITLE>302 Moved Temporarily</TITLE></HEAD>
<BODY>
<H1>302 Moved</H1>The document has moved
<A HREF="http://www.google.fr/">here</A>.
</BODY></HTML>
Connection closed by foreign host.
15:36:24|153 [ladybug:~] fred%
Cheers,
--fred
I'm an Earthlink user, and it isn't required that you install the Sandbox software. You just have to be able to set up a Dial-up Networking connection in Windows. Which, even for slightly novice users, isn't particularly difficult between the Dial-up Networking wizard and Earthlink's instructions. My fiancée uses the Sandbox stuff. The only thing I see that she gets from using it is a prettier display while the modem is dialing up.
As far as the potential unique serial number not being true, I'm not surprised. Earthlink did stand up against the FBI when it came to installing Carnivore.
BigCat79
"The dead have risen and are voting Republican!" --Bart Simpson
Secondly, as long as they don't make me use their in house software as a condition of using their service, I don't care what they develop. I like Earthlink because they do actively support LINUX/PPP connections with very little hassle. I understand that these folks are having support issues, especially that they just ate a number of the remaining clueless lusers from mindspring and onemain.com. Oh, and another thing, that Sandbox screenshot is old. Member start pages (that blue page) were changed in Jan/Feb.
Third, has anyone stopped to think that perhaps the PGP-encrypted data sent during install might be a new subscriber's CC number and other personally identifying information? Wouldn't that make sense?
This is another view of the world.
I had this same problem when dealing with an "application" that insisted on sending information about my computer out.
What I ended up doing was having a registry monitoring program called regmon monitor all registry access; then I loaded up the program and then stopped monitoring the registry... I found that they wanted to send a LOT of VERY personal info out.
No real disassembly is needed... load up regmon or filemon (file access monitoring program) and note what it looks at... betcha you would be surprised...
There needs to be some sort of law to prevent these criminals from encrypting our personal information. This is why encryption should be outlawed - since clearly, only outlaws use encryption.
This has got to be a historic first. I... I feel faint...
The problem doesn't seem to be the id string that the browser uses, but that PGP-encrypted data that gets sent back to Earthlink upon installation.
Earthlink could do themselves a big favour by revealing exactly what is being sent.
As a web designer, I'd love to have this information. I only wish more browsers immediately told me what speed the person was at. Then you could do the high/low quality links for them.
You can detect with JavaScript:
- horizontal and vertical screen resolution/ usable resolution
- monitor depth
What you can't find out with default JavaScript functions is:
- connection speed
- font size (maybe.. dunno)
- POP ID
- Sandbox Version
What you can find out with a little use of brain:
- connection speed (not hardware.. but true speed)
- font size (not sure about this.. signed scripts should make it possible)
- POP ID - well, they provide your service, so they surely know about it
- sandbox version - if you don't use it, they can't find it out.
What they in fact do is pool their incoming information into one channel. That's much easier than collecting, analyzing and joining all the logs from their different dialups and proxies.
So it's not really a bad thing they do. Just a little bit naughty. Not more evil than banner- and counter-hosts detecting your resolution and stuff..
Don't answer me. Moderate. Slashdot is about moderation, not discussion.
I'd hate to play devil's advocate here, but to be honest I rather like this idea. The information isn't any more identifiable than, say, an IP address. One big benefit is if other browsers begin to include this type of information: PHP could use this information to choose the "best" version of a webpage, video stream, etc to send you. I know I personally get annoyed when a webpage is designed for a much higher resolution than I have set. Similarly, inexperienced internet users shouldn't be allowed to attempt to stream 1Mb/Sec of video through a 56K modem. Sure, it'll look like crap and it's all the end-user's fault but marketing people will tell you that if the end-user screws up you can lose customers because of it (they can go elsewhere, you can't).
Long, cute, or funny Sigs are just another form of over compensation, used by geeks, nerdz, etc.
This isn't an extra HTTP header, as is correctly stated in the article. It's a modification of a value of an existing one.
An HTTP header is e.g., Content-type: text/html; this is just changing the value of an existing one.
And, what is more, the User-Agent header is an informative header, so it's just adding more information about the user agent. So what?
I use Earthlink and had been aware of this for a while, but had been unable to find any solid information regarding the extra header.
I have an Earthlink connection; it's the best I can do because of my location. Anyway, I had written an HTTP proxy Perl script, simply for my own educational purposes. You can imagine my surprise when I noticed this extra header! I could not find a reference to HTTP_ELNSB50 in any of the rfc's or manuals I consulted and I noticed that it never changed.
I did in fact email Earthlink about this, because I feared it might be an invasive identifier. I am disappointed, though, to report that even after repeated emails, I received no answer regarding my queries. I do not grudge Earthlink for this, but I do not think it is the best customer service. I nearly cancelled my account when I could not discover what this mysterious header was.
Suffice to say, though, I am very grateful to Slashdot for answering my questions!
"The night is long that never finds the day." -- William Shakespeare