Slashdot Mirror

← Back to Stories (view on slashdot.org)

Earthlink's Extra HTTP Header

Posted by michael on from the snooping-for-fun-and-profit dept.

HerrHair had the first reader submission of this, but it took a few days to look into it. If you use Earthlink's customized browser/email/chat/kitchen sink application, which Earthlink recommends for all of its new customers, you are sending an extra HTTP header called HTTP_ELNSB50 with every HTTP request (every download of a file or image), and the data for this header is a lengthy alphanumeric string, which readers took to be a unique ID of some sort. This does not appear to be the case.

Steve Gibson was apparently the first one to look into this browser serial number. I'm a little hesitant to link to that page, since its contents have changed dramatically twice in the last 24 hours. Gibson initially had a page claiming it was privacy-invading unique ID. He changed it to include a disclaimer in a large red box, and has now changed it again to display the information Earthlink provided about the serial number. Earthlink provided much the same information to slashdot after our query.

The header information sent is similar to the codes below. Depending on how logging is set up on a given webserver, they may or may not be logged, but enough server logs are accessible across the net that typing ELNSB50 into any search engine will find examples. (ELNSB50, by the way, apparently stands for "Earthlink Sandbox 5.0".)

ELNSB50::0000411003200258029a012800000000050300280 0000000
ELNSB50::0000411003200258029a012d000000000503002a0 0000000
ELNSB50::0000411003200258029a013200000000050300280 0000000
ELNSB50::0000411003200258029a0132000000000503002a0 0000000
ELNSB50::0000411003200258029a013b000000000503002a0 0000000
ELNSB50::0000411003200258029a013d000000000503002a0 0000000
ELNSB50::0000411003200258029a014700000000050300280 0000000

Even a cursory examination should show that these numbers don't have enough uniqueness to be globally unique IDs. Microsoft's GUID had 128 bits; a good hash function might have 160 bits; those serial numbers, culled from widely scattered machines, aren't unique enough.

This is what Earthlink sent us about the codes:

reserved: 14 future growth monitorDepth: 8 monitor bit depth browserFontSize: 3 browser font -- small to large connectionSpeed: 3 One of 4 categories connectionType: 4 Modem, high speed, etc. monitorHorz: 16 horizontal area monitorVert: 16 max vertical area browserViewHorz: 16 views horizontal area browserViewVert: 16 views vertical area popID: 32 numerical POP ID sandboxVersion: 32 what version of the sandbox sent this?

Most items should be self-explanatory. ConnectionSpeed has four possible values: slow dialup (<56K), fast dialup (56K), slow broadband, and fast broadband. The POP ID refers to which of Earthlink's Point-of-Presences you are dialed up to - which bank of modems you called. The rest should be clear. If you assume the codes are a number in hexidecimal, and the above are the number of bits dedicated to each bit of information, they appear to agree well. This table differs slightly from Steve Gibson's version. The differences appear to be minor and reconcilable - Earthlink doesn't seem to like the use of the word "Sandbox" in external publications, but it's their own term for their software and it seems quite appropriate: a closed environment which has all the toys you need and which you don't want to/are not able to escape from. (A screenshot of Earthlink's Sandbox is available.)

While I was looking into this, I also noted (Ethereal strikes again) that Earthlink's Sandbox sends a good chunk of data back to Earthlink's servers upon initial installation - this data is PGP-encrypted, or at least it is preceded by a header indicating that it is. This data is sent whether or not the user is signing up for a new account or just re-installing the software on an old machine. There is no easy way to determine what information is being sent back without performing a comprehensive disassembly of the software. As of press time, Earthlink has not provided any information about what is being sent to Earthlink's servers when their software is installed.

So, there you have it. Is Earthlink's code a unique ID? Apparently not. Does it reveal more information about you when you are browsing the web than is revealed by any other web browser? Yes. Can you turn it off? No, but you could use another browser. Will 99% of Earthlink's users ever know about it? No.

8 of 271 comments (clear)

  1. I would love this feature if it was improved by JoeShmoe · · Score: 5

    Imagine never having to answer stupid questions like "flash or html?" "800x600 or 1024x768?"

    Its possible that based on the connection speed, you could default modem users to the HTML site and broadband customers to the flash site (of course, with links to the opposite choice). You could also arrange the tables so people with smaller screen sizes are scrolling left to right and people with large screen sizes aren't forced to scroll down a website that fits into the first three inches of their screen.

    I do think there is something else they should flag...system color scheme. I use a darker scheme where my text is white and my workspace is black. On many websites with hardcoded white background I can't read a thing. I usually end up having to disable them. It would be nice if a website could ask my browser what my default text color is and send out the appropriate background.

    --
    -- I wonder which will go down in history as the bigger failure: the War on Drugs or the War on Filesharing
    1. Re:I would love this feature if it was improved by gowen · · Score: 5
      Imagine never having to answer stupid questions like "flash or html?" "800x600 or 1024x768?"
      Yes, imagine. Imagine if web designers weren't obsessed with style over content, with special effects over usability, with animated intros over usefulness, with exactly positioned layout over standards that are easily accesible by the visually impaired or degrade well for old browsers.

      I want the old internet back.

      --
      Athletic Scholarships to universities make as much sense as academic scholarships to sports teams.
  2. More proof we need government intervention by blueskyred · · Score: 5
    The big companies will always be ahead of crusade sites like Slashdot. Even though we will eventually find out what is going on, it is always after some form of privacy trampling has taken place.

    There needs to be a law on the books that prevents the transmission of any information without the user's express consent. I'm not talking about the "If you install this software, you agree to these terms" type of consent, but the "we are sending the following information to our central database: connection speed, monitor type, ..." with a OK/Cancel popup. This becomes important when you start sending things like "We are sending the following to the Microsoft database: Your hard drive's serial number, your mother board's serial number, your up-to-date billing statement ensuring you have paid for this week's use of Windows XP,..."

    Of course, the odds of such a law happening are slim; the odds of a well-crafted law passing are about zero. We need some Slashdotters in Congress, I guess...

    --
    Online wrestling as a trading card game? WWF With Authority.
  3. Re:The real issue by andy@petdance.com · · Score: 5
    Earthlink could do themselves a big favour by revealing exactly what is being sent.

    Yeah, but 90% of /.ers wouldn't believe them anyway.

    --

  4. Re:The real issue by Lostman · · Score: 5

    I had this same problem when dealing with an "application" that insisted on sending information about my computer out.

    What I end up doing was having a registry monitoring program called regmon to to monitor all registry access, then I loaded up the program and then stopped monitoring registry... I found that they wanted to send a LOT of VERY personal info out.

    No real disassembly is needed... load up regmon or filemon (file access monitoring program) and note what it looks at... betcha you would be surprised...

  5. Great googly-moogly, a Slashdot editor researches? by mblase · · Score: 5

    This has got to be a historic first. I... I feel faint...

  6. As A Web Designer by clinko · · Score: 5

    As a web designer, I'd love to have this information. I only wish more browsers immediately told me what speed the person was at. Then you could do the high/low quality links for them.

  7. Not an HTTP header by Yoshi+Have+Big+Tail · · Score: 5

    This isn't an extra HTTP header, as is correctly stated at the article. It's a modification of a value of an existing one.

    An HTTP header is e.g., Content-type: text/html; this is just changing the value of an existing one.

    And, what is more, the User-Agent header is an informative header, so it's just adding more information about the user agent. So what?