The America Online Protocol Revealed

Gods Misfit writes "The America Online protocol(Connecting, Logging In, Joining Chats, etc..) has remained a mystery for most of its life. The only way one could log into their AOL account was via the AOL software. A few months ago, some people set out to break down the AOL protocol and open the door for alternative America Online software. This document is the result: The AOL Protocol. A sign on example for Visual Basic programmers has been written and is available here." I suspect a fair number of people never try Linux or one of the BSDs because they're moderately happy with AOL as an ISP, and switching OSes would mean switching ISPs at the same time. A shame that AOL doesn't make this kind of information more easily available.

Re:Congratulations!

AOL cracks have been in existence for over 10 years now (way before AOL was even on the internet, or called AOL). As it turns out, AOL started with a lot of security through obscurity (they used to trust the client for a lot), and as a result, there were holes galore. One crack a couple years ago realized that you got internet access before you actually logged in, and for a while people were getting free internet access without signing up again every 30 (now 45) days (like those of us with a little more fear of jail time do).

In any case, yes, releasing the protocol might uncover some additional security through obscurity holes, but in the end they can always be plugged up, just as they have in the past.

Re:Congratulations!

Things that are proprietary are not always bad. Windows 95/98 used a proprietary IP stack, but you could still share a connection, use said connection with other programs besides IE, etc. It's when proprietary things severely (in our minds, our meaning tech geeks) limit what you can do beyond the realms of "reasonable use" or whatever you want to call it. I hope that answers your question.

Illegal Activities?

Wouldn't this be considered illegal under the DMCA, since they reverse engineered AOL's proprietary protocol? If AOL had meant for it to be public, then they would have put it out themselves.

Re:Illegal Activities?

I think that would only count if AOL claimed to be secure. That would be one interesting legal argument.

Re:Illegal Activities?

I wonder if "intentionally obscured" is the same as "encrypted" in the eyes of the DCMA

You mean using Double Rot13 for an extra layer of security?

Re:Illegal Activities?

it may be illegal, but not under the dmca because it doesn't involve bypassing encryption to get to data; it's just reverse engineering. if the software has a reverse engineering clause there might be problems.

i liked timothy's comment that people who use aol may shy away from bsd or linux because they wouldn't want to switch isps. having seen the aol interface and met aol users, i doubt any aol user would honestly USE linux. at best a couple might try the install, but go back to using windows.

Re:Illegal Activities?

Wouldn't this be considered illegal under the DMCA, since they reverse engineered AOL's proprietary protocol? If AOL had meant for it to be public, then they would have put it out themselves.

No. Reverse engineering algorithms protected only by copyright is always legal. DMCA makes it illegal to circumvent or reverse engineer copyright protection schemes. There is no evidence anything of the sort has been done.

Re:People sticking with Windows because of AOL?

I know people who actually use the words "I like AOL" all together in one sentence.

Hey now, wait a minute!!! You're stepping on my toes, now. I use those words together in one sentence all the time:

"I would like to see AOL ripped into tiny pieces and thrown into the Seven Seas."

Cat and mouse games

How long until they make an arbitrary change that breaks all the "new" clients? While I don't understand why they'd care (the customer is still, in theory, paying for the service), the fact that they've kept it secret for so long makes me wonder if they'll let this slide. Not to mention their annoying policies regarding the AIM client (how many times did they break everybuddy?)

Re:Cat and mouse games

The reason they won't let this slide : not all of AOL's revenue comes from subscription. They have lots of ads. And alternate clients could nix the ads, hence no ad revenue.

Re:Cat and mouse games

Uhh, the ad disabling is built into the AOL client. Go look under preferences. They're only on by default.

Re:Cat and mouse games

Not if you figure out the AOL auto-updating mechanism as part of the protocol. Then, the only way they can lock alternatives out is to actually force everyone who is on AOL 2,3,4,5, and 6 to upgrade immediately. That isn't ever going to happen.

I Thought The Main Benefit Of AOL...

...was keeping AOL users ON Windows? Now they can spread....

AOL on linux

AOL on Linux.

Isn't that like having a red neck teach physic's at MIT?

Well, that seals it

Finally, I can get onto AOL using Linux! I'm installing it as soon as I get home!

Seriously, I don't know why whenever something gets posted on /., the sentiment "Finally! Now the average user will use Linux!" has to be used. The simple fact is that the average user isn't savvy enough to use it, and there is a large group of users who ARE savvy enough to use it, but find setting it up to be a big headache.

America Online isn't going to be Linux's killer app.

(ducks behind asbestos wall)

AOL Runs on Linux also.

Uh, AOL runs on linux also, think Gateway kitchen device, think Playstation 2. It's there, it works, they've shipped. You just can't download it yet.

