zx23 blog

Why Is LastPass Hitting Our Webserver?

I occasionally leave varnishlog running after testing / debugging our webstack / webapp configuration and every once in a while I spot an interesting request coming in. Here’s one:

6 SessionOpen  c 38.127.167.46 47322 x.x.x.x:80
6 ReqStart     c 38.127.167.46 47322 319643459
6 RxRequest    c HEAD
6 RxURL        c /
6 RxProtocol   c HTTP/1.0
6 RxHeader     c Host: mail.example.com
6 RxHeader     c Accept: text/html, text/plain, text/css, text/sgml, */*;q=0.01
6 RxHeader     c Accept-Language: en
6 RxHeader     c User-Agent: Lynx/2.8.8dev.9 libwww-FM/2.14 SSL-MM/1.4.1 GNUTLS/2.12.14

Reverse DNS lookup on the source IP tells us it belongs to LastPass:

% dig -x 38.127.167.46 +short
38.127.167.46.LastPass.com.

So, why are LastPass making HEAD requests to our webserver, with Lynx?
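The snippets above are the manual version of a check worth automating: group the varnishlog records into one request per ReqStart, flag requests whose method, protocol and User-Agent look like a scripted client rather than a browser, and only then spend a PTR lookup on the source address. The following Python script is an added example and not part of the original post; it parses the Varnish 3.x `Rx*` tag format shown above, uses the post’s own log lines as sample input, and takes the reverse-DNS resolver as a parameter so it can run offline (the `NON_BROWSER_UA_TOKENS` list and the two-reason threshold are hypothetical tuning values, not anything the post or Varnish define).

```python
import re
import socket

# Sample varnishlog records (Varnish 3.x client-side tags), copied from the post above.
SAMPLE_LOG = """\
6 SessionOpen  c 38.127.167.46 47322 x.x.x.x:80
6 ReqStart     c 38.127.167.46 47322 319643459
6 RxRequest    c HEAD
6 RxURL        c /
6 RxProtocol   c HTTP/1.0
6 RxHeader     c Host: mail.example.com
6 RxHeader     c Accept: text/html, text/plain, text/css, text/sgml, */*;q=0.01
6 RxHeader     c Accept-Language: en
6 RxHeader     c User-Agent: Lynx/2.8.8dev.9 libwww-FM/2.14 SSL-MM/1.4.1 GNUTLS/2.12.14
"""

# One varnishlog record looks like: <fd> <Tag> <c|b> <payload>
LINE_RE = re.compile(r"^\s*(\d+)\s+(\w+)\s+([cb])\s*(.*)$")

# Hypothetical list of User-Agent substrings that indicate a text-mode or scripted
# client rather than an ordinary browser; tune this to your own traffic.
NON_BROWSER_UA_TOKENS = ("lynx/", "libwww", "curl/", "wget/", "python-requests/", "go-http-client/")


def parse_varnishlog(text):
    """Turn client-side varnishlog records into one dict per request.

    A request starts at ReqStart (client IP, port, transaction id) and collects the
    RxRequest / RxURL / RxProtocol / RxHeader records that follow it. Backend-side
    records (side 'b') and records seen before any ReqStart are ignored.
    """
    requests = []
    current = None
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        fd, tag, side, payload = m.groups()
        if side != "c":
            continue
        if tag == "ReqStart":
            ip, port, xid = payload.split()[:3]
            current = {"fd": fd, "client_ip": ip, "client_port": int(port), "xid": xid, "headers": {}}
            requests.append(current)
        elif current is None:
            continue
        elif tag == "RxRequest":
            current["method"] = payload
        elif tag == "RxURL":
            current["url"] = payload
        elif tag == "RxProtocol":
            current["protocol"] = payload
        elif tag == "RxHeader":
            name, _, value = payload.partition(":")
            current["headers"][name.strip().lower()] = value.strip()
    return requests


def classify(req, resolve=None):
    """Collect reasons a request looks automated; resolve the client's PTR only when
    a resolver is supplied and the request is worth the lookup."""
    reasons = []
    ua = req.get("headers", {}).get("user-agent", "")
    if req.get("method") == "HEAD":
        reasons.append("HEAD request")
    if req.get("protocol") == "HTTP/1.0":
        reasons.append("HTTP/1.0")
    if any(tok in ua.lower() for tok in NON_BROWSER_UA_TOKENS):
        reasons.append("non-browser user agent: " + ua)
    rdns = None
    if resolve is not None and len(reasons) >= 2:
        try:
            rdns = resolve(req["client_ip"])
        except OSError:  # no PTR record, or resolver unreachable
            rdns = None
    return {"client_ip": req.get("client_ip"), "rdns": rdns, "reasons": reasons}


def reverse_dns(ip):
    """Live PTR lookup, the equivalent of `dig -x IP +short`; pass this as `resolve`
    when you actually want network access."""
    return socket.gethostbyaddr(ip)[0]


def triage(text, resolve=None):
    """Return the verdicts for requests that match at least two of the heuristics."""
    verdicts = []
    for req in parse_varnishlog(text):
        verdict = classify(req, resolve)
        if len(verdict["reasons"]) >= 2:
            verdicts.append(verdict)
    return verdicts


if __name__ == "__main__":
    # Offline run: a dict stands in for DNS, holding the PTR answer quoted in the post.
    fake_ptr = {"38.127.167.46": "38.127.167.46.LastPass.com."}
    for verdict in triage(SAMPLE_LOG, resolve=fake_ptr.get):
        print(verdict)
```

Run it against a saved `varnishlog` capture by reading the file into `triage()`, and swap `fake_ptr.get` for `reverse_dns` once you are happy to do live lookups. The threshold matters: a lone HEAD request or a lone HTTP/1.0 request is common enough from monitoring probes that flagging on one signal would bury the interesting cases, which is why the lookup is only spent when two signals coincide.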

Nothing turns up in the few minutes I spent searching the Internet for similar reports. A post-Heartbleed post on the LastPass blog announces a new feature in the Security Check tool, which LastPass users can run to automatically see whether any of their stored sites and services were “1) Affected by Heartbleed, and 2) Should update their passwords for those accounts at this time”. That suggests LastPass is checking web server headers and certificate issue dates (either on demand or by crawling around), but it can’t be what we’re seeing here: the request in question was made over plain HTTP and didn’t follow the 301 redirect to HTTPS that the webserver issued.

To be continued?
