Comments on news posted 2011-08-05 12:23:25: Earlier this year, ICSI researcher Nicholas Weaver told me he and other Berkeley researchers had discovered some strange ISP shenanigans related to search traffic hijacking that went well beyond the traditional DNS Redirection ad services we've talke.. ..



DataRiker
Premium
join:2002-05-19
00000

1 recommendation

Simple solution

»encrypted.google.com/

I also recommend Firefox users try HTTPS-Everywhere.



hayabusa3303
Over 200 mph
Premium
join:2005-06-29
kudos:1

1 recommendation

humm

They want to track us, make a buck and cap us to death and charge us up the ass if we go over? Keep up the good work ISPs. Your business model is slowly going to crap.


mleland
Premium
join:2002-12-17
Westwood, CA

Wire tap laws?

Just imagine if the old phone company didn't have to follow wire tapping laws. It is clearly WAY past time for a MAJOR update to the wire tapping (privacy) laws.

Yes I know all about warrant-less wire tapping.... We are talking about a private company here using that data for profit without any notification or consent... not the gov't for criminal activity.



firephoto
We the people
Premium
join:2003-03-18
Brewster, WA

1 recommendation

Don't use ISP DNS

Use a public DNS server and don't fall for the tricks from the ISP that make you think you need to use their DNS.
--
Say no to JAMS!


nweaver

join:2010-01-13
Napa, CA

Questions answered in this thread...

I'm one of the Netalyzr developers, and will attempt to answer questions in this thread. I may have intermittent connectivity, so please be patient.



SkellBasher
Yes Sorto, I'll take my Prozac

join:2000-10-22
Niagara Falls, NY

1 edit

Paxfire is shady

Although I'm not at one of the ISPs listed, we use Paxfire appliances for DNS redirection for our customers. (I hate it, but my objections were overruled by our owner.)

Even though we ONLY use them for NXDOMAIN redirection, we've caught them performing this search hijacking in the past. The first time, they told me that they were requested to make the change by an individual that hadn't worked for us in 3 years. I raised hell about it, and they reverted it. Since then, I've been watching for it, and they've made 'configuration mistakes' to turn this back on more than a few times.

I very much suspect that they're intentionally turning this on without ISP knowledge to increase revenues, reverting it when they get caught.

EDIT: I wasn't running a check for Bing, since it's almost never used. I decided to look, and sure enough, they were proxying Bing without our consent.

Shady shady... can't wait to get rid of them.


nweaver

join:2010-01-13
Napa, CA
reply to mleland

Re: Wire tap laws?

The legal complaint specifically concerns the wiretap act amongst other complaints.



birdfeedr
Premium,MVM
join:2001-08-11
Warwick, RI
kudos:9
reply to nweaver

Re: Questions answered in this thread...

Will changing DNS servers fix this problem?

Verizon is not on the current list of ISPs, but there's no assurance they won't try to tap that revenue stream in the future.


kaila

join:2000-10-11
Lincolnshire, IL
reply to DataRiker

Re: Simple solution

Not sure about this, but couldn't SSL still be vulnerable to man-in-the-middle type attacks if ISPs are proxying the traffic?
--
Jeff Howe
Jeff's Blog - »www.ostjournal.net



DataRiker
Premium
join:2002-05-19
00000

No.

SSL uses endpoint mutual authentication.



gettagrip

@141.191.20.x
reply to hayabusa3303

Re: humm

Keep up the good work ISPs. Your business model is quickly going to crap.

FTFY


firedrakes

join:2009-01-29
Arcadia, FL
reply to SkellBasher

Re: Paxfire is shady

Seen it happen more than once with this company.



toby
Troy Mcclure

join:2001-11-13
Seattle, WA
reply to DataRiker

Re: Simple solution

Thanks, great software to use, just installed it. Coming back to this site redirected it to secure.dslreports.com



byteme

@141.191.20.x
reply to firephoto

Re: Don't use ISP DNS

My TWC provided router seems to be missing (by design) the option to choose my own DNS server. Any suggestions as to how I can get around this?



NetFixer
Snarl For The Camera Please
Premium
join:2004-06-24
The Boro
Reviews:
·Cingular Wireless
·Comcast Business..
·Vonage
reply to birdfeedr

Re: Questions answered in this thread...

said by birdfeedr:

Will changing DNS servers fix this problem?...

Not using your ISP's DNS servers will only help with NXDOMAIN redirection. It will not stop packet inspection that redirects traffic based on the search engine (that you think you are using) and/or the search terms being used.
--
History does not long entrust the care of freedom to the weak or the timid.
-- Dwight D. Eisenhower
The tree of liberty must be refreshed from time to time with the blood of patriots and tyrants.
-- Thomas Jefferson

openbox9
Premium
join:2004-01-26
Germany
kudos:2
reply to hayabusa3303

Re: humm

Actually, the business model is improving. It's the consumers' approval of the business model that is deteriorating.


openbox9
Premium
join:2004-01-26
Germany
kudos:2
reply to byteme

Re: Don't use ISP DNS

Identify the DNS server addresses on your local computer(s)...or use a different router


nweaver

join:2010-01-13
Napa, CA
reply to birdfeedr

Re: Questions answered in this thread...

YES, changing DNS fixes this problem.

THIS particular tampering was based on changing DNS results from the recursive resolver, so using a third-party DNS (e.g., Google Public DNS) fixes the problem.
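
An added example, not part of the post above and not Netalyzr's code: an offline check that compares answers collected from a suspect recursive resolver with those from a reference resolver (collected separately, for instance with `dig @<resolver> <name>`). The function name, the canary name, the hostname list and all addresses are assumptions constructed for illustration, and the "same address answers for unrelated operators" test is a heuristic.

```python
from collections import defaultdict

def audit_resolver(suspect, reference, canary, providers):
    """Compare answers from a suspect recursive resolver with a reference one.

    suspect / reference: {hostname: set of IPv4 strings, or None for NXDOMAIN}
    canary: a name known not to exist; providers: {hostname: operator}
    """
    findings = []
    landing = suspect.get(canary) or set()
    if landing and reference.get(canary) is None:
        findings.append(("nxdomain-rewrite", canary, sorted(landing)))
    # Which operators did the suspect resolver hand each address out for?
    operators_by_ip = defaultdict(set)
    for host, operator in providers.items():
        for ip in suspect.get(host) or ():
            operators_by_ip[ip].add(operator)
    for host in sorted(providers):
        ips = suspect.get(host) or set()
        unseen = ips - (reference.get(host) or set())
        # A differing address alone is normal (CDNs, anycast). Flag it only if
        # it also answers for an unrelated operator or for the canary name.
        shared = {ip for ip in unseen
                  if len(operators_by_ip[ip]) > 1 or ip in landing}
        if shared:
            findings.append(("possible-proxy", host, sorted(shared)))
    return findings

# Constructed sample data; every address is from the RFC 5737 documentation ranges.
PROVIDERS = {"www.google.com": "google", "www.bing.com": "microsoft",
             "search.yahoo.com": "yahoo"}
CANARY = "nx-check-7f3a9c.example.com"
REFERENCE = {"www.google.com": {"192.0.2.20"}, "www.bing.com": {"192.0.2.40"},
             "search.yahoo.com": {"198.51.100.30"}, CANARY: None}
CLEAN = {"www.google.com": {"192.0.2.10"}, "www.bing.com": {"192.0.2.40"},
         "search.yahoo.com": {"198.51.100.30"}, CANARY: None}
TAMPERED = {"www.google.com": {"203.0.113.5"}, "www.bing.com": {"203.0.113.5"},
            "search.yahoo.com": {"198.51.100.30"}, CANARY: {"203.0.113.9"}}

if __name__ == "__main__":
    for label, answers in (("clean", CLEAN), ("tampered", TAMPERED)):
        print(label, audit_resolver(answers, REFERENCE, CANARY, PROVIDERS))
```

Checking several search hostnames at once matters here: a proxy address that appears for only one provider is indistinguishable from an ordinary CDN difference in this comparison.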



dcurrey
Premium
join:2004-06-29
Reviews:
·Time Warner Cable
·Cincinnati Bell
·ViaTalk
reply to byteme

Re: Don't use ISP DNS

Change DNS in your computers.

See »store.opendns.com/setup/computer/ to set up with OpenDNS.

You could just change servers to 4.2.2.1 and 4.2.2.2 for Level 3. 8.8.8.8 and 8.8.4.4 for Google. Think I have them right.


openbox9
Premium
join:2004-01-26
Germany
kudos:2
reply to SkellBasher

Re: Paxfire is shady

So external companies have access to devices on your network to make configuration changes? Wow.



SkellBasher
Yes Sorto, I'll take my Prozac

join:2000-10-22
Niagara Falls, NY

That's how they're set up, yes, inline with the DNS servers.

It's a terrible solution, and one that I objected to mightily. However, I was overruled by people who sign my checks.


openbox9
Premium
join:2004-01-26
Germany
kudos:2

I can't believe any knowledgeable network security officer would go for something like that.


InfinityDev

join:2005-06-30
USA
reply to firephoto

side note: Profile your DNS servers

On a side note: profile your DNS servers you plan to use. I use OpenDNS for the extra features like anti-phishing help, but choosing ones that perform better than your ISP's will help.

This utility from SecurityNow podcaster Steve Gibson can help:
»www.grc.com/dns/benchmark.htm


InfinityDev

join:2005-06-30
USA
reply to kaila

Re: Simple solution

Yes, if ISPs are inserted into the SSL certificate chain. Most ISPs don't do this but censored countries and many corporate networks, for example, do this. When in the certificate chain they can proxy SSL traffic silently and eavesdrop on the traffic going through the connection.

"Steve explains why and how world governments are able to legally compel their national SSL Certificate Authorities to issue Intermediate CA certificates which allow agencies of those governments to surreptitiously intercept, decrypt, and monitor secured SSL connections of any and all kinds."

»www.grc.com/sn/sn-243.htm



SkellBasher
Yes Sorto, I'll take my Prozac

join:2000-10-22
Niagara Falls, NY
reply to openbox9

Re: Paxfire is shady

I laid out the (significant) risks. The owner overruled me, and said to do it anyways. My only option to not put this in place was to quit, and that wasn't an option.

I made significant network changes because of this to ensure that the remainder of the network was protected, and the only things they could reach were walled off from everything else. I also have things set up in such a way that if they do anything I don't like, I can disconnect their equipment within seconds, and move us back to 'clean' DNS infrastructure. I've done this a few times, and Paxfire starts screaming instantly because revenues stop.

It sucks, but unless the bank lets me skip a few mortgage payments, it's what I have to do.



Matt3
All noise, no signal.
Premium
join:2003-07-20
Jamestown, NC
kudos:12
reply to DataRiker

Re: Simple solution

said by DataRiker:

»encrypted.google.com/

I also recommend Firefox users try HTTPS-Everywhere.

This is done at the DNS layer, SSL doesn't matter.


Matt3
All noise, no signal.
Premium
join:2003-07-20
Jamestown, NC
kudos:12
reply to firephoto

Re: Don't use ISP DNS

said by firephoto:

Use a public DNS server and don't fall for the tricks from the ISP that make you think you need to use their DNS.

Excellent suggestion for stopping this type of hijacking.

zefie

join:2007-07-18
Hudson, NY
Reviews:
·DSL EXTREME

1 edit
reply to DataRiker

Re: Simple solution

Just installed it. Irony is this site fails it. At least for me.

secure.dslreports.com uses an invalid security certificate.

The certificate is not trusted because no issuer chain was provided.

(Error code: sec_error_unknown_issuer)

Edit: Oddly only Firefox (v5.0.1, fresh install) is doing it.


thedragonmas

join:2007-12-28
Albany, GA
kudos:1
reply to birdfeedr

Re: Questions answered in this thread...

Is this what Mediacom has been doing?
»Mediacom redirect service-opted out, still hijacks searches..


rahvin112

join:2002-05-24
Sandy, UT
reply to InfinityDev

Re: Simple solution

There is a solution though. It's called TOR and it allows encrypted traffic to proxy servers through which you can browse the regular internet. I'm not aware of any exploit against TOR at this time that would allow man-in-the-middle as it doesn't use the SSL chain of trust. Though there is speculation that if a government provided a proxy node they could potentially identify some users. The probability is extremely low that this would succeed due to the onion routing, though it is technically possible. The only issue to deal with is that TOR is slow (because of the onion routing). TOR has been a documented resource in allowing people in oppressive totalitarian regimes to bypass the censorship regimes and provide real information flow.

The beauty of TOR over generalized proxies is that the traffic is routed through multiple proxies before source and destination, thus shielding both sides from oppressive government (or ISP in this case) action.