Firefox 2 sends Google's cookie with requests related with ENABLED BY DEFAULT antiphishing

(Go back to my Firefox page.)

(Related bug in Mozilla's Bugzilla.)

(BTW - feel free to use another packet analyzer instead of ngrep.)

HOW THIS LOG WAS CREATED (Linux):

1. download FF2.0.0.1, unpack it (here I tested the following: http://releases.mozilla.org/pub/mozilla.org/firefox/releases/2.0.0.1/linux-i686/pl/firefox-2.0.0.1.tar.gz) (of course, language version doesn't matter, all official releases from Mozilla should work basically in the same manner)
2. install ngrep (http://ngrep.sourceforge.net)
3. let's start with completely fresh and new profile (default settings, so it is used in this state by, hmm, 90% of all FF users out there?):

      $ mv ~/.mozilla ~/.backup-mozilla
   

4. close/disable all programs that could make network activity (especially HTTP traffic)
5. start second xterm (or other xterminal), become superuser (for raw network access for ngrep), run ngrep:

      $ su -
      # ngrep -tMpqld eth0 -S 1000 -W byline '((OPTIONS|HEAD|POST|GET|PUT|DELETE|TRACE|CONNECT).*HTTP)|(HTTP.*[0-9][0-9][0-9])' | tee ngrep-http.log
   

   (see documentation of ngrep for description of all options)

6. run FF2.0.0.1; in dir where you unpacked (step 1.):

      $ cd firefox
      $ ./firefox
   

7. close it after a while after first-run (just to be sure that sending cookie is not connected with first-run AND that cookie is saved between sessions [ actually, it is obvious, but let's test it this way ])
8. run spyw^Wfirefox once again:

      $ ./firefox
   

9. write about:blank in address field (just in case...); wait about 2h or more; DON'T USE Firefox nor other network applications, because log-file will be harder to analyze (actually, you can use other protocols, just not plain HTTP or similar); you will observe at least:
   • a) traffic related with RSS feeds (there is included one feed by default, at least in version that I've tested); this traffic appears right after starting firefox and then after each 1 hour
   • b) traffic related with antiphishing (updating of local lists) - IIRC - first request is rigt after starting the browser, next one is after random period between 15 and 45 minutes and all consecutive requests occur after each half hour; THERE IS COOKIE (unique in global scale and related with particular profile, so more or less -- with particular user) WITH EACH REQUEST, so Google is able to gather quite interesting data in global scale (and then eg. sell it, aggregated; see their Privacy Policy; also, remember that cookie is related with all Google services (searches, GMail, ...))

10. after 2 hours or so close FF2.0.0.1
11. switch to xterm with ngrep running, press Ctrl + c to stop it
12. analyze (you have to be familiar with HTTP protocol and cookie spec.) log-file (ngrep-http.log) and draw your own conclusions;
    some ideas:
    • search log for "sb.google.com", analyze requests and responses related with this server
    • pay attention to "Cookie: " / "Set-Cookie: " in headers
    • pay attention to redirects, search for "Location: " (use RFC2616 as your guide to HTTP (excluding cookies; for this topic see eg. RFC2109))
    • disable (i.e. remove) RSS feeds in FF, repeat steps 5. to 12., compare with previous results (actually, you can remove RSS feeds after step 6., it will make log-file a little bit cleaner)
13. after making tests you can restore your old settings (backed-up in step 3.) (actually, I've used separate user account for testing...):

       $ rm -rf ~/.mozilla
       $ mv ~/.backup-mozilla ~/.mozilla
    

(Actually, you can omit steps 7. and 8., it shouldn't change anything regarding issues with cookies etc.)

Below is traffic related with issue described in 9.b):

(First, Google's cookie is set on first run (after redirection from mozilla.com to google.com)...):

T 2006/12/20 23:37:57.830252 209.85.129.147:80 -> 10.0.0.2:4258 [AP]
HTTP/1.1 302 Found.
Location: http://www.google.pl/firefox?client=firefox-a&rls=org.mozilla:pl:official.
Cache-Control: private.
Set-Cookie: PREF=ID=4c5d39473ccb5765:TM=1166654268:LM=1166654268:S=wF0xD9_lsWpeHRc5; expires=Sun, 17-Jan-2038 19:14:07 GMT; path=/; domain=.google.com.
Content-Type: text/html.
Server: GWS/2.1.
Transfer-Encoding: chunked.
Content-Encoding: gzip.
Date: Wed, 20 Dec 2006 22:37:48 GMT.
.
e6.
..........L..j.0.EwA.Ah.f.i...*.qq!.P.d...%."U~..~}.&C.s..{x.i.{)...I...5.1...^J..3..3.....J.pEn..MgT....u..$..{......=..............j..+3...=.n...5j.~..Q...~+.bUp>MS...;....&....9.x.1S...MrC.R...c.SEtE..vV9&.$.......'5k,.X._......
a.
..L........
0.
.

