Ask HN: Would like a 2nd set of eyes to look over some http traffic captures
1 points
by jbz
5770 days ago
HTTP traffic capture: http://pastebin.com/bzKeMtJi I had 1 open Chrome window set to the new tab page, but network activity was blinking pretty steadily. Paranoia leads to inspection, and I found this strange connection posting back and forth from Facebook. It appears it opened while I was reading a story on money.cnn.com, but it never closed. Note that the capture start time is after I closed all browser windows and cleared all browsing data in Chrome (a habit of mine to do that before I close Chrome completely). I wasn't aware this was possible, to keep the connection going completely outside the context of any webpage, and beyond that there's some strange data that's a bit new to me. Specifically the X-Cnction: field that they put in, and some of the options placed in the Cache: field (must-revalidate?). This is mostly a curiosity, as I'm trying to decipher the purpose, and also generally whether my concept of JavaScript security is way off (I was under the impression closing a website where the JavaScript was loaded would terminate it?). My best guess so far is that they're trying to compile data on what people read, whatever they can wring the browser into telling them via JS, but I may be way off, so if you're familiar with HTTP traffic and ajax/xmlhttp I'd appreciate your thoughts. I put it up on pastebin - http://pastebin.com/bzKeMtJi
"Missed Cneonctions
This header:
Cneonction: close and its variant:
nnCoection: close were two of the headers which first spurred my interest in HTTP headers.
imdb.com, amazon.com, gamespy.com, and google.com have all at various times used these or similar misspellings of connection, and I’m not by any means the first to have noticed. My first thought was that this was just a typo. After more consideration, however, I now believe this is something done by a hackish hardware load balancer trying to “remove” the connection close header when proxying for an internal server. That way, the connection can be held open and images can be transmitted through the same TCP connection, while the backend web server doesn’t need to be modified at all. It just closes the connection and moves on to the next request. Ex-coworker and Mudd alumnus jra has a similar analysis."
source: http://www.nextthing.org/archives/2005/08/07/fun-with-http-h...
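
An added example, not part of the thread or the quoted article: a small Python scanner that flags response header names that look like a rewritten Connection header when reviewing a capture. The sample response is constructed (it is not the pastebin capture), the names classify and scan are hypothetical, and the "abbreviated" rule (an optional X- prefix followed by letters of "connection" in order) is a heuristic assumed here so that a name like X-Cnction is surfaced for review.

```python
from collections import Counter

CANONICAL = "connection"

# Constructed sample response headers (not taken from the pastebin capture).
SAMPLE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Cneonction: close\r\n"
    "nnCoection: close\r\n"
    "X-Cnction: close\r\n"
    "Cache-Control: private, must-revalidate\r\n"
    "Connection: keep-alive\r\n"
    "\r\n"
)

def is_subsequence(short, full):
    """True if the letters of `short` appear in `full` in the same order."""
    it = iter(full)
    return all(ch in it for ch in short)

def classify(name):
    """Return 'exact', 'anagram', 'abbreviated' or 'other' for a header name."""
    n = name.lower()
    if n == CANONICAL:
        return "exact"
    # Same letters, different order: Cneonction, nnCoection.
    if Counter(n) == Counter(CANONICAL):
        return "anagram"
    # Heuristic (assumption of this example): optional X- prefix, then a
    # shortened spelling whose letters occur in order in "connection".
    stripped = n[2:] if n.startswith("x-") else n
    if len(stripped) >= 6 and is_subsequence(stripped, CANONICAL):
        return "abbreviated"
    return "other"

def scan(raw):
    """Return (name, value, kind) for each suspicious header in a raw response."""
    head = raw.split("\r\n\r\n", 1)[0]
    findings = []
    for line in head.split("\r\n")[1:]:      # skip the status line
        name, sep, value = line.partition(":")
        if not sep:
            continue
        kind = classify(name.strip())
        if kind in ("anagram", "abbreviated"):
            findings.append((name.strip(), value.strip(), kind))
    return findings

if __name__ == "__main__":
    for name, value, kind in scan(SAMPLE):
        print(f"{kind:12} {name}: {value}")
```

A hit only says that something on the path renamed or shortened the header; the value and the real Connection header in the same response still have to be read to see how the connection is actually handled.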