Widespread Hijacking of Search Traffic In the US
Peter Eckersley writes "The Netalyzr research project from the ICSI networking group has discovered that on a number of U.S. ISPs' networks, search traffic for Bing, Yahoo! and sometimes Google is being redirected to proxy servers operated by a company called Paxfire. In addition to posing a grave privacy problem, this server impersonation is being used to redirect certain searches away from the user's chosen search engine and to affiliate marketing programs instead. Further analysis is available in a post at the EFF."
Use HTTPS (Score:5, Informative)
Or, if you don't like Google, use DuckDuckGo [duckduckgo.com], which uses HTTPS by default with no need for a browser extension.
Comment removed (Score:5, Interesting)
Re:Use HTTPS (Score:4, Informative)
Sure, there are benefits, but as always, TANSTAAFL.
- https does incur overhead and higher CPU usage on both ends, so it will be slower.
- It will defeat most of the benefits of running local caching proxy servers (come on, this is /., surely I'm not the only one with a proxy array at home?)
- Some sites serve different content on the http and https sites.
- A few even redirect the https to http (to save themselves cycles and bandwidth, while not losing the visitor).
Re:Use HTTPS (Score:4)
- https does incur overhead and higher CPU usage on both ends, so it will be slower.
Firstly, this overhead is manageable. You do not have to be Google to run all your content over HTTPS. Secondly, apparently encrypting every single connection is a necessity of the times to prevent assholes from hijacking traffic, so that overhead is simply the necessary cost of interacting safely over the Internet.
- It will defeat most of the benefits of running local caching proxy servers (come on, this is /., surely I'm not the only one with a proxy array at home?)
I do not know a single person who runs a proxy at home.
- Some sites serve different content on the http and https sites.
- A few even redirect the https to http (to save themselves cycles and bandwidth, while not losing the visitor).
You can disable individual rules. Over time those websites will have to stop doing those things or they will lose visitors.
Re:Use HTTPS (Score:5, Funny)
I do not know a single person who runs a proxy at home.
You should get out more, or stay in more. I'm not sure which one applies here.
HTTPS requires an IP address per domain (Score:2)
You do not have to be Google to run all your content over HTTPS.
But you do pay more per month for hosting if you run your hobby site on HTTPS. Name-based virtual hosting of HTTPS sites requires SNI, but Internet Explorer on Windows XP doesn't support SNI, nor does Android 2.x. So until IE on XP passes out of use and Android 4 (Ice Cream Sandwich) has been out for a couple years, HTTPS will still need a dedicated IPv4 address per certificate, which in practice means per domain. And now that all the /8 blocks are used up, hosting providers such as Go Daddy have started to
Re: (Score:2)
Now you know of at least one.
Privoxy blocks things that Adblock misses.
Re: (Score:2)
Re: (Score:2)
Over time those websites will have to stop doing those things or they will lose visitors.
Like google, you mean? Their https://www.google.com/ [google.com] is a redirect to a site with less functionality than http://www.google.com/ [google.com]
I bet they are bleeding visitors right and left over that one...
Re: (Score:2)
I do, and I use it to block both certain sites (advertising and tracking networks) and headers (referrer header is blocked, with a list of exceptions for sites that won't work without it).
Re: (Score:2)
https does incur overhead and higher CPU usage on both ends, so it will be slower.
Yeah, my quad-core really bogs down when I use https on a connection which can transfer as much as a few hundred kbytes per second..
Re: (Score:3)
Just because you don't notice something doesn't mean it isn't there.
http://serverfault.com/questions/43692/how-much-of-a-performance-hit-for-https-vs-http-for-apache [serverfault.com]
http://www.semicomplete.com/blog/geekery/ssl-latency.html [semicomplete.com]
Re: (Score:2)
One that I don't even notice on my PDA...
There's a little more lag but that's happening on the server side.
Re: (Score:2)
come on, this is /., surely I'm not the only one with a proxy array at home?
You on dial-up or something? I just let my browser cache do the work (RAM cache only, I always disable disk caching to defeat Evercookies).
Re: (Score:2)
You on dial-up or something? I just let my browser cache do the work (RAM cache only, I always disable disk caching to defeat Evercookies).
No, load balanced Cable+DSL.
According to my local statistics, it saves around 20% bandwidth and increases page load speed around 30% (this is higher because there's a lot of tiny requests going back and forth to servers, where latency is the killer, not the bandwidth). That's significant. And it's also an average - for certain sites, the benefits are much larger.
There are some immediate benefits too, like when someone else in the household IMs me a link, and it pops up instantaneously because all the elem
Re: (Score:2)
Do you have browser caching turned off or something, or do you just browse so freaking much your browser cache is overflowing regularly?
You're right on automatic updates, but being that you can just schedule them for a time when your lines aren't busy, which seems a whole lot simpler than setting up a proxy.
I find your numbers suspect. Perhaps in a large enough household, with a bunch of facebook users or something where you guys visit the same set of sites, but in my house, which is small with only 2 perm
Re: (Score:2)
The easiest is to pick up a dual wan router, which will do the load balancing for you. Something like a SYSWAN SW24 would probably work. Some firewalls, like WatchGuard and Cisco also have dual or quad WAN ports, and can be set up for load balancing, but they are going to be more expensive.
Alternatively, you can set up a linux box with multiple network cards to do the job for you.
http://lartc.org/howto/lartc.rpdb.multiple-links.html [lartc.org]
Re: (Score:2)
- I will defeat most of the benefits of running local caching proxy servers (come on, this is /., surely I'm not the only one with a proxy array at home?)
This is slashdot, those of us with proxies at home can make them work with https if we wanted them to.
Re: (Score:2)
- I will defeat most of the benefits of running local caching proxy servers (come on, this is /., surely I'm not the only one with a proxy array at home?)
I think you'll find the percentage pretty low, the only people who do it really are those with more time than money, as in most cases it offers very little benefit.
My browser caches pretty well on its own, there are 2 people in my house, me and my wife. We view pretty much 0 related content on the web with the exception of photos ... which are served locally anyway. A cache proxy is going to get almost 0 cache hits in normal usage, except for that one time when I happen to look at an old reference manual
Re: (Score:2)
Running a cache proxy at home is something you do when you don't have a real job and want to futz around in your free time, maybe learn about it so you can use it at a job and make yourself more valuable.
If you have one machine running as a home server, it's trivial. My box handles a plethora of little tasks that can be centralized: file server, web server, torrent box, machine to run Linux X11 apps from in OS X or even iOS, web cache, home DNS and forwarding, BOINC, backup server . . .
The rest of us however, don't have time to set it up
sudo apt-get install squid
Make a few changes to squid.conf and you're done. You might not find it worthwhile, but others who're already running a little home server might as well.
Re: (Score:2)
HTTPS Everywhere only works with sites that support HTTPS. If you want to really be safe on WIFI* use a VPN, or set up a quick socks proxy with 'ssh -D'.
*notice that even encrypted WIFI isn't safe. Anyone with access to the encrypted network can eavesdrop on your packets
Re: (Score:2)
HTTPS/SSL is a good solution (Score:2)
Assuming you have a browser capable of secure renegotiation (not IE on XP or older), your ISP would have to set up a certificate authority and someone would have to add the certificates into your browsers to bypass the giant red warnings.
Re: (Score:2)
You actually run those disks? I have never heard of someone who knows computers actually running them.
Re: (Score:2)
They could do an SSL MITM attack, I doubt their buddies in the government would mind, but to prevent that you could use Perspectives. [perspectives-project.org]
MITM in the hosting provider's ISP (Score:2)
Re: (Score:2)
Well, assuming the ISP hasn't set up a set of fake Perspectives project pages to serve you a tampered version to give false negative results, notary servers in other locations around the world (which you connect to using encryption keys already included in the Perspectives plugin) should see a different certificate, raising a warning.
Re: (Score:2)
notary servers in other locations around the world (which you connect to using encryption keys already included in the Perspectives plugin) should see a different certificate
A web server at a hosting provider has only one connection to the Internet, namely through the hosting provider's upstream ISP. So all notary servers outside the upstream ISP's own network would see the web server through this upstream ISP, including any MITMs that the upstream ISP has installed.
Re: (Score:2)
Re: (Score:2)
Either that or get these jackasses to respect Network neutrality before the law requires them to.
So now that we can see that ISPs everywhere are interested in hijacking and intercepting your traffic for their profit (and you thought you were paying them to just give you a connection to the internet) are all those people out there on Slashdot still saying we don't need any network neutrality laws?
We live in a capitalist society and their aim is to make money in every way they can. Respect for their customer
Re: (Score:2)
I suppose it's like when Sony rootkits everybody it's just an embarrassment that they are caught doing it, but when I rootkit even one person it's a computer crime?
Re: (Score:2)
If there were a criminal investigation, it would end with the privacy agreement between the subscriber and the provider in the clause that says "subject to change without notice."
If someone else did it, it would be a crime because it would be intrusion on someone else's network.
Re: (Score:2)
Another good reason to install HTTPS Everywhere
I would also actually run a HTTPS server everywhere if I didn't have to deal with the certificate mafia, and if major browsers would silently accept self-signed without drowning the user in a storm of "RUN FOREST, RUN !!!" messages. This is currently pretty tricky to do on the browser side without opening PayPal to attack (cache the sites that use real certs ? have a hardcoded master list for first connect ?). But it would be very nice if I could publish a flag in DNSSEC that could say "This is my certifica
Re: (Score:2)
, and if major browsers would silently accept self-signed without drowning the user in a storm of "RUN FOREST, RUN !!!" messages.
Just a hint, every time you say that, it makes it very clear that you have absolutely no idea how SSL works. SSL with unverified certificates is absolutely useless, which means blindly accepting it and pretending it's okay is a lie of omission to the user; it's basically snake oil instead of something useful.
At the very minimum, the user has to be prompted to verify the unknown certificate. You must make the wording here strong enough that people GET that it's a dangerous decision. You set up a site with a s
Re: (Score:2)
Or, if you're a browser that doesn't support it, just set your default search engine to https://encrypted.google.com/#q= [google.com] followed by the query string.
Re: (Score:2)
I tried, but when I clicked install it gave me a completely useless Firefox extension. It's completely useless because I, and well, the majority of the web users, do not use Firefox. Now I realize that of the 5 big ones, my preferred browser is second to last with only 2 or 3% usage according to w3schools, but nothing for Chrome or IE either? Not even a 'go get it from your built in extension source'? Seriously?
Firefox is the new IE, people went retarded and code shit for firefox rather than remembering t
Re: (Score:2)
I had to build my own Safari version. There are some issues that prevent the EFF from standing behind an official binary; you've probably encountered info about it by this point.
Here is a link to my build, if you're willing to trust me:
http://tinyurl.com/6dul8vr [tinyurl.com]
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Remember when people moved to Google around '98 or so. The search results were nice, but the main attraction (for me) was a truly sparse layout with minimal advertising.
Now Google, in addition to appearing very nefarious, has a cluttered shithole of a layout that makes Bing attractive in comparison.
DuckDuckGo is minimal. It's not trying to be anything more than a search engine -- just like Google was in the beginning. Seems like each time I search for anything remotely obscure on Google nowadays I get an
That didn't take long (Score:2)
Site slashdotted in under 5 minutes.
Re: (Score:3)
Re: (Score:2)
Netalyzr is up for me, connecting from Washington DC starbucks, as are the EFF and New Scientist articles.
Re:That didn't take long (Score:4, Funny)
Works fine for me. I just won 2 free $250 Walmart Pirce club cards and I get 20% off my next purchase of a HiPhone 5 Nano from Somy. Pretty exciting.
Re: (Score:2)
Hah! I installed their little app and I won a FREE iPad. It's in the mail as I write this...
ISPs (Score:5, Informative)
Here is a list of the ISPs mentioned in the article:
Cavalier
Cincinnati Bell
Cogent
Frontier
Hughes
IBBS
Insight Broadband
Megapath
Paetec
RCN
Wide Open West
XO Communication
Re: (Score:2)
No Comcast? No Cox? Heck, none of the big evil corps? I am... everything I learned on /. is wrong! My world has been thrown askew!
I wonder (Score:2)
Re: (Score:2)
Re:I wonder (Score:5, Informative)
Now if only I could vote with my dollars and switch to a different ISP that hasn't done this (Charter is my other option and they "claim" to have stopped).
Why not simply plug in a different DNS instead of using their crappy one?
Google 8.8.8.8, 8.8.4.4
OpenDNS 208.67.222.222, 208.67.220.220
Verizon 4.2.2.1, 4.2.2.2, 4.2.2.3, 4.2.2.4, 4.2.2.5, 4.2.2.6 (since these are all same subnet, don't use for both primary and secondary)
You can use Google Namebench [google.com] to compare DNS speeds.
Re: (Score:2)
OpenDNS does the same thing, you tool. They at least tell you about it, but nonetheless, they do the exact same thing.
Re: (Score:2)
That's not a privacy concern... (Score:4, Insightful)
... that's a fucking computer crime.
Re:That's not a privacy concern... (Score:4, Insightful)
No no no, big corporations did this, it's just a privacy concern ^_^
Comcast (Score:2)
Re: (Score:2)
Re: (Score:2)
OpenDNS also does NXDOMAIN wildcarding.
If you want a clean public DNS, Google Public DNS is a better choice.
If you want a DNS that includes considerable filtering of known badness and other controls, at the cost of NXDOMAIN wildcarding, use OpenDNS.
Re: (Score:2)
This is available [google.com] should you wish to stop even that behavior.
Re: (Score:2)
And of course Comcast would never hijack the 8.8.8.8 and 8.8.4.4 name servers by rerouting those IPs to its own name server.
Re: (Score:2)
... and in doing so, invite all kinds of fun [slashdot.org] to the party!
In short, they would have to be stupid to do so.
Re: (Score:2)
Okay, I read through the information and went so far as to set up my laptop to use the Google public server. What's the catch? I read their write-ups about security, but frankly, I'm not a network guy and had eyes glazing fast.
If the end result is that by using 8.8.8.8 I am blocking the ability for an ISP to spoof or redirect my searches, then mission accomplished, but TANSTAAFL! What does Google get from providing this service? Better ads dollars?
Re: (Score:2)
Okay, I read through the information and went so far as to set up my laptop to use the Google public server. What's the catch? I read their write-ups about security, but frankly, I'm not a network guy and had eyes glazing fast.
If the end result is that by using 8.8.8.8 I am blocking the ability for an ISP to spoof or redirect my searches, then mission accomplished, but TANSTAAFL! What does Google get [google.com] from providing this service? Better ads dollars [google.com]?
These questions are answered in the FAQ. I linked them above in your quote.
Unless they are outright lying, this is one of those projects they do "For the Good of the Community".
Now, since DNS is a cleartext protocol, there's no technical reason why your ISP cannot interfere with this if they wish to. This said, doing so is more involved than simply tinkering with their own DNS servers, and this gets into a grey area legally.
Before, they were simply altering the behavior of their DNS systems, which you reques
Re: (Score:2)
If they were to alter your requests to, say, 8.8.8.8, then they would be deliberately violating their common-carrier status and exposing themselves to all kinds of lawyer-bait.
ISPs are not common carriers [wikipedia.org], and this sort of level of proxying happens all the time. In particular, many ISPs re-direct all outgoing connections to port 25 to their own mail server, and similarly all connections to port 53 (DNS) are sent to their own DNS server. It's not that they are "altering requests to 8.8.8.8", but rather they are altering requests to particular ports.
Also, almost every ISP blocks incoming requests to well-known "server" ports for their non-business customers. If "altering reques
Re: (Score:2)
Redirections are one thing, but in-place modification... that's just not cool.
Re: (Score:2)
True enough. Not all ISPs that do this allow you to turn it off, however. Comcast is doing something right in that respect - at least they let you opt out cleanly.
Re: (Score:3)
I just tested Comcast's DNS lookup. They are redirecting SLDs that get NXDOMAIN from the TLD server. However, for hostnames within registered and working SLDs, they are redirecting SOME of those, as well. In particular my test for a couple of my own domains shows that for .net they are not doing 3rd level name redirection, but for .us they are. IMHO, the 3rd level redirection is bad.
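The comparison above (nonexistent second-level names versus nonexistent hostnames under working domains, per TLD) can be scripted. The following is an added example and not the commenter's own test; it uses the OS resolver through the standard library, takes the resolver as a parameter so it can be exercised against a fake, and defaults to the reserved example.net / example.com as the "working" domains (replace them with domains you control, as the commenter did).

```python
"""Probe the active resolver for NXDOMAIN wildcarding at the second and
third label (added example; not the commenter's script)."""
import secrets
import socket
from typing import Callable, Dict, Optional


def random_label() -> str:
    """A fresh label that nobody will have registered, so the name must be NXDOMAIN."""
    return "nx-" + secrets.token_hex(6)


def system_resolve(name: str) -> Optional[str]:
    """Resolve with the OS resolver; None means NXDOMAIN / no usable answer."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def wildcard_report(resolve: Callable[[str], Optional[str]],
                    working_domains=("example.net", "example.com"),
                    tlds=("net", "us")) -> Dict[str, bool]:
    """For each TLD, probe a random nonexistent SLD; for each working domain,
    probe a random nonexistent hostname beneath it.

    A value of True means the resolver handed back an address for a name
    that should have been NXDOMAIN, i.e. wildcarding at that level."""
    report: Dict[str, bool] = {}
    for tld in tlds:
        report[f"sld-under-.{tld}"] = resolve(f"{random_label()}.{tld}") is not None
    for dom in working_domains:
        report[f"host-under-{dom}"] = resolve(f"{random_label()}.{dom}") is not None
    return report


def third_level_redirection(report: Dict[str, bool]) -> bool:
    """True if any nonexistent hostname under a real domain got an answer
    (the case the commenter calls bad)."""
    return any(v for k, v in report.items() if k.startswith("host-under-"))


if __name__ == "__main__":
    live = wildcard_report(system_resolve)
    for probe, wildcarded in live.items():
        print(f"{probe:28s} {'WILDCARDED' if wildcarded else 'NXDOMAIN'}")
    print("third-level redirection:", third_level_redirection(live))
```

Run it once on the ISP's resolver and once with a different resolver configured (or through a VPN) to see where the answers diverge; every run uses fresh random labels so cached wildcard answers do not mask the result.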
The list of ISPs (Score:3)
List of ISPs that are redirecting some search queries
Cavalier
Cincinnati Bell
Cogent
Frontier
Hughes
IBBS
Insight Broadband
Megapath
Paetec
RCN
Wide Open West
XO Communication
Charter and Iowa Telecom were observed to be redirecting search terms, but have since ceased doing so. Iowa Telecom stopped its redirection between July and September 2010, and Charter stopped in March 2011.
Re: (Score:3)
Re: (Score:2)
Could you email a Netalyzr [berkeley.edu] execution from One Communications to netalyzr-help@icsi.berkeley.edu, so we can verify this? It could be due to IBBS, which runs DNS for multiple ISPs.
Re: (Score:2)
Use a VPN always. (Score:2)
Anyway, that's not a bad idea. In that case a hijacked machine within your own network also plays a lesser role.
Make sure to include DNS in your VPN... (Score:2)
Make double-sure that your VPN also tunnels the DNS requests, by checking the configuration and/or by using tcpdump. E.g., it's pretty easy to accidentally set up Firefox through an SSH tunnel in a way where the DNS requests don't pass through the tunnel.
Questions answered in this thread... (Score:5, Interesting)
I am one of the Netalyzr developers involved in this work. I or my colleagues will answer questions in this thread, but I may be offline for a little while so responses may be somewhat delayed at times.
Do you have a useful tool for identifying this? (Score:2)
Is there some easy way we can check for this, such as with a curl or wget command line script? A great way to defeat this practice would be to notify the businesses that are needlessly paying commissions out even though they are the first result.
Re:Do you have a useful tool for identifying this? (Score:4, Informative)
Yes. Netalyzr [berkeley.edu] specifically detects this condition amongst its many other tests. We also have a Java Command Line Client [berkeley.edu].
You can also check by doing a "dig search.yahoo.com". If the authority is "jomax.net", it's a Paxfire appliance changing the results.
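The dig check above can be wrapped in a small script that pulls the AUTHORITY section out of dig's output and flags the jomax.net indicator the comment names. This is an added example, not Netalyzr code; both dig transcripts in it are constructed (the jomax.net indicator is from the comment, the addresses, TTLs and the clean sample's nameserver names are placeholders), and the live check assumes `dig` is on the PATH.

```python
"""Flag a Paxfire-style authority in a resolver's answer for a search engine
hostname (added example, not Netalyzr's implementation)."""
import subprocess
from typing import List

# Constructed sample of `dig search.yahoo.com` output on a tampered resolver,
# in the layout dig prints. Only the jomax.net authority is the indicator the
# comment describes; addresses and TTLs are placeholders, not captured data.
TAMPERED_DIG_OUTPUT = """\
;; QUESTION SECTION:
;search.yahoo.com.\t\tIN\tA

;; ANSWER SECTION:
search.yahoo.com.\t60\tIN\tA\t192.0.2.10

;; AUTHORITY SECTION:
yahoo.com.\t60\tIN\tNS\tns1.jomax.net.
yahoo.com.\t60\tIN\tNS\tns2.jomax.net.

;; Query time: 12 msec
"""

# Constructed sample of an untampered answer (nameserver names are placeholders).
CLEAN_DIG_OUTPUT = """\
;; ANSWER SECTION:
search.yahoo.com.\t300\tIN\tCNAME\tsearch.cdn.invalid.

;; AUTHORITY SECTION:
yahoo.com.\t172800\tIN\tNS\tns1.yahoo.com.
yahoo.com.\t172800\tIN\tNS\tns2.yahoo.com.
"""


def authority_targets(dig_text: str) -> List[str]:
    """Return the server names from NS / SOA records in dig's AUTHORITY section."""
    targets: List[str] = []
    in_authority = False
    for line in dig_text.splitlines():
        if line.startswith(";; AUTHORITY SECTION:"):
            in_authority = True
            continue
        if in_authority:
            if not line.strip() or line.startswith(";;"):
                break  # blank line or next ';;' header ends the section
            fields = line.split()
            # owner ttl class type rdata...; for NS the rdata is the server,
            # for SOA the first rdata field is the primary master (MNAME)
            if len(fields) >= 5 and fields[3] in ("NS", "SOA"):
                targets.append(fields[4].rstrip(".").lower())
    return targets


def looks_hijacked(dig_text: str, indicator: str = "jomax.net") -> bool:
    """True if any authority server sits at or under the indicator domain."""
    return any(t == indicator or t.endswith("." + indicator)
               for t in authority_targets(dig_text))


def check_live(name: str = "search.yahoo.com") -> bool:
    """Run dig against the system resolver and apply the check (needs network)."""
    out = subprocess.run(["dig", name], capture_output=True,
                         text=True, check=True).stdout
    return looks_hijacked(out)


if __name__ == "__main__":
    print("constructed tampered sample:", looks_hijacked(TAMPERED_DIG_OUTPUT))
    print("constructed clean sample:   ", looks_hijacked(CLEAN_DIG_OUTPUT))
```

Because a negative answer carries an SOA rather than NS records in the authority section, the parser accepts both; that way a redirected NXDOMAIN answer is caught by the same check as a substituted positive one.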
Re: (Score:2)
How much does the use of neutral (for example google's) DNS services rather than default ISP's DNS help?
Re: (Score:3)
They do NOT intercept DNS that's not directed to the ISP's resolvers, thus using Google Public DNS allows you to avoid this redirection completely if you are affected.
Re: (Score:2)
Re: (Score:2)
We don't do GIFs except for ones on the web page, there are test JPG downloads however, which check for caching.
We also fetch a .exe, a .torrent, a .mp3 file, and a "virus" (the benign EICAR test file which AV systems detect as a virus so you can check AV operation safely).
Re: (Score:2)
That's unfortunately common. Your ISP probably offers an opt-out. If it doesn't, change your DNS server to something like Google Public DNS.
Net Neutrality (Score:2)
Re: (Score:2)
Ok, I know this is just DNS and not some network-level hijacking
That's irrelevant. ANY UNAUTHORIZED access to computer systems or data is illegal under federal law. You can thank Kevin Mitnick and DEC (May have my companies wrong) for that. Shortly after that whole event laws were enacted that basically made it so you need explicit permission to even VIEW someone's data let alone manipulate it.
This sort of tampering, to me fits squarely as a violation of that law. I authorize them to look at the IP headers only for routing purposes, I grant no authorization for any m
Mistyped URLs (Score:3)
"... additional revenue through advertising based on mistyped URLs."
This is why perfect spelling is so important.
OpenDNS has been doing this for years (Score:2)
It's not like it's new, anyone using OpenDNS has been subjected to this bullshit since day one. And for some reasons unknown to me, half of the slashdot user base still thinks OpenDNS is a godsend. The same people who were bitching like crazy when Network Solutions started returning itself instead of NXDOMAIN for missing names, everyone was ranting about how OpenDNS is the way to go ... ignoring the fact that they do exactly the same thing ... and it's a feature. Idiots.
Re: (Score:3)
If your ISP is fucking with DNS, though, and your attempts to talk to the real google are going to a different IP entirely, it will only warn you of that, not get you where you want to go.
If only because copyright/trademark claims for a US company serving an exact duplicate of the google homepage for monetary gain could pretty quickly hit the zillions, I
Re: (Score:3)
How convenient [google.com]!
Re: (Score:2)
... or if you are feeling adventurous, you can always install your own resolver locally. Unless your ISP would hijack requests going to root servers (which is a whole other level of maliciousness)...
Re: (Score:2)
... or if you are feeling adventurous, you can always install your own resolver locally. Unless your ISP would hijack requests going to root servers (which is a whole other level of maliciousness)...
Or indeed any traffic on UDP53.
The solution is to therefore tunnel your DNS requests to a known server, or even just put everything through your own personal VPN, and terminate with a decent company.
Re: (Score:2)
Which only helps you if your ISP isn't intercepting and redirecting port 53 requests. If an ISP is evil enough to redirect search traffic through some lookalike service, I doubt they'll feel even the slightest twinge at redirecting DNS.
Unfortunately, at that point, the only real solution is surfing via some form of VPN, which has some very real performance consequences.
Re: (Score:2)
Re: (Score:2)
That can easily be hijacked by the ISP. They simply set up a DNS server host, add these IP addresses to an interface, and add routes to direct the traffic to that server. Done.
Re: (Score:2)
Not hijacked but I get a bad feeling about sending my DNS requests through an advertising company that's already nearly omnipresent and omniscient (unless you've blocked their scripts and cookies) on the web...
Re:Simple Solution (Score:4, Informative)
Then use a local resolver, ensure you set up DNSSEC checking, and beat everyone with a stick who still doesn't sign their zones.
Re: (Score:2)
Use HTTPS, use your own resolver with DNSSEC, do this technical measure or that.
The fact is, you are going across a pipe controlled by another party and without laws and penalties to discourage and prohibit this behavior, this is what we can expect and will continue to get. And at the moment, they feel no guilt nor shame about this at all. They want more money (because if you're not growing, you're dying) and they will sell you and your mother to get it.
Re: (Score:2)
Probably not. You would think to try the referral URL, however that includes the DNS entry. That said, the ISP is already monkeying with the traffic, so they can always rewrite this header anyway.
Re: (Score:2)
Google did. This is why the ISPs that were proxying Google stopped in the past couple of months: Google's abuse-detection threw up a CAPTCHA on the queries, and then Google posted about it.
Also, you can run Netalyzr [berkeley.edu] to detect this condition.
Re: (Score:2)
Yes, find their ISP's IP ranges in the WHOIS database, send a special notice to anyone coming from those IPs. You'll warn a few people that aren't affected, like slashdotters with their own resolvers locally, but those people will get it anyway and probably think you're pretty cool for doing so.
IP allocation information is publicly available, though not always easy to find.
Re: (Score:2)
We specifically detect this condition in Netalyzr [berkeley.edu] as well: we fetch three different 404 pages from our server (a blank page, a default apache page, and a custom page) and detect if they are changed in flight.
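The detection the comment describes, a set of known-content pages fetched over plain HTTP and compared with what the server actually sends, reduces to a digest comparison plus a diff of whatever changed. The following is an added example and not Netalyzr's code: the three reference bodies and the "received" responses are constructed, the `/blank`, `/apache-default` and `/custom` URL layout is an assumption, and in a real deployment the expected digests would be published out of band rather than computed next to the fetch.

```python
"""Detect in-flight modification of known pages by comparing received bodies
with reference copies (added example modelled on the three-404-page probe)."""
import difflib
import hashlib
import urllib.error
import urllib.request
from typing import Dict, List, Optional

# Constructed reference copies of three 404 bodies our own server sends.
REFERENCE_PAGES: Dict[str, bytes] = {
    "blank": b"",
    "apache-default": (b"<html><head><title>404 Not Found</title></head>"
                       b"<body><h1>Not Found</h1></body></html>\n"),
    "custom": b"<html><body><p>probe page: nothing here</p></body></html>\n",
}

# Constructed "received" responses simulating an injecting middlebox: the blank
# page gained a script tag and the custom page gained an iframe; the Apache
# page came through untouched. The ads.invalid host is a placeholder.
TAMPERED_RESPONSES: Dict[str, bytes] = {
    "blank": b"<script src='http://ads.invalid/inject.js'></script>",
    "apache-default": REFERENCE_PAGES["apache-default"],
    "custom": REFERENCE_PAGES["custom"].replace(
        b"</body>", b"<iframe src='http://ads.invalid/'></iframe></body>"),
}


def digest(body: bytes) -> str:
    return hashlib.sha256(body).hexdigest()


EXPECTED_DIGESTS = {name: digest(body) for name, body in REFERENCE_PAGES.items()}


def compare(received: Dict[str, bytes]) -> Dict[str, Optional[str]]:
    """Map each page name to None (unchanged), 'missing', or a unified diff
    showing exactly what was altered in flight."""
    report: Dict[str, Optional[str]] = {}
    for name, expected in REFERENCE_PAGES.items():
        body = received.get(name)
        if body is None:
            report[name] = "missing"
        elif digest(body) == EXPECTED_DIGESTS[name]:
            report[name] = None
        else:
            diff = difflib.unified_diff(
                expected.decode("utf-8", "replace").splitlines(),
                body.decode("utf-8", "replace").splitlines(),
                fromfile="expected", tofile="received", lineterm="")
            report[name] = "\n".join(diff)
    return report


def modified_pages(received: Dict[str, bytes]) -> List[str]:
    """Names of pages that were altered or did not arrive at all."""
    return [name for name, result in compare(received).items() if result is not None]


def fetch_all(base_url: str) -> Dict[str, bytes]:
    """Fetch the probe URLs (assumed layout: base_url/<name>) over plain HTTP.
    The server answers 404, so the body is read from the HTTPError."""
    received: Dict[str, bytes] = {}
    for name in REFERENCE_PAGES:
        req = urllib.request.Request(f"{base_url}/{name}",
                                     headers={"Cache-Control": "no-cache"})
        try:
            with urllib.request.urlopen(req, timeout=10) as resp:
                received[name] = resp.read()
        except urllib.error.HTTPError as err:
            received[name] = err.read()
    return received


if __name__ == "__main__":
    for name, result in compare(TAMPERED_RESPONSES).items():
        print(f"== {name}: {'unchanged' if result is None else 'CHANGED'}")
        if result:
            print(result)
```

Three bodies of different shapes are probed for the same reason the comment gives: an injector that only rewrites pages containing a `</body>` tag, or only non-empty ones, would otherwise slip past a single probe.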
Re: (Score:2)
Hijacking traffic like this is almost certainly a breach of RIPA and the Computer Misuse Act.
Both of which are UK laws.
Re: (Score:2)
We don't say it's BAD, we say it's interesting: we alert on any non-legit reverse data for any site which would normally have a clean reverse. If you did these changes legitimately, it is a false positive, but since we want to detect all DNS-based blocking & modification of the significant name list, we always alert on these changes.
We check these particular names because there is malcode that changes BOTH these sites to malicious servers, and we alert on any change on these sites.