(... and then cookie is sent with each request for update of antiphishing lists):

(...)

T 2006/12/20 23:43:26.489598 10.0.0.2:1593 -> 72.14.221.95:80 [AP]
GET /safebrowsing/update?client=navclient-auto-ffox2.0.0.1&mozver=1.8.1.1-2006120814&version=goog-white-domain:1:18,goog-white-url:1:371,goog-black-url:1:7578,goog-black-enchash:1:14917 HTTP/1.1.
Host: sb.google.com.
User-Agent: Mozilla/5.0 (X11; U; Linux i686; pl; rv:1.8.1.1) Gecko/20061208 Firefox/2.0.0.1.
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5.
Accept-Language: pl,en-us;q=0.7,en;q=0.3.
Accept-Encoding: gzip,deflate.
Accept-Charset: ISO-8859-2,utf-8;q=0.7,*;q=0.7.
Keep-Alive: 300.
Connection: keep-alive.
Cookie: PREF=ID=4c5d39473ccb5765:TM=1166654268:LM=1166654268:S=wF0xD9_lsWpeHRc5.
.


T 2006/12/20 23:43:26.533368 72.14.221.95:80 -> 10.0.0.2:1593 [AP]
HTTP/1.1 200 OK.
Content-Type: text/plain.
Server: TrustRank Frontend.
Content-Length: 0.
Date: Wed, 20 Dec 2006 22:43:17 GMT.
.


T 2006/12/21 00:06:58.464915 10.0.0.2:2106 -> 72.14.221.95:80 [AP]
GET /safebrowsing/update?client=navclient-auto-ffox2.0.0.1&mozver=1.8.1.1-2006120814&version=goog-white-domain:1:18,goog-white-url:1:371,goog-black-url:1:7578,goog-black-enchash:1:14917 HTTP/1.1.
Host: sb.google.com.
User-Agent: Mozilla/5.0 (X11; U; Linux i686; pl; rv:1.8.1.1) Gecko/20061208 Firefox/2.0.0.1.
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5.
Accept-Language: pl,en-us;q=0.7,en;q=0.3.
Accept-Encoding: gzip,deflate.
Accept-Charset: ISO-8859-2,utf-8;q=0.7,*;q=0.7.
Keep-Alive: 300.
Connection: keep-alive.
Cookie: PREF=ID=4c5d39473ccb5765:TM=1166654268:LM=1166654268:S=wF0xD9_lsWpeHRc5.
.


T 2006/12/21 00:06:58.509171 72.14.221.95:80 -> 10.0.0.2:2106 [A]
HTTP/1.1 200 OK.
Content-Type: text/plain.
Server: TrustRank Frontend.
Transfer-Encoding: chunked.
Content-Encoding: gzip.
Date: Wed, 20 Dec 2006 23:06:49 GMT.
Cache-Control: private, x-gzip-ok="".
.
832.
..........$.........}...l...^.r.9....H.$.<.....tW.|..f....}^v.....o....b$.....g.W......p.L..KAQ.9."..R....g.?...-.R.......6*..Iw..[...
lV(J..t.8Bt$.j.......B0..%..pY.!..8.2@. ..+A^..K....](.x.KV. ...-p.vLG.P..r.B.r..1.bi.9;.S..J..e"..!S..V....r....R..E.D...3d.......v8...F...?......E...4......G.,...V!.,<I...Zt.X.).0>..6m?.F...B.xmK...+.....X..0.....A...../..|..+.=KIb....gL..hf.......E......`.~.N.[.:..z.. ........f...LD....L<..xNp....pK^..2rO......uS...L/mJ....m.tlA2.'..|.".s...#...Q.Qg.$
..olR.N9.)........
.Y_....H...LZ...h..9......)..I...d.y..=!'Wf.K.5..!%M.....6V@}.'...\}.d?P.........K1..Z.#E.a.C14.E.8R..Wd0....O..^.c^J.L........Dk.7...Q.....x.A...}..K....O.:...-...~.m....X........(.lF/+G.Q.S.K.....;.nus..(9..Q'M......o.........8-[wC4.&y.....`..(. ..m..N..p....y.........5.o.d...8....

T 2006/12/21 00:36:58.426793 10.0.0.2:4817 -> 72.14.221.95:80 [AP]
GET /safebrowsing/update?client=navclient-auto-ffox2.0.0.1&mozver=1.8.1.1-2006120814&version=goog-white-domain:1:18,goog-white-url:1:371,goog-black-url:1:7578,goog-black-enchash:1:14918 HTTP/1.1.
Host: sb.google.com.
User-Agent: Mozilla/5.0 (X11; U; Linux i686; pl; rv:1.8.1.1) Gecko/20061208 Firefox/2.0.0.1.
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5.
Accept-Language: pl,en-us;q=0.7,en;q=0.3.
Accept-Encoding: gzip,deflate.
Accept-Charset: ISO-8859-2,utf-8;q=0.7,*;q=0.7.
Keep-Alive: 300.
Connection: keep-alive.
Cookie: PREF=ID=4c5d39473ccb5765:TM=1166654268:LM=1166654268:S=wF0xD9_lsWpeHRc5.
.


T 2006/12/21 00:36:58.470740 72.14.221.95:80 -> 10.0.0.2:4817 [A]
HTTP/1.1 200 OK.
Content-Type: text/plain.
Server: TrustRank Frontend.
Transfer-Encoding: chunked.
Content-Encoding: gzip.
Date: Wed, 20 Dec 2006 23:36:49 GMT.
Cache-Control: private, x-gzip-ok="".
.
18ef.
...............L........=..E/....L.......;.."$.........8..N.8m...i.......P
...OY...........A....0O...Q....!......d.7;..,;......0q......4..!.:A@E.@=`.......h.U-.!'6}..k~./....8..,$.4.....,.#('.4.......T....q...g..;0......",....N..XR.K...Q..../QC.....<,._.qc;....P4v....jY..BH........H.Fi..a..!..9.cPP`....w.cCZ...U....*...h....*..z.......V.8.l..F.p.-....1-0...'nlLk......8r}.L."+./H.....0Q+~ou...B0....[$ ........p..a.....0I......1.......p9D..+O.M..Q..r..@ulcmJ......q.vF..~!..d-..K"...........x......%...`.cQ....%)....Ca..x.Aq.$..].....`.....Jq.......G...&W{.....lSWC......f-W..E;.r%I%.i....J.H+.....`..y...
.H....fy.....p...D....5~_..j...=(..s9.....x...M.......;.([.....R....$:......C.#.c.t}(.^.....V..tv.......'.D?...7..
.)...Z. .. ..0..x..9...WKm4.=v{bG..B.6....Y5U.J...ghX8/.8A...7h........

(...)

T 2006/12/21 01:06:58.571483 10.0.0.2:3920 -> 72.14.221.93:80 [AP]
GET /safebrowsing/update?client=navclient-auto-ffox2.0.0.1&mozver=1.8.1.1-2006120814&version=goog-white-domain:1:18,goog-white-url:1:371,goog-black-url:1:7578,goog-black-enchash:1:14919 HTTP/1.1.
Host: sb.google.com.
User-Agent: Mozilla/5.0 (X11; U; Linux i686; pl; rv:1.8.1.1) Gecko/20061208 Firefox/2.0.0.1.
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5.
Accept-Language: pl,en-us;q=0.7,en;q=0.3.
Accept-Encoding: gzip,deflate.
Accept-Charset: ISO-8859-2,utf-8;q=0.7,*;q=0.7.
Keep-Alive: 300.
Connection: keep-alive.
Cookie: PREF=ID=4c5d39473ccb5765:TM=1166654268:LM=1166654268:S=wF0xD9_lsWpeHRc5.
.


T 2006/12/21 01:06:58.615370 72.14.221.93:80 -> 10.0.0.2:3920 [A]
HTTP/1.1 200 OK.
Content-Type: text/plain.
Server: TrustRank Frontend.
Transfer-Encoding: chunked.
Content-Encoding: gzip.
Date: Thu, 21 Dec 2006 00:06:49 GMT.
Cache-Control: private, x-gzip-ok="".
.
14bc.
...............F.Ec.+.SZ......lm.......(.*...w...m...;..b....m......1...:.e.W....p.....a
gx^.Y.Ey..8.e.
...Z........{..}..
.7..-.}..-...n.c..3..5;.'......~.m.....na.h.T.......-u.Y.S\,...oG...dc.';..........U.rmNK1^8...h...%.......l......C.,.!.@a(....C4...'.......b...}L.h.Ux.=59..|.'p.C.=.>.cF.^"..U...h.=h.%y...>I.o3&....<M..bK.M....).*..........A|nL....&.Y^..d.>&..iH.....f........0^r...h..7Ew.....S...bZ.9...'. .#.0,..M...R.'.4B..H ..G*.S...hj...Q...
c.<G.....G.G.2.t....MGV ..bQ...
Y.f.:FRN.a\[...3...V1nLf.2l.......c..<..H.6I...T.60cAf<......%.(N"$...J $...H.,.c.."..G..k2.........4..{.`A.....A.Gf...)pZ..XEH )-..\b.]G.O|5.q.......MW.....`Q..q0...:&]&...J.....Q. .q....1XR.#.\(.......e..$...5. ...8.H.............f.^..]..z..F...
.B..N\.iZ@....K.w.w......|.L?S......M....~..~%.. `t|...6f4+.

T 2006/12/21 01:36:58.378729 10.0.0.2:4745 -> 72.14.221.91:80 [AP]
GET /safebrowsing/update?client=navclient-auto-ffox2.0.0.1&mozver=1.8.1.1-2006120814&version=goog-white-domain:1:18,goog-white-url:1:371,goog-black-url:1:7580,goog-black-enchash:1:14920 HTTP/1.1.
Host: sb.google.com.
User-Agent: Mozilla/5.0 (X11; U; Linux i686; pl; rv:1.8.1.1) Gecko/20061208 Firefox/2.0.0.1.
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5.
Accept-Language: pl,en-us;q=0.7,en;q=0.3.
Accept-Encoding: gzip,deflate.
Accept-Charset: ISO-8859-2,utf-8;q=0.7,*;q=0.7.
Keep-Alive: 300.
Connection: keep-alive.
Cookie: PREF=ID=4c5d39473ccb5765:TM=1166654268:LM=1166654268:S=wF0xD9_lsWpeHRc5.
.


T 2006/12/21 01:36:58.433790 72.14.221.91:80 -> 10.0.0.2:4745 [A]
HTTP/1.1 200 OK.
Content-Type: text/plain.
Server: TrustRank Frontend.
Transfer-Encoding: chunked.
Content-Encoding: gzip.
Date: Thu, 21 Dec 2006 00:36:49 GMT.
Cache-Control: private, x-gzip-ok="".
.
6bb.
..........$UI..:.]....=....$..H.q.Q&Q.z!.. (.....w..".:........'....O...}_........=n.~(....L8............\".
F.....U5.7.M.%..Th....P...u....$Z4...k......u..HAz.N...Rd..AH..{.m..-..d.>..aeT..}...m...(y.|h.Za.12.>3.._....3*.......$.Y.%t....'.=.B.Z(..G....6g.....`.,...;.Y.x..k.......z.T...K......5...XVW.....i...}O'..rr....z..KU.N....v...i$...I .HH.....2.2$...D)..OX.m...."..sf.....P.,l..c&..%....p...Q.....H.8...v..ih.-j..q3......i.C....8..u../.q.n.7u.~=..p...F...........a.z....j8....&.G..=5....Q...d:T....,E,[.,...........A..U..V....|..Yv.v..A.....s..<.#.".6-b/9.............y.....L....-.5,..1.X.j....B.~.k..U.K..[.neVk......x...X_Y..f..c...........|&o.n....W..~..G....=......}.H....].-'$...g.*....R..[..*.V.......\2A..,...z......F.1...p.y.p..K.'0C.....t..YL62y1.(....)....>...9..wymfet..uv....

(...)

T 2006/12/21 02:06:58.408848 10.0.0.2:2795 -> 72.14.221.91:80 [AP]
GET /safebrowsing/update?client=navclient-auto-ffox2.0.0.1&mozver=1.8.1.1-2006120814&version=goog-white-domain:1:18,goog-white-url:1:371,goog-black-url:1:7580,goog-black-enchash:1:14921 HTTP/1.1.
Host: sb.google.com.
User-Agent: Mozilla/5.0 (X11; U; Linux i686; pl; rv:1.8.1.1) Gecko/20061208 Firefox/2.0.0.1.
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5.
Accept-Language: pl,en-us;q=0.7,en;q=0.3.
Accept-Encoding: gzip,deflate.
Accept-Charset: ISO-8859-2,utf-8;q=0.7,*;q=0.7.
Keep-Alive: 300.
Connection: keep-alive.
Cookie: PREF=ID=4c5d39473ccb5765:TM=1166654268:LM=1166654268:S=wF0xD9_lsWpeHRc5.
.


