Contrary to Google claims, open Chromium is also following you


    Google has a lot of great services, the quality of which is truly impressive. However, his mania of spying on everything and everything often crosses the border. Comic, but very intelligible about this tells the video Google Toilet , which, for sure, many have already seen here. And probably everyone remembers the story of collecting open Wi-Fi traffic. This short article will talk about the Chromium browser .

    So, many of us like the Chrome browser. But not everyone has his privacy policy, which allows you to use almost any information about the sites you are viewing "in order to improve the quality of Google services." But we have a Chromium! It is Open Source, which means that there should not be spyware code there. This hunchconfirmed by the English Wikipedia , saying that the difference between Chrome and Chromium in the absence of Google-branding, auto-update and, cheers, the absence of sending "spy" data to Google!

    Let's see if this is really so!

    So, launch the sniffer, launch the browser, and ... You guessed it, right? First of all, the browser crawls on Google to get an identification cookie (note, I do not perform any actions in the interface):
    HEAD / HTTP/1.1
    Host: www.google.com
    Connection: keep-alive
    Content-Length: 0
    User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US)
    AppleWebKit/534.6 (KHTML, like Gecko) Chrome/6.0.489.0 Safari/534.6
    Accept-Encoding: gzip,deflate,sdch
    Accept-Language: ru-RU,ru;q=0.8,en-US;q=0.6,en;q=0.4
    Accept-Charset: windows-1251,utf-8;q=0.7,*;q=0.3

    HTTP/1.1 302 Found
    Location: www.google.ru
    Cache-Control: private
    Content-Type: text/html; charset=UTF-8
    Set-Cookie:
    PREF=ID=632128af861ebb83:TM=1281420591:LM=1281420591:S=ELyyEhjZ2JNSeGMV;
    expires=Thu, 09-Aug-2012 06:09:51 GMT; path=/; domain=.google.com
    Set-Cookie: NID=37=r81qA-
    WGJc3SVSCovGM80YSzQb0LXRe39SHMzqClX_9reL_jYI7q3Y3UKfXAdVtkv8m5fZl1W6XR-
    of4k10wGAw4LQYK5LTatCv3BOGwcmOc5V_1yhWjo9Hj6qbX2acc; expires=Wed, 09-
    Feb-2011 06:09:51 GMT; path=/; domain=.google.com; HttpOnly

    Date: Tue, 10 Aug 2010 06:09:51 GMT
    Server: gws
    Content-Length: 218
    X-XSS-Protection: 1; mode=block


    And then Google pings financial analytics service:
    GET /tools/pso/ping?
    as=chrome&brand=&pid=&hl=en&rep=2&rlz=I7:1I7GGLL_ru,W1:1W1GGLL_ru,T4:1T4GGL­L_ru,C1:1C1_____enRU392RU392,C2:1C2_____enRU392,R7:1R7GGLL_ru&dcc=T
    HTTP/1.1
    Accept: text/*
    User-Agent: Mozilla/4.0 (compatible; Win32)
    Host: clients1.google.com

    HTTP/1.1 200 OK
    Content-Type: text/html; charset=utf-8
    Date: Tue, 10 Aug 2010 06:10:07 GMT
    Expires: Tue, 10 Aug 2010 06:10:07 GMT
    Cache-Control: private, max-age=0
    X-Content-Type-Options: nosniff
    X-XSS-Protection: 1; mode=block
    Server: GSE
    Transfer-Encoding: chunked

    rlzT4: 1T4GGLL_ru
    rlzR7: 1R7GGLL_ru
    rlzW1: 1W1GGLL_ru
    rlzC1: 1C1_____enRU392RU392
    rlzC2: 1C2_____enRU392
    rlzI7: 1I7GGLL_ru
    dcc: T
    set_dcc:
    T4:1T4GGLL_ru,R7:1R7GGLL_ru,W1:1W1GGLL_ru,C1:1C1_____enRU392RU392,C2:1C2_____enRU392,I7:1I7GGLL_ru
    events:
    stateful-events:
    crc32: 7c33310f


    That this is a financial server, and not some super-mega-very coded useful service can be very easily verified by looking at the sources of the RLZ library , kindly published by Google itself. Below I give the most interesting piece of code to us:

    //
    // Ping information.
    //

    // rep=2: includes the new stateful events.
    const char kProtocolCgiArgument[] = "rep=2";

    const char kEventsCgiVariable[] = "events";
    const char kStatefulEventsCgiVariable[] = "stateful-events";
    const char kEventsCgiSeparator = ',';

    const char kRlzCgiVariable[] = "rlz";
    const char kRlzCgiSeparator[] = ",";
    const char kRlzCgiIndicator[] = ":";

    const char kProductSignatureCgiVariable[] = "as";
    const char kProductBrandCgiVariable[] = "brand";
    const char kProductLanguageCgiVariable[] = "hl";
    const char kProductIdCgiVariable[] = "pid";

    const char kDccCgiVariable[] = "dcc";
    const char kRlsCgiVariable[] = "rls";
    const char kMachineIdCgiVariable[] = "id";
    const char kSetDccResponseVariable[] = "set_dcc";

    //
    // Financial server information.
    //

    const char kFinancialPingPath[] = "/tools/pso/ping";
    const char kFinancialServer[] = "clients1.google.com";
    const char kFinancialPingType[] = "GET";

    const int kFinancialPort = 80;

    // Ping times in 100-nanosecond intervals.
    const int64 kEventsPingInterval = 24LL * 3600LL * 10000000LL; // 1 day
    const int64 kNoEventsPingInterval = kEventsPingInterval * 7LL; // 1 week

    const char kFinancialPingUserAgent[] = "Mozilla/4.0 (compatible; Win32)";
    const char* kFinancialPingResponseObjects[] = { "text/*", NULL };


    Moreover, I remind you that Google itself claims that this code is used ONLY for marking branded downloads and it is not even in Chrome downloaded from offsite, not to mention "take a free", white and fluffy Chromium.

    I raised the discussion of this problem in the official Google group Chromium-discuss , where confirmation of the anomalous nature of this behavior was obtained. Interestingly, Google again “by mistake” decided to collect more data about users?

    Also popular now: