How Did Apple Keep Safari Hidden From Server Logs?
You know, one of Apple’s characteristics is (was?) secrecy; and that includes all of its products, both software and hardware. We’ve already written about how Safari ended up with the name “Safari,” and Don Melton decided to share another piece of the Safari puzzle: how did secrecy work at Apple? Jump into the time machine to find out.
As he points out, a long time before it was called by the name Safari, the browser pretended to be Microsoft Internet Explorer for Mac, and six months before its debut, it started pretending to be a Mozilla browser.
These steps were obviously to keep Safari private — which makes me wonder why this secrecy doesn’t work anymore (see iOS 7 usage logs) — as Twitter and Facebook didn’t exist back then, and nobody at Apple was blogging back then.
So why pretending? Because of the server logs.
When a Web browser fetches a page from a Web server, the browser identifies itself to that server with a user agent string — basically its name, version, platform, etc. The browser also gives the server an IP address so the server knows where to return the page. This exchange not only makes the Web work, it also allows the server to tell who is using what browser and where they’re using it.
You can see where this is going, right? But wait, there’s more…
Back around 1990, some forward-thinking IT person secured for Apple an entire Class A network of IP addresses. That’s right, Apple has 16,777,216 static IP addresses. And because all of these addresses belong together — in what’s now called a “/8 block” — every one of them starts with the same number. In Apple’s case, the number is 17.
IP address 184.108.40.206? That’s Apple. 220.127.116.11? Yes, Apple. 18.104.22.168? Also, Apple. 22.214.171.124? Apple, dammit!
I was so screwed.
Even though we operated the project like some CIA black op — with loyalty oaths and all — we couldn’t let Safari be “Safari” when we used it on the Apple campus network. Otherwise, some Web server administrator somewhere might be scanning their log files and notice the connection between user agent string and IP address origin. Then the big surprise Steve Jobs wanted to unveil at MacWorld on January 7, 2003, would be shot. And, likely, so would I.
So, what they did was to hide the Safari user agent string whenever they were at the Apple campus. When back home, they modified it to enable its real user agent string for compatibility testing. That allowed Melton to tweak the string for maximum compatibility of with the websites of the day (circa 2002) and that’s why the Safari user agent string has so much extra info in it, such as the names of other browser engines.