T 2006/12/21 02:06:58.452077 72.14.221.91:80 -> 10.0.0.2:2795 [A]
HTTP/1.1 200 OK.
Content-Type: text/plain.
Server: TrustRank Frontend.
Transfer-Encoding: chunked.
Content-Encoding: gzip.
Date: Thu, 21 Dec 2006 01:06:49 GMT.
Cache-Control: private, x-gzip-ok="".
.
7c9.
..........LV.....\..)......Ru....`0..........O..,R.K.n}..........Y......^.?..h(.........?.%02..B.d -"Z.D.0..T......K.&y.....<+Q..*...Y. ..e.S.*....."Nm.......F...)..1..\-.2.G.TVq....Us....!.E.D.r....W...XH.*.X....*....k.~......4.)dfJ#..).T...)..[.e..l9fI...V.g.YA....l.8.......T.....|I....O....#>...7~._........K.e..f...2F.E]}..F..L~Tk..tC*....(.F.9.u8......2.2z....\.....n...2/..e..i.#.?..V.p9U.......,....,.......3snp.}..O....a.......S.;......*.....=7.....}._.S8..8...'@R...s.R...nz.i....52.gm...Bz&..[..B...A8.H7..r.....G..~.1.....x..Rw.`ui..~+....:...j.DlXN'......h..^..z..jLXc...9NWn....\.~D.(..9.....BF.}D....FkPy..`o`......".,..3.'.l...B...%..Z.._.:.5.#+.._z..>...q..U.U`=.....!7.H.....Xe.}8..N......
....k..n.Z.W.&....(..{..[.....5...z....k..H...zW..y.^..u.].X........W..2.m....Y.N....(W

T 2006/12/21 02:36:58.430013 10.0.0.2:2497 -> 72.14.221.93:80 [AP]
GET /safebrowsing/update?client=navclient-auto-ffox2.0.0.1&mozver=1.8.1.1-2006120814&version=goog-white-domain:1:18,goog-white-url:1:371,goog-black-url:1:7581,goog-black-enchash:1:14922 HTTP/1.1.
Host: sb.google.com.
User-Agent: Mozilla/5.0 (X11; U; Linux i686; pl; rv:1.8.1.1) Gecko/20061208 Firefox/2.0.0.1.
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5.
Accept-Language: pl,en-us;q=0.7,en;q=0.3.
Accept-Encoding: gzip,deflate.
Accept-Charset: ISO-8859-2,utf-8;q=0.7,*;q=0.7.
Keep-Alive: 300.
Connection: keep-alive.
Cookie: PREF=ID=4c5d39473ccb5765:TM=1166654268:LM=1166654268:S=wF0xD9_lsWpeHRc5.
.


T 2006/12/21 02:36:58.474311 72.14.221.93:80 -> 10.0.0.2:2497 [A]
HTTP/1.1 200 OK.
Content-Type: text/plain.
Server: TrustRank Frontend.
Transfer-Encoding: chunked.
Content-Encoding: gzip.
Date: Thu, 21 Dec 2006 01:36:49 GMT.
Cache-Control: private, x-gzip-ok="".
.
18ed.
...............F.D........A.....=.=.~..5...DWwU..._.,._...._.\........h......Q..?....Ep4.....0..4..,..........%R.i..Z%../!6.,y......B.g.4.&.......Q....\u.E.
.\.L....mf.da..2..5.....[.a..(.cQ.Gh..8..Q........l..d2.4v"..Jwx.....s..z......$U...G6P.q..P......lK..[...!s9~'_+..vdkR.@T.........PSs.h...Al.A....`..yT...,..<...f....4.6F....n...i.s.0.D,..+...hp%6.1....(N"$...J $...H.,.c.."..G..[2........!4..{.`A.....A.Gf...)pY..XEH )-..\b.]G.O|4.q.......]W.....`Q..q0...>']&./....s!(.*A~.,.9\c.....z.x...p.((..$1.4.)...Y.<#.O....?s_.N....z..w...k`4...U`..fp.*M...$_8...`x.o..YQ...t....P-Pm.....&j.H.SA...|..m.hV..s...h.VI.N.c.V,..r...Zp(..7.s......#=.......8..B..j.29._.XR..A....,%5.....ik.Z%..--.cMD.?..Mf.F........]..rMl.9.Zz.......}/\.-8P2'A.*.gq..J~....y.<l.....-........|=;V.t.V..{...[.Id)w.....+

(...)