But I would go as far to say that the type of people who like computers very simple, and very task oriented wouldn't want to install Linux on their desktop for more than one reason.

1) maybe AOL
2) their computer likely came with windows and installing a new OS is beyond their skills
3) linux desktops are still not dumbed down enough. Come on, TiVo is easy to use, my playstation 2 is easy to use, why is my computer so hard?

Joseph Elwell.

Silly Rabbit!

I suspect a fair number of people never try Linux or one of the BSDs because they're moderately happy with AOL as an ISP, and switching OSes would mean switching ISPs at the same time. A shame that AOL doesn't make this kind of information more easily available.

Probably very few people using AOL would consider playing with *nix. If you're playing with other operating systems, you've probably already outgrown AOL. You're not burning ISOs from Redhat that you downloaded via AOL/dialup. If you're on AOL, you're happy and content and most probably don't want to be switching ISPs or playing with a new OS. Besides, just because you're on a new OS, doesn't mean you have to get rid of your M$ partition and AOL as your dialup. People can explore the goodness of *nix on that old computer in the closet they feel bad about donating to the Salvation Army.

The AOL protocal was a nice reverse engineering hack. Nice work fellows. AOL didn't make it more freely available because it was a proprietary technology. They'd prefer to keep it to themselves or license it out.. otherwise they would have used a published standard.

=steve

Re:Silly Rabbit!

The AOL protocal was a nice reverse engineering hack. Nice work fellows.

Hear, hear!
Look:
There is nothing wrong with a cool hack, made by hackers, that is solely of interest to other hackers, and that maybe even impresses your hacker friends.

This is all Just For Fun, people... never lose sight of that!

Re:Silly Rabbit!

no - but how many people leave their system booted into windows, since their SO, mom, whatever doesn't know how to:

# sync
# sync
# /sbin/shutdown -r now

If they could just click on a pretty AOL icon on the linux desktop, a lot of linux-users might drop their windows partition entirely.

it's all about advertising

when you have to use aol's software to log in to aol, you have to look at the ads and crap that they want you to look at. aol is just one large, happy advertisement. with the possibility of being able to log into your aol account without having to use their software, they'll lose some of that advertising exposure, which means that yes, they will have kittens over this. whee.

Not a big user group overlap..

I suspect a fair number of people never try Linux or one of the BSDs because they're moderately happy with AOL as an ISP ...

Let's face it, the reason that AOL and Linux don't mesh isn't because there's no AOL-Linux interface. It's because people who use AOL use it for a reason - it's got a happy, friendly, push big rainbow colored buttons, don't-cut-yourself safety-scissors interface. Love 'em or hate 'em, it's what they do well - an interface so simple that even grandma can use the demon box.

Linux is still, even in its most user-friendly form, a system that requires you to get some dirt under your fingernails while you use it. It's still a power-user OS.
There just simply isn't a big overlap between the types of people who use AOL and the types of people who traditionally run Linux.

Re:Not a big user group overlap..

There just simply isn't a big overlap between the types of people who use AOL and the types of people who traditionally run Linux.

Everything you say is true (I did't quote your entire post, but I mostly agree with all of it). There is one point you and many others overlook: @Home is bankrupt. What will thousands of Linux users do when their always-on, high-speed ISP goes away and is replaced by AOL? Switch to Windows? Perhaps so, either that or go back to a dial-up ISP. If I were faced with that choice, I'd prefer to figure out how to make AOL work with Linux. Or rather, figure out how to make Linux work with AOL. There may not be much overlap between Linux users and AOL subscribers now, but in the near future there may well be quite a bit of overlap as the "types who traditionally run Linux" are given few alternatives.

Unless you think it might be easer to get MSN to play with Linux.

Making it available means lost revenue

Actually, it doesn't surprise me that they don't make it available. If they release that information, they lose an edge they have on joe average as an entry level computer user. How many times have you talked to someone who wanted to show you something that was on the 'internet' and in reality, it was something that was on a section of AOL? AOL has done a really good job of making a 'controlled' section of the internet we're they control the information. By having only one style of software they have more control also. Would YOU just want anything to connect to YOUR server and have authorization privleges? Of course AOL is very much based on server side scripting, and a butchered version of html. All aol sections are addressed with an aol://xxxx:xxxx:asdgfsadgas type link... a mix of alphanumeric strings, etc. Essentially it's THERE style of html distributed through a browser.

But in the end the bottom line is profit. You don't want to allow people to get onto the internet where you can't 100% control what the first thing they see is. AOL gives the illusion to first time joe averages that it IS the internet. My mom spent months on AOL without even using the actual internet and she thought she was on the internet. It's marketing genius. You control their access, you control the way content is shown, you give them places to spend their money and control the ways they communicate. Everyone does it the same way, so everyone is having a similar version of their own experience...
The AOL designers aren't dumb IMHO, sure it's not the service that I want as my ISP, but when it comes to marketing, they know what their doing...

