Yesterday I did some testing of version 4.0.1 of Adobe Digital Editions and verified that it is now using HTTPS when sending ebook usage data to Adobe’s server adelogs.adobe.com.
Of course, because the HTTPS protocol encrypts the datastream to that server, I couldn’t immediately verify that ADE was sending only the information that the privacy statement says it is.
Emphasis is on the word “immediately”. If you want to find out what a program is sending via HTTPS to a remote server, there are ways to get in the middle. Here’s how I did this for ADE:
- I edited the hosts file to refer “adelogs.adobe.com” to the address of a server under my control.
- I used the CA.pl script from openssl to create a certificate authority of my very own, then generated an SSL certificate for “adelogs.adobe.com” signed by that CA.
- I put the certificate for my new certificate authority into the trusted root certificates store on my Windows 7 deskstop.
- I put the certificate in place on my webserver and wrote a couple simple CGI scripts to emulate the ADE logging data collector and capture what got sent to them.
I then started up ADE and flipped through a few pages of an ebook purchased from Kobo. Here’s an example of what is now getting sent by ADE (reformatted a bit for readability):
In other words, it’s sending JSON containing… I’m not sure.
The values of the various keys in that structure are obviously Base 64-encoded, but when run through a decoder, the result is just binary data, presumably the result of another layer of encryption.
Thus, we haven’t actually gotten much further towards verifying that ADE is sending only the data they claim to. That packet of data could be describing my progress reading that book purchased from Kobo… or it could be sending something else.
That extra layer of encryption might be done as protection against a real man-in-the-middle attack targeted at Adobe’s log server — or it might be obfuscating something else.
Either way, the result remains the same: reader privacy is not guaranteed. I think Adobe is now doing things a bit better than they were when they released ADE 4.0, but I could be wrong.
If we as library workers are serious about protection patron privacy, I think we need more than assurances — we need to be able to verify things for ourselves. ADE necessarily remains in the “unverified” column for now.