T 2006/12/21 03:06:58.416347 10.0.0.2:3813 -> 72.14.221.93:80 [AP]
GET /safebrowsing/update?client=navclient-auto-ffox2.0.0.1&mozver=1.8.1.1-2006120814&version=goog-white-domain:1:18,goog-white-url:1:371,goog-black-url:1:7581,goog-black-enchash:1:14923 HTTP/1.1.
Host: sb.google.com.
User-Agent: Mozilla/5.0 (X11; U; Linux i686; pl; rv:1.8.1.1) Gecko/20061208 Firefox/2.0.0.1.
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5.
Accept-Language: pl,en-us;q=0.7,en;q=0.3.
Accept-Encoding: gzip,deflate.
Accept-Charset: ISO-8859-2,utf-8;q=0.7,*;q=0.7.
Keep-Alive: 300.
Connection: keep-alive.
Cookie: PREF=ID=4c5d39473ccb5765:TM=1166654268:LM=1166654268:S=wF0xD9_lsWpeHRc5.
.


T 2006/12/21 03:06:58.460172 72.14.221.93:80 -> 10.0.0.2:3813 [A]
HTTP/1.1 200 OK.
Content-Type: text/plain.
Server: TrustRank Frontend.
Transfer-Encoding: chunked.
Content-Encoding: gzip.
Date: Thu, 21 Dec 2006 02:06:49 GMT.
Cache-Control: private, x-gzip-ok="".
.
fd7.
...........W...L.^.s......i.b..&)I.q.Y 9
..\.........zC..x..?.6N.?Y.......o
...k..x...KP.EA.SH.Y.
..d P....!..?q....O...r.........#.[..z.....j.....'RO..W.......hzx.-..E...}..V.7..;.q.a...J<.5.r@..g.....t..D<.7....0%".x9c.]....U.6.
..a.....4^l..sB.:..;....D....._.F.R.V..J.y.R.AFPae.@A.........u%v..6..O~.@...w....e.u......#.K....N...u.Y.OE.;ge].|^lic..u..<..........lJ..@.E...vc.o2:.........cP.'..@...E..=.i.xJd...g.|N.....lJ....y.U......Q........_5.Q...../V..i..o.j.@..........}.....?.3S......z.
.F3....(O[.9.o....uo......W..X/.u.G.....tE...XIH_.T.,. ~....y..J.....R.~GQ..4YW.A....Ow\..=..D..O.IO.s.M.5?..!.n4T..NE....J....$...(..( #.......j.&.{^_.2.|.).....v...%.V<..R ...k'....R.nZ..m,.ucF.K.Q.{..ZF..Q.&..m.'..!.._.aE...$. Q.UIf8A.!/..>....v.....;...C...wE8..+..qF...ahhf..a.\G.3'.WH..l.wK..

T 2006/12/21 03:36:58.512347 10.0.0.2:1882 -> 72.14.221.91:80 [AP]
GET /safebrowsing/update?client=navclient-auto-ffox2.0.0.1&mozver=1.8.1.1-2006120814&version=goog-white-domain:1:18,goog-white-url:1:371,goog-black-url:1:7581,goog-black-enchash:1:14924 HTTP/1.1.
Host: sb.google.com.
User-Agent: Mozilla/5.0 (X11; U; Linux i686; pl; rv:1.8.1.1) Gecko/20061208 Firefox/2.0.0.1.
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5.
Accept-Language: pl,en-us;q=0.7,en;q=0.3.
Accept-Encoding: gzip,deflate.
Accept-Charset: ISO-8859-2,utf-8;q=0.7,*;q=0.7.
Keep-Alive: 300.
Connection: keep-alive.
Cookie: PREF=ID=4c5d39473ccb5765:TM=1166654268:LM=1166654268:S=wF0xD9_lsWpeHRc5.
.


