Ask HN: Would like a 2nd set of eyes to look over some http traffic captures - jbz

http traffic capture: http://pastebin.com/bzKeMtJi

I had 1 open chrome window set to the new tab page, but network activity was blinking pretty steady. Paranoia leads to inspection and I found this strange connection posting back and forth from facebook. It appears it opened while I was reading a story on money.cnn.com but it never closed. Note that the capture start time is after I closed all browser windows and cleared all browsing data in chrome (habit of mine to do that before I close chrome completely).

I wasn't aware this was possible, to keep the connection going completely outside the context of any webpage, and beyond that there's some strange data that's a bit new to me. Specifically the X-Cnction: field that they put in, and some of the options placed in the Cache: field (must-revalidate?).

This is mostly a curiosity as I'm trying to decipher purpose, and also generally if my concept of JavaScript security is way off (I was under the impression closing a website where the JavaScript was loaded would terminate it?). My best guess so far is that they're trying to compile data on what people read, whatever they can wring the browser into telling them via JS, but I may be way off so if you're familiar with HTTP traffic and ajax/xmlhttp I'd appreciate your thoughts. I put it up on pastebin - http://pastebin.com/bzKeMtJi
======
jbz
Was going to delete this item but maybe someone will find this useful. I
assumed JS was active since the query string contained the variable
"post_form_id_source=AsyncRequest" which to me seemed like an obvious nod to the
now ubiquitous xmlHTTPRequest being used. While it doesn't prove conclusively
that there wasn't JS running, it does make it plausible that it was purely an
HTTP connection kept alive by the X-Cnoection header. I'm still fuzzy as to how
this works or how it's done but I'll post a quick excerpt of what I found after
some searching:

"Missed Cneonctions

This header:

Cneonction: close and its variant:

nnCoection: close were two of the headers which first spurred my interest in
HTTP headers.

imdb.com, amazon.com, gamespy.com, and google.com have all at various times
used these or similar misspellings of connection, and I’m not by any means the
first to have noticed. My first thought was that this was just a typo. After
more consideration, however, I now believe this is something done by a hackish
hardware load balancer trying to “remove” the connection close header when
proxying for an internal server. That way, the connection can be held open and
images can be transmitted through the same TCP connection, while the backend
web server doesn’t need to be modified at all. It just closes the connection
and moves on to the next request. Ex-coworker and Mudd alumnus jra has a
similar analysis."

source: [http://www.nextthing.org/archives/2005/08/07/fun-with-http-h...](http://www.nextthing.org/archives/2005/08/07/fun-with-http-headers)
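
The mechanism described in the excerpt, as an added illustration that is not part of the thread or the quoted article: an HTTP/1.1 receiver treats the connection as persistent unless it sees a header it actually recognises as `Connection: close`, so a proxy that scrambles the name (the quoted `Cneonction` / `nnCoection`) keeps the TCP session open without touching the backend. The sample response below is constructed; the anagram check catches the two spellings quoted above but not the shorter `X-Cnction` from the capture, whose letter count differs.

```python
from typing import List, Tuple

# Constructed sample response in the shape the post describes: an
# intermediary has mangled "Connection" so the name no longer matches.
SAMPLE_MANGLED = (
    "HTTP/1.1 200 OK\r\n"
    "Cneonction: close\r\n"
    "Content-Type: text/html\r\n"
    "Cache-Control: private, must-revalidate\r\n"
    "\r\n"
)


def parse_headers(raw: str) -> List[Tuple[str, str]]:
    """Split a raw HTTP/1.x response head into (name, value) pairs, names kept as seen."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")[1:]  # drop the status line
    headers = []
    for line in lines:
        if not line:
            continue
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return headers


def connection_persists(raw: str) -> bool:
    """Apply the HTTP/1.1 default: persistent unless a recognised
    'Connection: close' is present (HTTP/1.0 defaults to close unless
    'keep-alive' is requested). A mangled name is simply never matched."""
    version = raw.split("\r\n", 1)[0].split()[0]
    for name, value in parse_headers(raw):
        if name.lower() == "connection":
            tokens = {t.strip().lower() for t in value.split(",")}
            if "close" in tokens:
                return False
            if "keep-alive" in tokens:
                return True
    return version == "HTTP/1.1"


def mangled_connection_headers(raw: str) -> List[str]:
    """Detection check: header names that are letter permutations of
    'connection' but not the real name, e.g. Cneonction or nnCoection."""
    target = sorted("connection")
    return [name for name, _ in parse_headers(raw)
            if name.lower() != "connection" and sorted(name.lower()) == target]
```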

------
jbz
You can see it in the logs but I'll point it out specifically: the origination
point seems to be money.cnn.com which I was reading at one point. I do not
visit facebook directly or have a facebook account if it's relevant.