Dev

How Apple kept Safari a secret

safari

About 10 years ago, Don Melton was nervous as hell. Melton, Apple’s director of Internet technologies, had been tasked with building the Safari web browser and keeping the whole project secret.

While Apple has done a fairly good job of keeping hardware product designs secret (minus that one time), a web browser is a different story. What browsers are in use around the world are easily tracked by site administrators and web monitoring services.

Melton describes the ordeal of keeping Safari a secret in a blog post published late last night. He writes:

We weren’t under physical lockdown like Jony Ive’s design group was then, or like the iPhone team would be years later. But unless you knew who to look for, you were never going to find us on campus. And if you did, it’s unlikely you could tell what we were doing unless you caught one of us actually running Safari — something we usually did with our office doors closed.

I wasn’t worried about talk either. Forstall certainly trusted me – that’s one of the many things that made him a great boss. And I trusted my team — otherwise I wouldn’t have hired them. None of us nor any of the internal beta testers at Apple were going to snitch. There were too damn few beta testers, but they were above reproach.

Twitter and Facebook didn’t exist then. Nobody at Apple was stupid enough to blog about work, so what was I worried about?

Server logs. They scared the hell out of me.

Server logs make it easy to track which browser someone is currently using, so you have to be more clever than people with access to server logs.

Melton had one other big problem. Apple’s computer network has the same number (“17″) in front of its 16,777,216 static IP addresses. Which means anytime people did testing on Safari from Apple’s campus, it would be easy to spot the connection on a server log between the IP address number and the browser info.

To make sure server logs didn’t reveal Safari to the world before Apple did, Melton wrote code to create a fake “user agent string” on Safari. Instead of Safari, it appeared to server logs that Internet Explorer for Mac was in use. Later, Safari was masked to appear as if it was a Mozilla browser.

Melton writes:

Even though we operated the project like some CIA black op — with loyalty oaths and all — we couldn’t let Safari be “Safari” when we used it on the Apple campus network. Otherwise, some Web server administrator somewhere might be scanning their log files and notice the connection between user agent string and IP address origin. Then the big surprise Steve Jobs wanted to unveil at MacWorld on January 7, 2003, would be shot. And, likely, so would I.

So we hid my cleverly designed Safari user agent string whenever we were at Apple. And I say “my” because that’s actually one of the few pieces of code in Safari and WebKit that I can 1) claim to have designed and 2) is still actually in the source. Thank God my engineering team removed or refactored all my other hacks. I hired good people.

Whenever we were off the Apple campus network, e.g. in our homes, we modified Safari to enable its real user agent string. And we had to do this for compatibility testing. That allowed me to tweak the string for maximum compatibility with the websites of that time. Which explains why the Safari user agent string has so much extra information in it, e.g. KHTML, like Gecko — the names of other browser engines.

Finally, Melton had one more challenge. He needed to make sure the legitimate “user agent string” shipped with Safari on Jan. 7, 2003. So Melton and his team coded Safari so the real user agent string would automatically be enabled after a certain date. That way, the browser would finally display its info normally to server logs when regular people used the browser.

“Just about this time 10 years ago, days before it was to debut, Safari went from hiding its light under a bushel to being proud of who it really was,” Melton wrote.

Safari image via Apple


Mobile developer or publisher? VentureBeat is studying mobile marketing automation. Fill out our 5-minute survey, and we'll share the data with you.