T 2006/12/21 03:36:58.555587 72.14.221.91:80 -> 10.0.0.2:1882 [A]
HTTP/1.1 200 OK.
Content-Type: text/plain.
Server: TrustRank Frontend.
Transfer-Encoding: chunked.
Content-Encoding: gzip.
Date: Thu, 21 Dec 2006 02:36:49 GMT.
Cache-Control: private, x-gzip-ok="".
.
8a0.
............I..<.....+z.y.L@....$2."."}z.....8..o.^dC..@....s.....K^......?......!._.......5..I.0.T....fr...I.-.0~V...x}.^...e..k.A:..8.Z.}.]6...-.d...T.~..m].............uM..........Y.....Ps2._o{...1hr~p.{.(O.7B.M.zz...h...?X..q/.#.[S\...v+O....GW8a..p.-...k=......N.j..n+NtN.....E.....&...D}2..Er-..*..]=.......I\.q..P..'.z.3.1...;..y.y....A.....rN.......I....1....0G.@..:4.i..`X.D.?.3w..D.4.E.nvw*..2.....qu....T...b.2.._Qd....Ms..........w'.6..)........,8.
`f~..^.P.fH...Db6..*).2.7.sGY....*.......[K&.6..5.......3.`.|....^.#...}..jf.......Qk..M.j......._m...".-@.......m.]J5..?k...)..u...reV....d...:.r....wJ..70Y..[..'.~....999p..g.......:.]wr........6..N .XI...@..2,....vI.....$M...3.#\h.{.,.[{..|bi.zA^g.u....5>..cq;........A:O...l.'.kF.+..x]g\.:....C...x.`...LA.b.^.p.I@uI......+>......

(...)

T 2006/12/21 04:06:58.473703 10.0.0.2:2751 -> 72.14.221.91:80 [AP]
GET /safebrowsing/update?client=navclient-auto-ffox2.0.0.1&mozver=1.8.1.1-2006120814&version=goog-white-domain:1:18,goog-white-url:1:371,goog-black-url:1:7581,goog-black-enchash:1:14925 HTTP/1.1.
Host: sb.google.com.
User-Agent: Mozilla/5.0 (X11; U; Linux i686; pl; rv:1.8.1.1) Gecko/20061208 Firefox/2.0.0.1.
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5.
Accept-Language: pl,en-us;q=0.7,en;q=0.3.
Accept-Encoding: gzip,deflate.
Accept-Charset: ISO-8859-2,utf-8;q=0.7,*;q=0.7.
Keep-Alive: 300.
Connection: keep-alive.
Cookie: PREF=ID=4c5d39473ccb5765:TM=1166654268:LM=1166654268:S=wF0xD9_lsWpeHRc5.
.


T 2006/12/21 04:06:58.517061 72.14.221.91:80 -> 10.0.0.2:2751 [A]
HTTP/1.1 200 OK.
Content-Type: text/plain.
Server: TrustRank Frontend.
Transfer-Encoding: chunked.
Content-Encoding: gzip.
Date: Thu, 21 Dec 2006 03:06:49 GMT.
Cache-Control: private, x-gzip-ok="".
.
534.
...........UI..8.\....{.6....HH..". |..........x{.,r.=..n.......]WY~.-...{....C,...u.d.......qG3.-..( ...q...$.v..3.......".8....aST....J.p.3..l..Gu.v...>..q}.K.N.k.j1...[..+;.....+R.....

.J.pf.......0`.r.v..:...\"...6.k..Mz...=^.c!.%....h?.....[...F.A.{..IS.=..........t...--?uF/..z..7........2.n.S...e....q.r...w..a.s.
.G....f.(,..d...8....*....$>Q...r....gA....7.1.uku....h.._QxMG...."Y,^A...+.. ~..'H=......fO.WQ.....^:.]...$DVK-...E.q...1..p....Y.'}....a.uY.h...;..0...z...W.j..`.....E................oz~..lq.F;=...S{.%N.#....3gE...D...(..u(R.2...-.......J....33..t......]D......^P.~..w>......:OJ?x.f..G1.......{..<X|..G..`..{...:.."........]y...O.cUt.Q.#o:9....s7.-.._=.+.yW44o...`.*
....\F...`..E...v&Q._.V..Z-.}......>.T..^2..M..i..j..h...W.G5..W.."....U.*a..4.{u6K....?.U.L(...B.......

T 2006/12/21 04:36:58.431947 10.0.0.2:1863 -> 72.14.221.91:80 [AP]
GET /safebrowsing/update?client=navclient-auto-ffox2.0.0.1&mozver=1.8.1.1-2006120814&version=goog-white-domain:1:18,goog-white-url:1:371,goog-black-url:1:7581,goog-black-enchash:1:14926 HTTP/1.1.
Host: sb.google.com.
User-Agent: Mozilla/5.0 (X11; U; Linux i686; pl; rv:1.8.1.1) Gecko/20061208 Firefox/2.0.0.1.
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5.
Accept-Language: pl,en-us;q=0.7,en;q=0.3.
Accept-Encoding: gzip,deflate.
Accept-Charset: ISO-8859-2,utf-8;q=0.7,*;q=0.7.
Keep-Alive: 300.
Connection: keep-alive.
Cookie: PREF=ID=4c5d39473ccb5765:TM=1166654268:LM=1166654268:S=wF0xD9_lsWpeHRc5.
.


