 SteveI know your IP addressConsultant join:2001-03-10 Yorba Linda, CA kudos:5 | reply to Bobby_Peru
Re: ZoneAlarm "False-Proxy Detection"
The short answer is that I don't really know, and probably won't ever know, but I can think out loud.
First, we don't know what patterns ZoneAlarm is looking for in order to say "Aha! Looks like a proxy!" but I find it very hard to believe that they have some kind of RFC-compliant scanner that validates HTTP on the fly and authoritatively recognizes that it's seeing proxy traffic. Instead it probably just looks for patterns that (usually) only occur in proxy traffic, and they are sufficiently rare that they don't show up in "regular traffic".
BBR has custom-written forum software that doesn't "look" like anything else, so we'll generate unique patterns that others won't. If it turned out that (say) VBulletin accidentally generated the curious patterns, you'd instead see a widespread issue instead of just one here at home.
Second, an outsider's view of "www.dslreports.com" is not a webserver, but a proxy server that protects several webservers hiding behind it. This proxy is here for the benefit of the server(s), not the client, and I don't think that the proxy-ness is supposed to be visible to outsiders.
But perhaps ZoneAlarm is somehow seeing the proxy-ness of this conversation and confusing a server proxy with a client proxy (which it should detect).
In short, this is almost certainly just an accidental collision of a bunch of unrelated patterns rather than (say) being representative of a bug in a browser or bad coding at BBR.
I guess that's the long way of saying "sh*t happens".
It would be nice if ZoneLabs filled us in on the nature of why BBR got all this attention, but I dunno if they will.
Steve -- Stephen J. Friedl * Security Consultant * Tustin, California USA * my web site |
|
 skjWelcome to the far side of realityPremium,Mod join:2002-04-04 Gone South | I don't know why but my 5.0 ZAF version has now started connecting to the Zonelabs update site again instead of DSLReports. |
|
 SteveI know your IP addressConsultant join:2001-03-10 Yorba Linda, CA kudos:5 | said by skj: I don't know why but my 5.0 ZAF version has now started connecting to the Zonelabs update site again instead of DSLReports.
Every time ZoneAlarm restarts, it discards any knowledge of proxies, but it can "relearn" the proxy at any time.
You can run ZAWatch to be notified immediately upon false-proxy detection.
Steve -- Stephen J. Friedl * Security Consultant * Tustin, California USA * my web site |
|
 skjWelcome to the far side of realityPremium,Mod join:2002-04-04 Gone South | Ok. That is probably what happened. |
|
 atangelNow What??Premium join:2002-02-18 Bronx, NY | reply to Steve Just FYI, according to ZA Watch, still happening with today's .043 version. |
|
 | reply to Steve said by Steve: The short answer is that I don't really know, and probably won't ever know, but I can think out loud.
Thanks for the explanation! -- **~~Infected/Hijacked? FAQ~~~Protect/Secure Your Box/Data FAQ~~~Security Forum FAQs~~** |
|
 SteveI know your IP addressConsultant join:2001-03-10 Yorba Linda, CA kudos:5 | said by Steve: I don't know
said by Bobby_Peru: Thanks for the explanation
It's satisfying when ignorance serves a useful purpose -- Stephen J. Friedl * Security Consultant * Tustin, California USA * my web site |
|
 KalfordSeems To Be An Rtfm Problem.Premium,MVM join:2001-03-20 Ontario kudos:1 | reply to Steve said by Steve: BBR has custom-written forum software that doesn't "look" like anything else, so we'll generate unique patterns that others won't.
Someone gave Fatness the keys to the coding vaults and he broke Zone Alarm. :D;) -- "I reverse my right to type siht the wrong way." |
|
 PacratOld and CrankyPremium,MVM join:2001-03-10 Cortland, OH | reply to Steve
Re: The ZoneAlarm/BBR research thread
Has anyone heard any more about Zone Labs' efforts to correct this annoying situation? Fortunately, it appears that it is just an annoyance and not a real security issue as ZoneAlarm does, in fact, block all these connection attempts. I can tell just about every time ZA starts "phoning home" to BBR... my computer starts to hesitate just an instant while the "call" is being made. -- 41º 19 6.4 N - 80º 43 21.8 W |
|
 SteveI know your IP addressConsultant join:2001-03-10 Yorba Linda, CA kudos:5 1 edit | I understand they have a handle on it (e.g., can reproduce it in the lab, they know why it's being detected, etc.) and are presumably working on a fix. No idea of schedule or the like.
They just had an unrelated product release a coupla days ago, so my guess is that it's kept them busy. I'm hoping that some of us are invited to participate in any beta program once they have a fix in place.
Steve P.S. - I don't speak for Zone Labs, no inside information, blah blah blah.
-- Stephen J. Friedl * Security Consultant * Tustin, California USA * my web site |
|
 McSummationMmmm, Zeebas Are Tastee.Premium,MVM join:2003-08-13 Round Rock, TX kudos:2 | I got an "update available" this morning for version 5.0.590.043. |
|
 atangelNow What??Premium join:2002-02-18 Bronx, NY | That's the update he is referring to, been around a couple of days....
»Zone Alarm 5.0.590.043 release (21 June 2004) |
|
 SteveI know your IP addressConsultant join:2001-03-10 Yorba Linda, CA kudos:5 | reply to McSummation ZoneLabs said publicly that they would not turn on remote updates for a day or two to help manage bandwidth; apparently there would be a rush of people upgrading by explicit request, and once that calmed down, they would turn on the "new update available here" flag to let the others in on the fun.
Steve -- Stephen J. Friedl * Security Consultant * Tustin, California USA * my web site |
|