Firefox Privacy

ISP Is Bypassing Firefox's Location Bar Search 385

It was only a matter of time before ISPs began doing more than just redirecting failed DNS requests to their own pages. An anonymous reader writes "It looks like the largest ISP in Hong Kong has started bypassing search results from Firefox's location bar (which typically uses Google), forcing their own search provider (yp.com.hk) onto their users. ... Can an ISP just start re-directing search traffic at will?"
This discussion has been archived. No new comments can be posted.

  • Why? (Score:1, Informative)

    by B5_geek ( 638928 ) on Wednesday April 28, 2010 @11:09AM (#32015152)

    For the love of $deity why would _anybody_ still be using the DNS server that their ISP provides?
    Ignoring the multiple FREE DNS providers out there, it is trivially easy to set up your own caching DNS server regardless of the OS platform you use.

    With the abundance of 'old' computers that most people upgrade from, it should be standard practice to set up an old box as a firewall/DNS server.

  • Re:Man in the Middle (Score:3, Informative)

    by Nadaka ( 224565 ) on Wednesday April 28, 2010 @11:11AM (#32015200)

    You can try. It might even work this time. But they can also choose to misdirect the request based on the IP address because they literally are the man in the middle, your traffic must pass through their routers.

  • Re:MitM of Google (Score:4, Informative)

    by yakatz ( 1176317 ) on Wednesday April 28, 2010 @11:13AM (#32015238) Homepage Journal
  • Re:Sure they can (Score:5, Informative)

    by Bryansix ( 761547 ) on Wednesday April 28, 2010 @11:15AM (#32015306) Homepage
    This IS Slashdot, right? Let's look at the technical limitations here. As long as your ISP does not block DNS requests then you can use any DNS provider you want and therefore bypass any redirection. If an ISP started blocking the use of other DNS servers then I'd say it's time to jump ship.
  • Re:Sure they can (Score:5, Informative)

    by Cryonix ( 1234264 ) on Wednesday April 28, 2010 @11:16AM (#32015310)
    My US ISP recently started doing this (windstream.com). This was done without any real notice and turned on by default. Granted, there is a link in the redirected search results to turn it off.
  • by sam0737 ( 648914 ) <samNO@SPAMchowchi.com> on Wednesday April 28, 2010 @11:26AM (#32015510)

    It's PCCW. What I have heard is they are hijacking NXDOMAIN, but not sure about redirecting the location bar. Maybe Firefox will try to look up the domain for a single-name hostname, hence giving an impression that it redirects if your "search term" is just one word.

  • Re:Sure they can (Score:5, Informative)

    by Eponymous Coward ( 6097 ) on Wednesday April 28, 2010 @11:29AM (#32015546)

    They don't block DNS requests, they just send all port 53 traffic to their DNS server.

    There are a lot of areas with a single good internet option (where 'good' means decent bandwidth and latency). Jumping ship may not be a realistic option.

  • Re:MitM of Google (Score:3, Informative)

    by Sir_Lewk ( 967686 ) <sirlewk@gCOLAmail.com minus caffeine> on Wednesday April 28, 2010 @11:29AM (#32015550)

    Thank [deity].

    I saw that this article was tagged "opendns" and for a moment thought with horror that people were tagging it that as a kind of suggestion that using OpenDNS was a solution to this. It seems like every single fucking time an article comes up about ISPs doing something wrong (generally messing with NXDOMAIN) people come out of the woodwork to suggest using OpenDNS, even though they do the exact same thing and there are plenty of perfectly standards-compliant and free DNS providers to choose from.

    Your link is actually incredibly relevant, thanks.

  • Re:MitM of Google (Score:3, Informative)

    by nweaver ( 113078 ) on Wednesday April 28, 2010 @11:30AM (#32015564) Homepage

    The EICAR test "virus" is used to see if you have working AV which is blocking threats that are downloaded from the network.

    Please see the FAQ [berkeley.edu].

  • by jimicus ( 737525 ) on Wednesday April 28, 2010 @11:33AM (#32015628)

    Indeed, the poster only discusses what happens when he puts the name of a website into Firefox's address bar. By default, that will carry out a DNS lookup and if that lookup fails, Firefox will redirect to a Google "I'm feeling lucky" result.

    Lots of ISPs are intercepting failed DNS requests and injecting their own ad page, there's usually a way to bypass this.

  • by nweaver ( 113078 ) on Wednesday April 28, 2010 @11:34AM (#32015654) Homepage

    What firefox does is first try to do DNS lookups for:
    foo
    foo.com
    www.foo.com

    before launching the google search.

    Thus NXDOMAIN wildcarding (which is unfortunately growing very common, distressingly so in our data) will mess up the firefox behavior by causing one of the three names to resolve to the "helpful" search page belonging to the ISP.
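The effect described in the comment above, as an added example that is not part of the original thread: the three location-bar lookups are run against an honest resolver and against one that wildcards NXDOMAIN, and a random-label probe detects the wildcarding. The resolver functions, the sample zone and the address 203.0.113.7 are constructed; `system_resolver` is what you would pass in to check a live connection.

```python
import secrets
import socket


def candidates(term):
    """Names the comment says Firefox tries for a one-word entry."""
    return [term, term + ".com", "www." + term + ".com"]


def location_bar(term, resolve):
    """Return ('navigate', name, addr) for the first name that resolves,
    else ('search', term, None): the fall-through to the search engine."""
    for name in candidates(term):
        addr = resolve(name)
        if addr is not None:
            return ("navigate", name, addr)
    return ("search", term, None)


def detect_wildcarding(resolve, probes=4):
    """Resolve random names that cannot exist. An honest resolver answers
    NXDOMAIN (None here) for all of them; any address that comes back is a
    wildcard target. Returns the sorted list of such addresses."""
    hits = set()
    for _ in range(probes):
        label = "nx-" + secrets.token_hex(12)
        for name in candidates(label):
            addr = resolve(name)
            if addr is not None:
                hits.add(addr)
    return sorted(hits)


def system_resolver(name):
    """Live resolver for real use: address string, or None on failure."""
    try:
        return socket.gethostbyname(name)
    except OSError:
        return None


# Constructed data for an offline run.
ZONE = {"example.com": "198.51.100.10", "www.example.com": "198.51.100.10"}
AD_SERVER = "203.0.113.7"  # constructed stand-in for an ISP search page


def honest(name):
    return ZONE.get(name)


def wildcarding(name):
    return ZONE.get(name, AD_SERVER)


if __name__ == "__main__":
    for label, r in (("honest", honest), ("wildcarding", wildcarding)):
        print(label, location_bar("privacy", r), detect_wildcarding(r))
```

With the honest resolver the word "privacy" falls through to a search; with the wildcarding one the very first lookup succeeds and the browser navigates to the injected address instead.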

  • by jimicus ( 737525 ) on Wednesday April 28, 2010 @11:35AM (#32015662)

    As a Capitalist, that really offends me. If businesses want to be treated laissez faire then they damn well better learn to make society not feel like they're a bunch of crooks who care so little about the common good that if regulators aren't going Big Brother on them every nanosecond they'll steal everything that isn't nailed down and cheat everyone who isn't paying 110% attention to every detail of their lives.

    ... which is precisely why there is regulation in every civilised society on the planet, and no such thing as a 100% capitalist society.

  • Re:VPN (Score:3, Informative)

    by poetmatt ( 793785 ) on Wednesday April 28, 2010 @11:36AM (#32015686) Journal

    Not happen, happened. Lots of ISPs worldwide, not US only, want you to have a business connection just for daring to establish a VPN connection over it. Usually it ends up being somewhere between 10 and 40$ extra a month depending on country/currency/etc to do so.

    Right now, however, in the US, Comcast is staying away from that stuff, at least temporarily. Or if they do throttle, it's on the low-end speeds. On my 22/10 they are not throttling anything, nor are they sending warnings, and I use what Comcast considers massive amounts of bandwidth per month for games/downloads/videos/Netflix (>500GB).

    Outside the US, these throttling attempts are quite regular. Especially Rogers, etc.

  • Re:VPN (Score:3, Informative)

    by coniferous ( 1058330 ) on Wednesday April 28, 2010 @11:43AM (#32015806) Homepage
    All encrypted traffic is throttled on my Canadian ISP, Rogers. Port 443, BT, VPN. It's pretty ridiculous.
  • China? (Score:4, Informative)

    by PatDev ( 1344467 ) on Wednesday April 28, 2010 @11:46AM (#32015864)
    Heck, it happens here in the USA. I'll name names too - Windstream Communications. As of a couple months ago they started redirecting our Google search bars to their custom search portal. Annoyed the hell out of me. Emailed, but apparently got dumped into the bucket of spam/"unhappy customer, please ignore".
  • by diamondsw ( 685967 ) on Wednesday April 28, 2010 @11:54AM (#32016026)

    Despite the handover in 1997, Hong Kong is still very much its own entity, sharing more in common with Seoul and Tokyo than with, say, Shanghai. They have protests, marches, and as far as I could tell the internet wasn't subject to the Great Firewall. Having been there three months ago and a wife there now, I *think* I can say that much.

  • by Anonymous Coward on Wednesday April 28, 2010 @11:58AM (#32016096)

    This isn't new, and this isn't NXDOMAIN hijacking. Windstream, a US DSL provider, was already caught red-handed doing this. Not only this but they also refuse to answer very specific questions asked (see http://www.dslreports.com/forum/r24059591-DPILayer7NXDOMAIN-Privacy-questions-re-Windstream-DSL [dslreports.com]) and provide a paper-thin excuse as to why it's happening (see http://www.dslreports.com/forum/r24074065-Our-Response-to-Redirect-Service-Concerns [dslreports.com]).

    Affected users are not using the ISP's DNS servers, this is not NXDOMAIN hijacking. This is layer 7 inspection, the sheer fact the URL was transformed, being carefully re-written, from the URI passed to 'www.google.com' discredits what Windstream has said entirely.

    When a user performs a search using the Firefox search bar against Google HTTP/1.1 is used with an HTTP method of GET against Google. The following URI is constructed:

    q=[search criteria]
    ie=[encoding]
    oe=[encoding]
    aq=
    rls=[browser]

    So, when I search against Google I pass ?q= for my search term.

    When this is redirected to searchredirect.windstream.net the URI is transformed, with the ?q= parameter being extracted. Windstream's site uses this URI structure:

    search=[search criteria]
    src=[integer value, likely points to an RDBMS based on HTTP_REFERER]

    Windstream is not disclosing the truth. For this behavior to occur you would have to be using an MITM proxy or DPI; either way they are inspecting layer 7 traffic, extracting the ?q= URI string passed to Google, and either transparently or via HTTP 302 redirecting customers to searchredirect.windstream.net

    They got caught, red-handed, and have been fabricating mis-truths from the start.

    How HTTP/1.1 GET against /search?q=my_search_term becomes /search.php?search=my_search_term without some form of Layer 7 is impossible. This CANNOT be NXDOMAIN.

    Clearly they're not disclosing the full details or hiding behind careful sentence structure and semantics. This appears that there is now an industry initiative and a company behind this search harvesting and privacy invasive technology which is being sold to ISPs. Expect more to come, this isn't isolated to overseas, it's already happening right here in the US.

    -SirMeowmix_I
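The distinction drawn in the comment above, as an added example that is not part of the original thread: a classifier for one observed HTTP exchange that flags a redirect to a different host which carries the search term under a new parameter name. The hostnames and paths are the ones quoted in the comment; the `ie`/`oe` values, the `src=1` value and the `portal.isp.example` host are constructed.

```python
from urllib.parse import urlsplit, parse_qs

REDIRECTS = (301, 302, 303, 307, 308)


def classify_search_response(request_url, status, location=None, term_param="q"):
    """Classify one observed exchange for a search request.

    Returns (verdict, param) where verdict is one of:
      'direct'             - the response is not a redirect
      'same-site-redirect' - the redirect stays on the requested host
      'off-site-redirect'  - another host, search term not carried over
      'query-rewrite'      - another host AND the search term reappears in
                             its query string; producing that requires
                             reading the HTTP request itself (layer 7)
    and param is the parameter name the term was moved to, if any.
    """
    req = urlsplit(request_url)
    terms = parse_qs(req.query).get(term_param, [])
    if status not in REDIRECTS or not location:
        return ("direct", None)
    loc = urlsplit(location)
    # A relative Location has no hostname and stays on the requested host.
    if (loc.hostname or req.hostname) == req.hostname:
        return ("same-site-redirect", None)
    for name, values in parse_qs(loc.query).items():
        if terms and terms[0] in values:
            return ("query-rewrite", name)
    return ("off-site-redirect", None)


def flag_rewrites(exchanges):
    """Return the Location of every exchange classified as a query rewrite."""
    return [loc for url, status, loc in exchanges
            if classify_search_response(url, status, loc)[0] == "query-rewrite"]


# Constructed capture: (request URL, response status, Location header).
REQUEST = "http://www.google.com/search?q=my_search_term&ie=utf-8&oe=utf-8"
CAPTURE = [
    (REQUEST, 200, None),
    (REQUEST, 302, "/search?q=my_search_term&hl=en"),
    (REQUEST, 302, "http://portal.isp.example/landing"),
    (REQUEST, 302,
     "http://searchredirect.windstream.net/search.php?search=my_search_term&src=1"),
]

if __name__ == "__main__":
    for url, status, loc in CAPTURE:
        print(status, loc, classify_search_response(url, status, loc))
```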

  • Re:Sure they can (Score:1, Informative)

    by Anonymous Coward on Wednesday April 28, 2010 @11:59AM (#32016130)

    I would fear that this is a sort of precursor towards ISPs in China

    Do not confuse "Hong Kong" with "China". Hong Kong is a "special administrative region", and there are very different legal rules and power structures in both places due to how the place developed as a British territory. At least until 2047, anyway.

    If you were watching the Google/China drama just a short while back this distinction came up frequently, particularly when it came time for Google to move their servers from mainland China... To Hong Kong.

  • Re:MitM of Google (Score:3, Informative)

    by jank1887 ( 815982 ) on Wednesday April 28, 2010 @12:01PM (#32016174)

    a fair followup to show that mainly OpenDNS was just trying to fix what google/dell/others? broke:
    http://blog.opendns.com/2007/05/22/google-turns-the-page/ [opendns.com]

  • by nweaver ( 113078 ) on Wednesday April 28, 2010 @12:05PM (#32016242) Homepage

    A: If the ISP is good, they have an opt-out to a non-wildcarding DNS server.

    B: If the ISP is not, I hate to say it but use Google Public DNS (8.8.8.8 and 8.8.4.4), as they don't wildcard or do anything beyond use the DNS information for data-mining purposes.

    I'd personally STRONGLY AVOID OpenDNS, which does lots of bad things to DNS: NXDOMAIN wildcarding ANY address (not just www. addresses), SERVFAIL wildcarding, wildcarding addresses which HAVE valid records but just no A record, and even man-in-the-middling Google!

  • Re:Nope (Score:3, Informative)

    by ffreeloader ( 1105115 ) on Wednesday April 28, 2010 @12:10PM (#32016332) Journal

    Get a grip. Don't demean the sacrifices made at Tiananmen Square with this far less serious bad behavior on the part of my ISP. The two situations aren't slightly close to being moral equivalents.

  • Re:Nope (Score:2, Informative)

    by fmoliveira ( 979051 ) on Wednesday April 28, 2010 @12:20PM (#32016524)
    Great, your ISP has a local office you can complain to. Where I live (Brazil) all you have is a shitty 0800 that has no shame to hang up when you try to cancel their services or anything they don't like. (You have to sue to make some providers stop sending their bills and ruining your crediting when you stop paying here).
  • by griffinn ( 240043 ) on Wednesday April 28, 2010 @12:24PM (#32016586)

    Confirmed this with a few of my friends who are using PCCW Netvigator. I have the same ISP, but use OpenDNS, so haven't noticed anything was amiss for some time.

  • by sydneyfong ( 410107 ) on Wednesday April 28, 2010 @12:24PM (#32016592) Homepage Journal

    (This is also a single post on a forum from one user... ;-p)

    I'm in Hong Kong and I use that ISP mentioned in the article at home.

    Never noticed the change because I've set my DNS servers to google's, but now that I test it out, my ISP's servers do seem to be returning 203.198.80.* in place of NXDOMAIN.

    Fuck.

  • Re:China? (Score:1, Informative)

    by Anonymous Coward on Wednesday April 28, 2010 @12:27PM (#32016680)

    Windstream pissed me off too. They do, however, provide a link on the redirected results to "opt out" and opting out does actually work.

  • Re:VPN (Score:3, Informative)

    by Lumpy ( 12016 ) on Wednesday April 28, 2010 @12:32PM (#32016744) Homepage

    I have my VPN port at home on port 80. It is the best way to bypass firewalls at work and other places.

    Works great. You can run your VPN software from a thumb drive and Firefox as well. Do your surfing over it and the IT BOFHs can't detect or prevent a thing.

    I pointed this out once as an IT manager, "isn't it easier to educate the users about safety? any fool can vpn out port 80 and bypass all our security."

    I had several IT consultant "gurus" stutter and almost foam at their mouth because they just proclaimed their new firewalls as unbreakable and it was impossible for anyone to get unwanted files through it.

  • Re:Sure they can (Score:5, Informative)

    by wvmarle ( 1070040 ) on Wednesday April 28, 2010 @12:32PM (#32016760)

    Like another poster also pointed out: Hong Kong is not China. It is politically part of China, but for all practical reasons it acts as a different country (and you as not being involved in the world political stage should simply consider it as such, much closer to the everyday reality):

    Separate currency, the Hong Kong dollar, linked at 7.8 to the US dollar and fully convertible (can't say that of the yuan).

    Borders with China. I am Hong Kong resident, and still need to buy a visa to enter China.

    Hong Kong is a free port for import and export of goods and services. China is pretty thoroughly locked down, import duties of goods to China are huge. Really.

    Hong Kong has an open, accountable judiciary, with a strong respect for the rule of law. The exact opposite of the other side of the border.

    Hong Kong has press freedom, and not just official.

    Hong Kong people have the right to demonstrate, and do so. In 2003, half a million people took to the streets - or about 7% of the total population. It sent shock waves throughout the country, all the way to Beijing. Something like that would never be allowed in China.

    And last but not least Hong Kong has the permission from Beijing's overlords to move towards full democracy.

  • Re:Sure they can (Score:4, Informative)

    by Bigjeff5 ( 1143585 ) on Wednesday April 28, 2010 @12:34PM (#32016796)

    Nope, sure doesn't. And they can sniff out a DNS request even if you find a DNS host that was amenable to using another port.

    So what you really need is a DNS service that sends and receives encrypted requests over a non-standard port.

    Then you can get around it. Hosting your own DNS does no good, as it still comes through your ISP's DNS first. Hard-coding Google's IP address would work short term for Google search, but if it catches on they'll just start redirecting all Google traffic instead of just DNS requests.

    My host only reroutes failed DNS requests to their own shitty search, but it's still annoying as hell.

  • Re:Sure they can (Score:4, Informative)

    by andymadigan ( 792996 ) <amadigan@nOSpaM.gmail.com> on Wednesday April 28, 2010 @12:59PM (#32017284)
    My ISP (Frontier) was doing this as well, even worse, when you opted out you still actually got the wrong response from DNS, it would detect your browser and give back an error page that looked similar, but not quite the same (at least that's what it did for Firefox). I noticed because the error page looked a little different and the URL was clearly wrong. I ended up switching to Google DNS until my contract was up, and then switching to the local cable monopoly (I suppose they do something similar, but I haven't noticed since I'm still using Google).

    However, I'm obviously a lot more technically savvy than the average user, or even the average tech support person (they couldn't understand the problem). ISPs shouldn't be doing this, router manufacturers should start shipping their products to default to Google DNS, it's faster anyway.
  • Re:Sure they can (Score:5, Informative)

    by icebraining ( 1313345 ) on Wednesday April 28, 2010 @01:12PM (#32017514) Homepage

    DNSSEC prevents tampering, if I understand it right. If you request an answer from server X, the client won't accept a server from any other server, thus preventing man-in-the-middle attacks like this.

    Alternatively, you can redirect all or part of the traffic through a VPN or secure proxy. Even Tor, if you compensate the long delays with some DNS caching, as provided by pdns or other caching server (even if you don't need it, it's awesome, I tell you! Every request after the first takes 0ms).

  • by nweaver ( 113078 ) on Wednesday April 28, 2010 @01:19PM (#32017620) Homepage

    Q: What's to stop your ISP from redirecting all outgoing packets to port 53 to their own DNS server?

    A: If an ISP does this, we'd detect it: that's one of the tests we check for explicitly in Netalyzr: we send raw DNS requests directly to our server and ensure that they are not intercepted or proxied or modified on the way.
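A simpler, client-only variant of the check described above, as an added example (not Netalyzr's code and not its method): instead of a measurement server, it sends a raw DNS query to an address assumed to run no DNS service and treats any matching answer as interception of port 53. The target 192.0.2.1 (TEST-NET-1, RFC 5737) and the function names are assumptions of this example.

```python
import secrets
import socket
import struct


def build_query(name, txid=None):
    """Raw DNS query for an A record: 12-byte header plus one question."""
    txid = secrets.randbelow(1 << 16) if txid is None else txid
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, QDCOUNT=1
    labels = name.strip(".").split(".")
    qname = b"".join(bytes([len(p)]) + p.encode("ascii") for p in labels)
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # A, IN


def parse_header(packet):
    """Return (txid, is_response, rcode, answer_count) from a DNS packet."""
    if len(packet) < 12:
        raise ValueError("short DNS packet")
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", packet[:12])
    return txid, bool(flags & 0x8000), flags & 0x000F, an


def judge(query, reply):
    """Interpret the reply to a query sent to an address with no DNS server.
    None (timeout) is the expected outcome; a response carrying our
    transaction ID means something on the path answered port 53 for it."""
    if reply is None:
        return "no answer: no interception seen on this path"
    try:
        txid, is_response, rcode, answers = parse_header(reply)
    except ValueError:
        return "unparseable reply"
    if is_response and txid == parse_header(query)[0]:
        return "intercepted: rcode=%d answers=%d" % (rcode, answers)
    return "unrelated packet"


def probe(name, server="192.0.2.1", timeout=3.0):
    """Live check against an address assumed to host no DNS server."""
    query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(query, (server, 53))
            reply, _ = s.recvfrom(512)
        except OSError:  # timeout or unreachable: nothing answered
            reply = None
    return judge(query, reply)
```

A timeout only shows that this one destination was not answered for; an interceptor that redirects traffic for selected resolver addresses only would not be caught by this probe.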

  • by Fallen Kell ( 165468 ) on Wednesday April 28, 2010 @01:40PM (#32018026)
    Actually this has everything to do with network neutrality. The ISP went into a business relationship with a search engine and then changed all the DNS entries to redirect all traffic from all other search engines to the one they have a business relationship with. That isn't a "hacked" connection, that was packet re-prioritization at the ultimate level. Instead of sending the packets to where the user wanted, the ISP sent them to their own service to make more money from their services (thru ads etc.), and away from a competing service. That is the very definition of a NON-neutral net, since they are being HOSTILE to other networks and services.
  • Re:Sure they can (Score:3, Informative)

    by digitalunity ( 19107 ) <digitalunityNO@SPAMyahoo.com> on Wednesday April 28, 2010 @04:43PM (#32021262) Homepage

    Kind of a technicality really. The existing laws granting FCC authority just don't spell it out. A forgiving interpretation of the intent of the law leads me to believe Congress did intend for the FCC to regulate all activities of companies using government-granted monopolies.

    The free market is powerless in a pseudo-monopolistic environment. Companies(and I mean specifically Qwest, Comcast, AT&T Wireless, AT&T, Sprint, Verizon Wireless and others) have shown and will continue showing that they are unable to provide a service consumers want without applying unscrupulous terms, practices, price gouging, or without violating privacy of their customers.

    Congress needs to get this figured out. Consumers don't have many broadband choices and the companies in the market now are abusive bullies.

  • Re:Sure they can (Score:3, Informative)

    by Bakkster ( 1529253 ) <Bakkster@man.gmail@com> on Wednesday April 28, 2010 @05:34PM (#32022182)

    My understanding of the issue is that telcos are alternating between how they are classified. First, they wanted to be classified in such a way that they could receive gov't grants to build infrastructure. Then to reclassify so they do not need to license their infrastructure to competitors. Then to reclassify to avoid FCC regulation.

    I agree, Congress needs to get their heads out of their asses. They either need to be regulated, or forced to compete.