T 2006/12/21 04:36:58.475040 72.14.221.91:80 -> 10.0.0.2:1863 [A]
HTTP/1.1 200 OK.
Content-Type: text/plain.
Server: TrustRank Frontend.
Transfer-Encoding: chunked.
Content-Encoding: gzip.
Date: Thu, 21 Dec 2006 03:36:49 GMT.
Cache-Control: private, x-gzip-ok="".
.
82c.
...........V..............+R..v........>.^3:...?.q...ui..S.y......P.`...T.[... ..%..x..<....
..H@.I.`$.'E,.......W.1$+..I"$'.$Or..(...........b..v..u...-....2ba............-..=.../s..2 .).q.C]x.IJ..W{.......BIB H. .AJ<.1...........O..'.H-..+0.0...oH....l."O.O.@.`.k...v/.0......l+.{:...Jx.....n.:.s.d.},.d/...MC..;..VL2...........9.A%.....4G.8.D..$E...K7.`.{...j..y.0.Sv....DV....[-.c.z.
...dc...'\G.....t.i.L.....n....{..X5D-.6.u.K..._Y....x5....[..{.I.!..9..7...#g...]E.S......8.A..I..).....1..$F....H.C.?.c-q.Y.^....M.$s..[..y..c..<....%.aG.k...%@... z.
U..t.v..6>Z#z......G....H8<.....B+..d.._..2..<Q....Y"..N.O...K.[.ARx.cs...Q...~s.....}x..y........2..z.......w......R....._hz...
nS..;..'....!....94h].
{f.d.-..s=.KJu..v...w.n....I.B 6".......k.-....}...K2.-..}.f.".(..\j.r>R%......Z..E.c.

(...)

T 2006/12/21 05:06:58.501883 10.0.0.2:3918 -> 72.14.221.95:80 [AP]
GET /safebrowsing/update?client=navclient-auto-ffox2.0.0.1&mozver=1.8.1.1-2006120814&version=goog-white-domain:1:18,goog-white-url:1:371,goog-black-url:1:7581,goog-black-enchash:1:14927 HTTP/1.1.
Host: sb.google.com.
User-Agent: Mozilla/5.0 (X11; U; Linux i686; pl; rv:1.8.1.1) Gecko/20061208 Firefox/2.0.0.1.
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5.
Accept-Language: pl,en-us;q=0.7,en;q=0.3.
Accept-Encoding: gzip,deflate.
Accept-Charset: ISO-8859-2,utf-8;q=0.7,*;q=0.7.
Keep-Alive: 300.
Connection: keep-alive.
Cookie: PREF=ID=4c5d39473ccb5765:TM=1166654268:LM=1166654268:S=wF0xD9_lsWpeHRc5.
.


T 2006/12/21 05:06:58.545058 72.14.221.95:80 -> 10.0.0.2:3918 [A]
HTTP/1.1 200 OK.
Content-Type: text/plain.
Server: TrustRank Frontend.
Transfer-Encoding: chunked.
Content-Encoding: gzip.
Date: Thu, 21 Dec 2006 04:06:49 GMT.
Cache-Control: private, x-gzip-ok="".
.
b78.
...........W...:......].A...n...x`4._u......c..q.%*U..=........u.T.Y......./.%..3.i<f.....b.QN!,....D.!+JTU5DX..
..E[..\.S..t4.0..B.w..s2..S{.J..
...Bh.{.*.1.#..........C....{.a.........5..h......SJOv......?e...vo{uJ...Z....ci'R..j.I.V.2..'~5...J.n_..j2..(.....B(.).d....s..OFk/=.\H.5.*...c........B..oK.7.1.L.@J.,j.L...v.?.la.B.$A..X..[ .B$c..P.H.q..uK{u.......i:N.q.>...y.....T9..:..[4.C^....z.D.\V^I.7...vtM.=.....x.....z...}.RQ.@%.@ .L..Q,.,/......?..a...[+.....?...:.o.}."..My..".?..-.EJ.......h....P2?..A.........'....."..
.*?..q.\.x...........Pa.l..1.=&+fy.......WF.G.w.........7...~......P...p.>....b1.n...Y...x.(..6n.o......Y..1Imwi
xH.....".n..
.po....U...n...%./qW..1...X...X.......y|........X..U.s........o...n.,ct...*k+.V....%r.G.k...!.;..Ld.......P......c.3.v|K$.....S...f....fK.%.