Slashdot Mirror


Earthlink's Extra HTTP Header

HerrHair had the first reader submission of this, but it took a few days to look into it. If you use Earthlink's customized browser/email/chat/kitchen sink application, which Earthlink recommends for all of its new customers, you are sending an extra HTTP header called HTTP_ELNSB50 with every HTTP request (every download of a file or image), and the data for this header is a lengthy alphanumeric string, which readers took to be a unique ID of some sort. This does not appear to be the case.

Steve Gibson was apparently the first one to look into this browser serial number. I'm a little hesitant to link to that page, since its contents have changed dramatically twice in the last 24 hours. Gibson initially had a page claiming it was a privacy-invading unique ID. He changed it to include a disclaimer in a large red box, and has now changed it again to display the information Earthlink provided about the serial number. Earthlink provided much the same information to Slashdot after our query.

The header information sent is similar to the codes below. Depending on how logging is set up on a given webserver, they may or may not be logged, but enough server logs are accessible across the net that typing ELNSB50 into any search engine will find examples. (ELNSB50, by the way, apparently stands for "Earthlink Sandbox 5.0".)

ELNSB50::0000411003200258029a0128000000000503002800000000
ELNSB50::0000411003200258029a012d000000000503002a00000000
ELNSB50::0000411003200258029a0132000000000503002800000000
ELNSB50::0000411003200258029a0132000000000503002a00000000
ELNSB50::0000411003200258029a013b000000000503002a00000000
ELNSB50::0000411003200258029a013d000000000503002a00000000
ELNSB50::0000411003200258029a0147000000000503002800000000

Even a cursory examination should show that these numbers don't have enough uniqueness to be globally unique IDs. Microsoft's GUID had 128 bits; a good hash function might have 160 bits; those serial numbers, culled from widely scattered machines, aren't unique enough.

This is what Earthlink sent us about the codes:

Field             Bits  Meaning
reserved          14    future growth
monitorDepth      8     monitor bit depth
browserFontSize   3     browser font -- small to large
connectionSpeed   3     One of 4 categories
connectionType    4     Modem, high speed, etc.
monitorHorz       16    horizontal area
monitorVert       16    max vertical area
browserViewHorz   16    views horizontal area
browserViewVert   16    views vertical area
popID             32    numerical POP ID
sandboxVersion    32    what version of the sandbox sent this?

Most items should be self-explanatory. connectionSpeed has four possible values: slow dialup (<56K), fast dialup (56K), slow broadband, and fast broadband. The POP ID refers to which of Earthlink's Points of Presence you are dialed up to - which bank of modems you called. The rest should be clear. If you assume the codes are a number in hexadecimal, and the above are the number of bits dedicated to each piece of information, they appear to agree well. This table differs slightly from Steve Gibson's version. The differences appear to be minor and reconcilable - Earthlink doesn't seem to like the use of the word "Sandbox" in external publications, but it's their own term for their software and it seems quite appropriate: a closed environment which has all the toys you need and which you don't want to/are not able to escape from. (A screenshot of Earthlink's Sandbox is available.)
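
Added example (not Slashdot's or Earthlink's code): a decoder that applies Earthlink's field widths to one of the sample codes above, ignoring any whitespace inside the value. It assumes the fields are packed most significant bit first in the order Earthlink listed them, and the name decode_elnsb50 is hypothetical. The samples are 48 hex digits (192 bits) while the table accounts for 160, so the 32 trailing bits the table does not explain are returned separately.

```python
# Added example: apply Earthlink's published field widths to an ELNSB50 value.
FIELDS = [  # (name, bits) in the order of Earthlink's table
    ("reserved", 14),
    ("monitorDepth", 8),
    ("browserFontSize", 3),
    ("connectionSpeed", 3),
    ("connectionType", 4),
    ("monitorHorz", 16),
    ("monitorVert", 16),
    ("browserViewHorz", 16),
    ("browserViewVert", 16),
    ("popID", 32),
    ("sandboxVersion", 32),
]
TABLE_BITS = sum(bits for _, bits in FIELDS)  # 160 bits = 40 hex digits

# Sample value from the article (first of the listed codes).
SAMPLE = "ELNSB50::0000411003200258029a0128000000000503002800000000"


def decode_elnsb50(value):
    """Return (fields, extra_bits, extra_value) for one header value.

    Assumption: fields are packed most significant bit first, in table order.
    """
    digits = "".join(value.split())            # drop whitespace inside the value
    if digits.upper().startswith("ELNSB50::"):
        digits = digits[len("ELNSB50::"):]
    total_bits = 4 * len(digits)
    if total_bits < TABLE_BITS:
        raise ValueError("value is shorter than the 160 bits in the table")
    number = int(digits, 16)                   # ValueError if not hexadecimal
    fields, remaining = {}, total_bits
    for name, bits in FIELDS:
        remaining -= bits
        fields[name] = (number >> remaining) & ((1 << bits) - 1)
    # Bits the table does not account for (32 in the 48-digit samples).
    return fields, remaining, number & ((1 << remaining) - 1)


if __name__ == "__main__":
    fields, extra_bits, extra = decode_elnsb50(SAMPLE)
    for name, val in fields.items():
        print(f"{name:16} {val}")
    print(f"unexplained trailing bits: {extra_bits} (value {extra:#x})")
```

Under that assumption the sample decodes to an 800x600 monitor at 16-bit depth with a 666x296 browser view, and the seven listed codes differ only in browserViewVert and the last byte of sandboxVersion.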

While I was looking into this, I also noted (Ethereal strikes again) that Earthlink's Sandbox sends a good chunk of data back to Earthlink's servers upon initial installation - this data is PGP-encrypted, or at least it is preceded by a header indicating that it is. This data is sent whether or not the user is signing up for a new account or just re-installing the software on an old machine. There is no easy way to determine what information is being sent back without performing a comprehensive disassembly of the software. As of press time, Earthlink has not provided any information about what is being sent to Earthlink's servers when their software is installed.

So, there you have it. Is Earthlink's code a unique ID? Apparently not. Does it reveal more information about you when you are browsing the web than is revealed by any other web browser? Yes. Can you turn it off? No, but you could use another browser. Will 99% of Earthlink's users ever know about it? No.

19 of 271 comments

  1. Couldn't be a good GUID???? by sterno · · Score: 4

    I mean fine, I'm willing to believe earthlink here, but your suggestion that it's not long enough to be a GUID seems specious. If you look at the numbers we can clearly see that each number can be at least 0-d which implies that it is probably either an 8 bit character or a 4 bit character (i.e. hexadecimal). So, you say:

    Microsoft's GUID had 128 bits; a good hash function might have 160 bits;

    Well, if each character in that string was a 4 bit number, then you are talking 4 bits in 48 places which means it is at least a 192 bit number. So, your logic seems somewhat faulty.


    --
    This sig has been temporarily disconnected or is no longer in service
  2. This does solve one problem.... by EvilJohn · · Score: 4

    ...with targeted ads. One of the most desired features from current advertisers is the ability to target ads based on the users location. Doing this by IP is very spotty, the POPID would solve that problem fairly safely.

    // EvilJohn
    // Java Geek

    --

    Less Talk, More Beer.
  3. Re:The real issue by spectecjr · · Score: 4

    These utilities sound very useful. Could you please post links to their websites?

    I'm not the original poster, but...

    SysInternals has the goods...

    Si

    --
    Coming soon - pyrogyra
  4. Re:I would love this feature if it was improved by romco · · Score: 4

    "Yes, imagine. Imagine if web designers weren't obsessed with style over content, with special effects over usability, with animated intros over usefulness, with exactly positioned layout over standards that are easily accessible by the visually impaired or degrade well for old browsers."

    I think you will find most good web designers do care about these things...It's the marketing droids that want the shiny spinning stuff and the locked layouts

    --
    AdFuel
  5. I would love this feature if it was improved by JoeShmoe · · Score: 5

    Imagine never having to answer stupid questions like "flash or html?" "800x600 or 1024x768?"

    It's possible that based on the connection speed, you could default modem users to the HTML site and broadband customers to the flash site (of course, with links to the opposite choice). You could also arrange the tables so people with smaller screen sizes are scrolling left to right and people with large screen sizes aren't forced to scroll down a website that fits into the first three inches of their screen.

    I do think there is something else they should flag...system color scheme. I use a darker scheme where my text is white and my workspace is black. On many websites with hardcoded white background I can't read a thing. I usually end up having to disable them. It would be nice if a website could ask my browser what my default text color is and send out the appropriate background.

    --
    -- I wonder which will go down in history as the bigger failure: the War on Drugs or the War on Filesharing
    1. Re:I would love this feature if it was improved by ChristTrekker · · Score: 4
      Imagine never having to answer stupid questions like "flash or html?" "800x600 or 1024x768?"

      Imagine sending your content in a universally accessible fashion, rather than a proprietary format that requires a plugin. Imagine designing a site correctly so that it automatically fits any size browser with no extra work or finagling on your part.

      It's possible that based on the connection speed, you could default modem users to the HTML site and broadband customers to the flash site (of course, with links to the opposite choice).

      If you recognize here that people want a choice, why don't you recognize their choices (system preferences) in other areas as well?

      You could also arrange the tables so people with smaller screen sizes are scrolling left to right and people with large screen sizes aren't forced to scroll down a website that fits into the first three inches of their screen.

      See above. A good design accommodates variable screen sizes without the need for "detection scripts" and such. You don't need to know the user's screen size.

      I do think there is something else they should flag...system color scheme. I use a darker scheme where my text is white and my workspace is black. On many websites with hardcoded white background I can't read a thing. I usually end up having to disable them. It would be nice if a website could ask my browser what my default text color is and send out the appropriate background.

      Similar functionality exists in CSS. If the site uses your system colors it will behave as you describe.


      Flamebait != Disagree
    2. Re:I would love this feature if it was improved by gowen · · Score: 5
      Imagine never having to answer stupid questions like "flash or html?" "800x600 or 1024x768?"
      Yes, imagine. Imagine if web designers weren't obsessed with style over content, with special effects over usability, with animated intros over usefulness, with exactly positioned layout over standards that are easily accessible by the visually impaired or degrade well for old browsers.

      I want the old internet back.

      --
      Athletic Scholarships to universities make as much sense as academic scholarships to sports teams.
  6. More proof we need government intervention by blueskyred · · Score: 5
    The big companies will always be ahead of crusade sites like Slashdot. Even though we will eventually find out what is going on, it is always after some form of privacy trampling has taken place.

    There needs to be a law on the books that prevents the transmission of any information without the user's express consent. I'm not talking about the "If you install this software, you agree to these terms" type of consent, but the "we are sending the following information to our central database: connection speed, monitor type, ..." with an OK/Cancel popup. This becomes important when you start sending things like "We are sending the following to the Microsoft database: Your hard drive's serial number, your motherboard's serial number, your up-to-date billing statement ensuring you have paid for this week's use of Windows XP,..."

    Of course, the odds of such a law happening are slim; the odds of a well-crafted law passing are about zero. We need some Slashdotters in Congress, I guess...

    --
    Online wrestling as a trading card game? WWF With Authority.
  7. Re:The real issue by andy@petdance.com · · Score: 5
    Earthlink could do themselves a big favour by revealing exactly what is being sent.

    Yeah, but 90% of /.ers wouldn't believe them anyway.

  8. Re:As A Web Designer by f5426 · · Score: 4

    > As a web designer, I'd love to have this information

    As a web user, I'd love to smash your head with a 21" monitor.

    > Then you could do the high/low quality links for them

    Please don't. If I want to download a high quality link on a 56k modem, it is my business. If I want only the lowres from my DSL line, it is my business too.

    Web designers should stop trying to think for the users, like Google, which insists that I have the French version of the page.

    Of course, you're going to tell me that you would provide a link to the other version of the site, but the truth is that you wouldn't.

    Try browsing ati.com with mozilla. Isn't that nice, a 'Web Designer' that makes decisions for its users? (The site sort-of works with Mac OS X Server Omniweb, or lynx, so it is just because they are lazy assholes)

    If such headers were common, it would take a couple of years until:

    1/ Users will have only one link and the server will choose what content is best for him
    2/ Users with browsers that don't give the info will be redirected to a please-use latest IE page.

    It has been that way for most web [mis]features.

    Cheers,

    --fred


  9. Re:Browser language preferences by f5426 · · Score: 4

    > In my experience Google decides which page to give you based on your browser preferences

    Your experience doesn't map to mine.

    See the log below. It is just a telnet to google port 80. I only sent a 'GET / HTTP/1.0' and google redirects me to the french page. Hardly a user preference.

    This is recent behaviour, started a couple of weeks ago.

    15:36:10|152 [ladybug:~] fred% telnet www.google.com 80
    Trying 216.239.37.100...
    Connected to google.lb.google.com.
    Escape character is '^]'.
    GET / HTTP/1.0

    HTTP/1.0 302 Moved Temporarily
    Date: Tue, 20 Mar 2001 14:59:24 GMT
    Server: GWS/1.10
    Connection: close
    Set-Cookie: PREF=ID=19fe6a8304c33946:TM=985100364:LM=985100364 ; domain=.google.com; path=/; expires=Sun, 17-Jan-2038 19:14:07 GMT
    Location: http://www.google.fr/
    Cache-Control: No-Cache
    Content-Length: 161
    Content-Type: text/html

    <HTML><HEAD><TITLE>302 Moved Temporarily</TITLE></HEAD>
    <BODY>
    <H1>302 Moved</H1>The document has moved
    <A HREF="http://www.google.fr/">here</A>.
    </BODY></HTML>
    Connection closed by foreign host.
    15:36:24|153 [ladybug:~] fred%

    Cheers,

    --fred


  10. Sandbox not required by big_cat79 · · Score: 4

    I'm an Earthlink user, and it isn't required that you install the Sandbox software. You just have to be able to set up a Dial-up networking connection in Windows. Which, even for slightly novice users, isn't particularly difficult between the Dial-up networking wizard and Earthlink's instructions. My fiance uses the Sandbox stuff. The only thing I see that she gets from using it is a prettier display while the modem is dialing up.

    As far as the potential unique serial number not being true, I'm not surprised. Earthlink did stand up against the FBI when it came to installing Carnivore.
    BigCat79

    --

    BigCat79

    "The dead have risen and are voting Republican!" --Bart Simpson
  11. Some thoughts on Earthlink... by yankeehack · · Score: 4
    First, about the popID in the HTTP header, I hate to tell you this, but I happen to know that my Earthlink IP address is "nicely" masked via my geographic POP location. Ex. cust1.citystate.etc.etc So, Earthlink in masking my IP numerics uses the city where I dialup from.

    Secondly, as long as they don't make me use their in house software as a condition of using their service, I don't care what they develop. I like Earthlink because they do actively support LINUX/PPP connections with very little hassle. I understand that these folks are having support issues, especially that they just ate a number of the remaining clueless lusers from mindspring and onemain.com. Oh, and another thing, that Sandbox screenshot is old. Member start pages (that blue page) were changed in Jan/Feb.

    Third, has anyone stopped to think that perhaps the PGP encryption during install might be a new subscriber's CC number and other personally identifying information? Wouldn't that make sense?

  12. Re:The real issue by Lostman · · Score: 5

    I had this same problem when dealing with an "application" that insisted on sending information about my computer out.

    What I ended up doing was having a registry monitoring program called regmon to monitor all registry access, then I loaded up the program and then stopped monitoring registry... I found that they wanted to send a LOT of VERY personal info out.

    No real disassembly is needed... load up regmon or filemon (file access monitoring program) and note what it looks at... betcha you would be surprised...

  13. Horrors! by LNO · · Score: 4
    this data is PGP-encrypted

    There needs to be some sort of law to prevent these criminals from encrypting our personal information. This is why encryption should be outlawed - since clearly, only outlaws use encryption.

  14. Great googly-moogly, a Slashdot editor researches? by mblase · · Score: 5

    This has got to be a historic first. I... I feel faint...

  15. The real issue by davidmb · · Score: 4

    The problem doesn't seem to be the id string that the browser uses, but that PGP-encrypted data that gets sent back to Earthlink upon installation.

    Earthlink could do themselves a big favour by revealing exactly what is being sent.

  16. As A Web Designer by clinko · · Score: 5

    As a web designer, I'd love to have this information. I only wish more browsers immediately told me what speed the person was at. Then you could do the high/low quality links for them.

  17. Not an HTTP header by Yoshi+Have+Big+Tail · · Score: 5

    This isn't an extra HTTP header, as is correctly stated at the article. It's a modification of a value of an existing one.

    An HTTP header is e.g., Content-type: text/html; this is just changing the value of an existing one.

    And, what is more, the User-Agent header is an informative header, so it's just adding more information about the user agent. So what?