For awhile they were going to make it so you could use them as a 'traditional' isp using Dial-up, but I don't think that anything really ever came of it.... I guess AOL users just like hearing 'WELCOME, YOU'VE GOT SPAM, (I MEAN MAIL)...'

This will not get AOLer to Switch OS's

This will not get AOLers to switch OS's. Most AOLer's are very paranoid about any change to their computer.

They fear that the change they make will kill their expensive toy and force them to go talk to a more computer literate friend who will once again berate them for using the most expensive ISP with the worst service.

What this will do. (maybe) is covered by point 8

8) Common Sense

Ok, most of you have probably stopped reading by now. But I need to make a point.

The only reason that the information above is not already widely available is because of the fear of abuse. Putting this information in immature hands is dangerous. Some people believe that if it gets out, the walls of the America Online service will come crashing down as things like faster mail bombers, spammers, IM bombers, and cloners begin to immerge. It may very well be impossible to enter a chat room without being so lagged by scrolling, IMs, and emails that you cannot even stay connected. I don't personally believe that though. Due to the complexity of these packets, it is far harder to use even copied source of this than to use copied source of the infamous "AOL Progs" that eventually died out. If you are learning from this document, I implore you to use common sense in your use of this information.

I suspect that this doocument will be the source from which nasty new AOL hacks will be based. And now that it is out it is in very immature hands.

Not that it matters to me because I don't use AOL

Finally!

Public recognition of Visual Basic as a programming language by the /. crowd! Millions of Microsoft programmers, no longer afraid to talk about work at cocktail parties!

Re:Finally!

The only reason you aren't publicly beaten right now is because of the political climate and the promotion of tolerance towards those that are different, regardless of how stupid they appear to be.

Personally, I think we should declare a war against VB programmers after the war on terrorism is over.

What about mail?

In my opinion, logging on and enjoying AOL's so-called services was never 1/10 of the problem as their stupid crappy propritary mail system.

Back around 1996 or so, I was part of an AOL beta program that released a MAPI interface for AOL mail servers. IE, you could add the AOL mail server to your Outlook config and download your AOL mail right into Outlook.

Of course, the AOL exec freaked out when they considered how many eyeballs their advertisers would lose if everyone uninstalled the AOL client and kept their mail via Outlook. So the program was canned, and I was unfortunately too short-sighted to save a copy of that MAPI tool before the area was closed down.

Ever since, I've been trying to get my sister/parents/grandparents off AOL. Not to mention that AOL never supported Windows NT because they couldn't figure out how to install their stupid AOL Adapter TCP shunt thing. So for years my relatives were forced to run a crappy 16-bit (Win 3.11) version of the AOL client for the sole purpose of checking e-mail.

AOL's mail service is terrible but a lot of people don't want to change their e-mail addresses. If you really want to do a great services to help newbies move beyond their AOL shackles...please, I implore you:

A) Reverse engineer the AOL mail protocol so that external programs can at least READ AOL mail (sending, unsending, and AOL custom features are optional)

B) Reverse engineer the AOL mail database (local copy of stored mail) so that it can be imported into another program.

Even after I got a couple family members to switch over to Hotmail, they still have to use the AOL client to read their old mail. It's that or save it all as flat text and lose all the important header information.

Also, a bonus to reverse engineering the AOL mail database would be the ability to sync mail with your Palm. The AOL client for Palm is 400KB and can only dial-up, not sync.

Please post reply if you know of any project working on the AOL mail/database formats. Thank you!

- JoeShmoe

Re:What about mail?

A) Reverse engineer the AOL mail protocol so that external programs can at least READ AOL mail (sending, unsending, and AOL custom features are optional)

It's just a set of IMAP servers. There's no secret about it. If you use Netscape 6.x, it gives you the option to set up an account to retrieve your AOL mail, and it does this by setting you up to do it via IMAP.

imap.mail.aol.com

(Yes, I'm an AOL employee)

Re:What about mail?

Not to mention that AOL never supported Windows NT because they couldn't figure out how to install their stupid AOL Adapter TCP shunt thing.

AOL 5 runs fine on NT 4.0. AOL doesn't support it, but it works. The last time I called their tech support (last Spring,) they said they'd have a specific NT client out by now. I haven't seen it and don't know that the world really needs it since AOL 5 works fine. I also bitched about the lack of a Linux client and the support person told me that they thought one was going to be released, but I haven't seen that, either. I figure it's either vaporware or someone changed their mind.

AOL's mail service is terrible but a lot of people don't want to change their e-mail addresses.

AOL is also one of the few IPs who allow multiple users per account (although only one can be signed on at a time.) With five people in my house (all of whom have e-mail accounts,) I'd pay $100 per month for separate unlimited access accounts for everyone. With AOL, it's just $23 per month. Pure economics. Another reason for AOL accounts is their great worldwide POP network. We keep several AOL accounts for traveling salespeople and executives because we know they can find a local POP to dial into from just about anywhere they happen to be: London, Munich, Mexico City, and almost anywhere in the US. It beats the heck out of paying ruinous hotel long distance charges, or the '800' AOL line surcharge. And really beats the crap out of talking a marketing manager through whatever weird TCP/IP setup a local provider in Back Woods, Ontario needs for a local ISP connection over the phone on Sunday evening. :)

Finally, you no longer need the AOL mail client to send/receive AOL e-mail, you can use practically any web browser. Just point to www.aol.com and sign in to your AOL account, then click the mail icon. Presto, you're there. It's all web-r-ized. Webbified. Whatever.

Why do you think that is?

A shame that AOL doesn't make this kind of information more easily available.

A large amount of AOL's income is from advertisements. You're bombarded by them from the second you sign on, in every window you open, till you sign off. Salon might have adopted the mandatory ad viewing my friend, but they didn't invent it. AOL has been using these for years. Subscribers are forced to view several ads of "special offers" before they can even begin to navigate through the "service." It's like playing Where's Waldo trying to find the Close button on some of these windows. AOL doesn't want third parties designing software to be used on their networks because it would be detrimental to their advertising income. Fewer members using their software translates into fewer eyes viewing their ads, which reduces the value of their ad space. It's a safe bet that AOL will do everything in its power to ensure that people continue to use its software.

AOL has one good feature

As a single person without children I've never had any desire to use AOL, but I know lots of AOL users. There is at least one good reason to use AOL. Years ago internet access was $20/month and that gave you one email account. Meanwhile, AOL gave allowed you to create many accounts. Which is the better choice for a family with several children? One account shared between mom, dad, and all the kids, multiple accounts with some (possibly outrageous) surcharge per POP account, or one AOL account with lots of screen names?

Even now, most ISPs will give you a couple of POP mailboxes for $15-$20/month, but few if any provide the ease and convenience of creating new "screen names" that AOL provides. Try telling a 12-16 year old girl that she can't change her screen name to avoid some pre-pubescent geek who's harrasing her via email.

Here's the simplified version:

Here is the simplified version of the protocol:

void AOL()
{
while(connected)
{
send_advertisements();
monitor_browsing_habits();
monthly_fee++;
if(bandwith_to_spare)
send_internet_data();
}
return;
}

This doesnt solve the problem . . .

A bunch of clone clients have been trying to get hooks in for years to no constructive end because AOL actively tried to BLOCK other clients from connecting. If I remember correctly Jabber and MSN had it working for a while until AOL forced them out by altering the protocol. Most lately I believe they've been doing it with executable checksums. We might have figured out the protocol, but theyre just going to change it up again as soon as foreign clients start connecting in large numbers.

Some old coverage of this [zdnet.com] can be found at ZD. Theyve got a whole site called "InstantMess" that talks about how AOL refuses to discuss an open format because they want to lock users into their app.

Recently Trillian (www.trillian.cc) [trillian.cc] has succesfully done it. I think they got around it by using whatever method the JAVA aol clients (AIM express, Quickbuddy) [aol.com].

Id love to see an open standard, but without AOL on board its useless. Its sad really - that the unwashed masses are dictating the standard for the rest of us.

ROck On

I can't wait for the first Linux-client. Why?

The only thing about AOL that's worth anything are the chatrooms. Unlike IRC, you can actually meet real, low-self-esteemed, fat chicks who'll put out for anyone willing to pretend to listen to them whine about how no one likes them.

I'd better stock up on condoms and twinkies, big dog is gettin' let out of the house...

This is gonna rock.

(710)123-4567 is my phone line.
(456)123-4567 is an AOLnet dialin. Numbers mutilated to protect the guilty, of course. A few years and many many area code splits ago, we were all one code. More than a few lusers are confused by Windows' concept of "dialing location" and area code settings, and apparently more than a few of them are AOLers.

I get silent phone calls all the time, sometimes several in a row. Without fail, if I answer with a carrier, they connect.

Sometimes if I send "login:" they talk back. I've never bothered to get farther than that.

I've long dreamed of hacking up a barebones AOL emulator, just enough to push them a page that says "You dumbass, your area code settings are fux0red!" and then play some fart noises before dropping them.

Yeah, this is gonna rock. Not only do I get to fuck with their heads, but I get a free supply of AOL l:/p: pairs delivered to my desktop! Never know when those might come in handy.