ISP Is Bypassing Firefox's Location Bar Search
It was only a matter of time before ISPs began doing more than just redirecting failed DNS requests to their own pages.
An anonymous reader writes "It looks like the largest ISP in Hong Kong has started bypassing search results from Firefox's location bar (which typically uses Google), forcing their own search provider (yp.com.hk) onto their users. ... Can an ISP just start re-directing search traffic at will?"
As shown by the recent Comcast - FCC ruling, ISPs can barely be regulated at all (and therefore can do anything they want).
Use a VPN provider of your choice.
We've seen a few ISPs that MitM www.google.com in DNS (you can check for yourself in Netalyzr).
Does anyone know (save me looking at a TCPdump) what domain name firefox uses, is it www.google.com or something else, for the google searches?
Test your net with Netalyzr
Can an ISP just start re-directing search traffic at will?
Not in my book. My ISP started doing some redirection and they got an immediate complaint from me. In person, at their local office. If there was an alternative to their service I would have switched ISPs immediately.
"while democracy seeks equality in liberty, socialism seeks equality in restraint and servitude." de Tocqueville
If these idiots are too dumb to handle being a dumb pipe, we have no choice but to encrypt everything.
And that's why we should start using encryption for everything...
`echo $[0x853204FA81]|tr 0-9 ionbsdeaml`@gmail.com
The article is a single post on a forum from one user with no follow-up. Can anyone else confirm the allegation?
So if this is the future...where's my jet pack?
This is as sleazy as it gets for an ISP. I hope firefox and google set up some sort of trusted cert and use HTTPS for the traffic from that bar. That might make it much harder for them to do man-in-the-middle attacks of the sort. Google could sue the ISP for impersonation or something similar.
For the love of $deity why would _anybody_ still be using the DNS server that their ISP provides?
Ignoring the multiple FREE DNS providers out there, it is trivially easy to set up your own caching DNS server regardless of the OS platform you use.
With the abundance of 'old' computers that most people upgrade from, it should be standard practice to set up an old box as a firewall/dns server.
"The price good men pay for indifference to public affairs is to be ruled by evil men." ~Plato (427-347 BC)
Most people still believe that just because you can legally do something, doesn't mean you should. When businesses do every sneaky, duplicitous thing they can to make a buck, they push that natural tendency toward expecting civility and something resembling high-mindedness in civilized people straight into the Socialist camp.
As a Capitalist, that really offends me. If businesses want to be treated laissez faire then they damn well better learn to make society not feel like they're a bunch of crooks who care so little about the common good that if regulators aren't going Big Brother on them every nanosecond they'll steal everything that isn't nailed down and cheat everyone who isn't paying 110% attention to every detail of their lives.
You can try. It might even work this time. But they can also choose to misdirect the request based on the IP address because they literally are the man in the middle, your traffic must pass through their routers.
They outed the almighty Google...
Google is gay?
Tequila: It's not just for breakfast anymore!
This is, after all, a Chinese city redirecting search traffic away from Google. Hardly surprising, considering the recent lack of love between the Chinese government and Google (even though Hong Kong is *supposedly* exempt from much of China's more repressive policies)
SJW: Someone who has run out of real oppression, and has to fake it.
Or run your own DNS server?
A perfect example of why we need net neutrality rules in place. An ISP should not be allowed to modify packets or redirect packets to/from known destinations.
We were all warned a long time ago that MS products sucked, remember the Magic 8 Ball said, "Outlook not so good"
1) Be an ISP
2) Create an online shop ala amazon.
3) Redirect all users to your shop
4) Profit!
Best answer so far. Yes they can. The real question should be "SHOULD they do this".
Tequila: It's not just for breakfast anymore!
Title is by-passing. I was expecting a funny reply about "you've got to build bypasses!" in the "letter from your ISP" format.
No.
I use a small, local telephone company for my DSL. They're reliable, not the fastest or the cheapest, but hey, it's pretty much a monopoly unless I want the cruddy cable service provider that is unreliable in their connectivity and just as expensive.
For six years now I've dealt with this. At work I just type a keyword and end up at the site I wanted. At home I do that by mistake and I get a page with an advertisement for something local saying the page couldn't be found.
Extremely annoying, but I don't have much choice as I don't want cable or their cruddy service, so I deal with it.
"For the love of $deity why would _anybody_ still be using the DNS server that their ISP provides? Ignoring the multiple FREE DNS providers out there, it is trivially easy to set up your own caching DNS server regardless of the OS platform you use."
Because the internet stopped being just for techies 10 years ago? Step out of your little bubble, you dweeb, and look around. First you have to give a crap about the concept of a DNS, which is exactly one step too far for the vast majority of folks.
Rightly so, too. If my family had to worry about things like that they would never have gotten any further than the occasional email.
In my past I've frequently been in your position - wondering why the whole world doesn't give a crap about some ridiculous thing I think is incorrect. However, this year I'm turning 40, and for some reason I'm starting to get the other perspective. The "ridiculous" is on the other side.
I have the same issue in Seamonkey, just posted about it on the Mozillazine forums as well. http://forums.mozillazine.org/viewtopic.php?f=5&t=1811375
If any high tech company is going to come out of the closet, it would be apple.
Obvious answer as well. The real question is, what can you do about it?
You never wondered about the rainbow colours in their logo?
What firefox does is first try to do DNS lookups for:
foo
foo.com
www.foo.com
before launching the google search.
Thus NXDOMAIN wildcarding (which is unfortunately growing very common, distressingly so in our data) will mess up the firefox behavior by causing one of the three names to resolve to the "helpful" search page belonging to the ISP.
Test your net with Netalyzr
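The lookup sequence described in the comment above gives a simple way to test a resolver for NXDOMAIN wildcarding. This is an added example, not part of the original thread; the function names and the `nxprobe-` label are assumptions, and the two offline resolvers use constructed answers on documentation addresses.

```python
import secrets
import socket

def firefox_candidates(word):
    """Names the comment says Firefox tries before falling back to a search."""
    return [word, f"{word}.com", f"www.{word}.com"]

def system_resolve(name):
    """Resolve with the OS resolver; return a set of addresses (empty on failure)."""
    try:
        infos = socket.getaddrinfo(name, 80, proto=socket.IPPROTO_TCP)
    except socket.gaierror:
        return set()
    return {info[4][0] for info in infos}

def random_probe_names(count=3):
    # Random labels that should not be registered: a clean resolver says NXDOMAIN.
    return [f"nxprobe-{secrets.token_hex(8)}.com" for _ in range(count)]

def detect_wildcarding(resolve=system_resolve, probes=None):
    """Return the addresses handed out for nonexistent names (empty set if clean)."""
    probes = probes or random_probe_names()
    answers = [resolve(p) for p in probes]
    if not all(answers):
        return set()  # at least one probe failed properly: no blanket wildcard
    return set().union(*answers)

def hijacked_candidates(word, resolve=system_resolve, wildcard_ips=None):
    """Which of Firefox's candidate names land on a wildcard address."""
    if wildcard_ips is None:
        wildcard_ips = detect_wildcarding(resolve)
    return [n for n in firefox_candidates(word) if resolve(n) & wildcard_ips]

# Constructed resolver behaviour for offline use (RFC 5737 documentation addresses).
REAL_RECORDS = {"www.example.com": {"192.0.2.10"}}

def clean_resolver(name):
    return set(REAL_RECORDS.get(name, set()))

def wildcarding_resolver(name):
    # Every name without a real record gets the "helpful" search page address.
    return set(REAL_RECORDS.get(name, {"203.0.113.80"}))

if __name__ == "__main__":
    # Live check against whatever resolver this machine is configured to use.
    ips = detect_wildcarding()
    print("wildcard addresses:", sorted(ips) or "none (NXDOMAIN is honoured)")
    print("offline demo:", hijacked_candidates("example", wildcarding_resolver))
```
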
They can if they are in China.
Use Google's DNS.
8.8.8.8
8.8.4.4
Pretty easy to remember, too.
The latest Slashdot meme.
UPC in the Netherlands currently pulls the same kind of trick on you.
Their DNS servers have a catch-all redirect to their own search portal. They have instructions on how to undo it (manually change your dns servers), but the common man doesn't of course know how to do that.
Shouldn't governments protect us from this evil?
Not really no. China's leaders aren't stupid. They realized Russia fell trying to keep pace economically with the USA. Then China realized they outnumber us 4-1. So all they had to do was convert their poor peasants into manufacturers. The fastest way to do that is to invite foreign companies to use their labor. Putting their own people in place to learn the tricks of the various trades. After 20 years they will be teaching their own people to do that on their own. (current place). After that they can kick out the foreigners.
However in reality I think China and the USA are on a course for merger in a couple of centuries. Slowly the USA will add socialist ideals to take care of those who can't. And China won't be able to shake the grip of the capitalism that is slowly changing their country.
i thought once I was found, but it was only a dream.
Heck, it happens here in the USA. I'll name names too - Windstream Communications. As of a couple months ago they started redirecting our google search bars to their custom search portal. Annoyed the hell out of me. Emailed, but apparently got dumped into the bucket of spam/"unhappy customer, please ignore".
And all of a sudden, you realise that EVERY car dealership in town has small print saying "...and if you buy this car, we can fuck you in the ass."
Well, you don't like being fucked in the ass. But there are only 3 car dealerships available to you, and they all have this small print in it. And you really need a car.
So what do you do?
What backbone? There isn't one; the internet is a distributed network.
The closest you could get is probably one of these. Of course, these companies are ISPs, too.
as mentioned elsewhere, setting to other DNS servers can be defeated.
But... leasing dedicated servers is cheap (now), and VPS even cheaper.
Set one up as a VPN/Proxy server, and route your connection through there. The major server hosting farms can't (edit: won't) do any re-direction tricks as they would gain little/nothing from it.
That will effectively get you your direct access (with a latency/bandwidth penalty) without some insane cost.
Alternatively, business packages from the same ISP -may- have a different setup, but at a higher cost.
It is Hong Kong, which unlike mainland China, has a democratically elected government.
I'm surprised that people haven't started making personal resolvers easy to set up and use - or routers don't start coming with them to bypass the ISP resolvers. After all, all you really need is the list of root servers (which change infrequently and are available at a well-known place for self-bootstrapping) and that's it. Eliminates pharming (poisoned DNS servers), ISP shenanigans including NXDOMAIN, and possibly others.
Add in the ability to link with DHCP in the router and no more needing annoying IP addresses for a home network.
This isn't new, and this isn't NXDOMAIN hijacking. Windstream, a US DSL provider, was already caught red-handed doing this. Not only this but they also refuse to answer very specific questions asked (see http://www.dslreports.com/forum/r24059591-DPILayer7NXDOMAIN-Privacy-questions-re-Windstream-DSL) and provide a paper-thin excuse as to why it's happening (see http://www.dslreports.com/forum/r24074065-Our-Response-to-Redirect-Service-Concerns).
Affected users are not using the ISP's DNS servers, this is not NXDOMAIN hijacking. This is layer 7 inspection, the sheer fact the URL was transformed, being carefully re-written, from the URI passed to 'www.google.com' discredits what Windstream has said entirely.
When a user performs a search using the Firefox search bar against Google HTTP/1.1 is used with an HTTP method of GET against Google. The following URI is constructed:
q=[search criteria]
ie=[encoding]
oe=[encoding]
aq=
rls=[browser]
So, when I search against Google I pass ?q= for my search term.
When this is redirected to searchredirect.windstream.net the URI is transformed, with the ?q= parameter being extracted. Windstream's site uses this URI structure:
search=[search criteria]
src=[integer value, likely points to an RDBMS based on HTTP_REFERER]
Windstream is not disclosing the truth. For this behavior to occur you would have to be using an MITM proxy or DPI; either way they are inspecting layer 7 traffic, extracting the ?q= URI string passed to Google, and either transparently or via HTTP 302 redirecting customers to searchredirect.windstream.net
They got caught, red handed, and have been fabricating mis-truths from the start.
How HTTP/1.1 GET against /search?q=my_search_term becomes /search.php?search=my_search_term without some form of Layer 7 is impossible. This CANNOT be NXDOMAIN.
Clearly they're not disclosing the full details or hiding behind careful sentence structure and semantics. This appears that there is now an industry initiative and a company behind this search harvesting and privacy invasive technology which is being sold to ISPs. Expect more to come, this isn't isolated to overseas, it's already happening right here in the US.
-SirMeowmix_I
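The evidence the comment above relies on, a search term copied from Google's `q=` into a differently named parameter on another host, can be checked mechanically on a captured redirect. This is an added example, not part of the original thread; `classify_redirect` and its labels are assumptions, the sample URLs are constructed from the parameter names quoted in the comment, and only the HTTP 302 case is covered, not a transparent proxy.

```python
from urllib.parse import urlsplit, parse_qs

MIN_VALUE_LEN = 3  # ignore very short values that could match by coincidence

def classify_redirect(requested_url, status, location):
    """Classify the response seen for requested_url.

    Returns (label, carried) where label is one of
      "no-redirect"     not a 3xx, or no Location header
      "same-host"       redirect stays on the requested host (or is relative)
      "cross-host"      sent to another host, no request data copied
      "layer7-rewrite"  sent to another host AND a query value from the request
                        reappears there; carried maps request param -> new param
    DNS tampering alone can only change which address answers. It cannot copy
    a query value into a new URL, so "layer7-rewrite" means the redirecting
    party parsed the HTTP request line.
    """
    if not (300 <= status < 400) or not location:
        return "no-redirect", {}
    req, loc = urlsplit(requested_url), urlsplit(location)
    if loc.hostname is None or loc.hostname.lower() == (req.hostname or "").lower():
        return "same-host", {}
    req_q = parse_qs(req.query)   # blank values such as "aq=" are dropped
    loc_q = parse_qs(loc.query)
    carried = {}
    for rname, rvals in req_q.items():
        wanted = {v for v in rvals if len(v) >= MIN_VALUE_LEN}
        for lname, lvals in loc_q.items():
            if wanted & set(lvals):
                carried[rname] = lname
    return ("layer7-rewrite", carried) if carried else ("cross-host", {})

# Constructed capture: the request shape and the redirect target described above.
REQUEST = ("http://www.google.com/search?q=slashdot+isp&ie=utf-8&oe=utf-8"
           "&aq=&rls=org.mozilla:en-US:official")
OBSERVED_LOCATION = ("http://searchredirect.windstream.net/search.php"
                     "?search=slashdot+isp&src=1")

if __name__ == "__main__":
    print(classify_redirect(REQUEST, 302, OBSERVED_LOCATION))
```
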
Apple isn't gay, they're just metrosexual. That way they get to look fashionable without actually taking it in the butt.
Yes.
But then again customers can stop using them. (Of course there's legal ins and outs depending on the contract you signed... but you read that of course didn't you?)
- http://www.milkme.co.uk
or based on HTTP request headers.
All Google needs to do is modify their search bar to encrypt the outbound search string using Google's public key. By doing that, it makes it difficult to intercept whatever search is being done.
That was the turning point of my life--I went from negative zero to positive zero.
Apple is bi or multisexual, its customers love having unprotected sex with Apple (and Jobs by proxy... hmmmm... jobs, what kind of jobs I wonder) and you know, Apple's customers are of all genders I think.
I suppose there is an App for that, iSex anyone?
You can't handle the truth.
And all of a sudden, you realise that EVERY car dealership in town has small print saying "...and if you buy this car, we can fuck you in the ass." Well, you don't like being fucked in the ass. But there are only 3 car dealerships available to you, and they all have this small print in it. And you really need a car. So what do you do?
I buy KY or take the bus.
Seriously, though - you are talking hypothetically and I am talking about this example. If you don't like anal, then perhaps you should take steps to avoid "surprise butt secks". If you trust every company to put only nice things that benefit you in their terms and conditions, then you are living in a fairytale world. Why is it that people aren't willing to take responsibility for their own lives and then complain about a "nanny-state" government??
Apparently racism against white people is fine for you.
The issue is that the ISP is redirecting your malformed URL before Firefox can, right? And yet the ISP is sleazy and Firefox is a victim?
How about everybody not fiddling with DNS responses, at least not without asking permission first?
Yeah, if I'd bothered to read the agreement, I would have noticed that I had agreed they could have sex with my wife anytime they wanted, and my wife was required to submit... boy is my face red!
If it is an unconscionable contract, you cannot be legally held to it. The best thing to do is to guarantee the customer has adequate choices available, then the customers who care about the ISP butt-raping them will eventually gravitate to an ISP that doesn't -- or at least to one that uses lubricant.
I've abandoned my search for truth; now I'm just looking for some useful delusions.
"Hi, I'm Pat. I'm a PC."
I thought it was funny, apparently there aren't as many HHGTTU fans on Slashdot as I thought.
And it's perfectly an on-topic reference.
Security is mostly a superstition... Avoiding danger is no safer in the long run than outright exposure. - Helen Keller
1. Apple makes Kurt from Glee look straight.
2. I suspect that, based on their approach to their users, Apple would be more likely to pitch than catch.
Is it just my observation, or are there way too many stupid people in the world?
Which only exists by the good grace of mainland China.
They are a separate entity only because China decided it would be economically beneficial to allow them to remain separate. It's not a strong position for HK to be in.
Security is mostly a superstition... Avoiding danger is no safer in the long run than outright exposure. - Helen Keller
For all that Hong Kong people may have the right to demonstrate, have a separate judiciary, there are still companies operating in Hong Kong that are being pressured to conform to mainland laws...
A Hong Kong Internet company, called TOM Online, announced it had stopped using Google's search mechanism. "TOM reiterated that as a Chinese company, we adhere to rules and regulations in China where we operate our businesses," the company's parent, Hong Kong-based TOM Group, said in a statement Tuesday.
Companies owned by people/companies subject to Chinese laws, or wishing to do business in China proper, will certainly have to make decisions based on the relations they want to keep with the Chinese government. I can well imagine employees of a HK company being denied visas based on the ire of some Chinese bureaucrat. Or Chinese citizens who own an obstreperous HK company getting harassed because of the behavior of that company.
... in the course of which data is falsified. I believe we call people who do something like that "terrorists" nowadays.
Nah; we usually call them "marketing". Which is pretty much what's going on in this case.
Those who do study history are doomed to stand helplessly by while everyone else repeats it.
duckduckgo is amazing in my book - it makes me feel warm and fuzzy inside.
I tried most of the major websites and no dice with https.
Here are a few that do
https://www.blackle.com/
https://www.powerset.com/
https://www.leapfish.com/
https://www.a9.com/
honorable mention
https://www.vadlo.com/
and a mystery anyone know what's up with this
https://www.ask.com/
https://www.bing.com/
Soon ISPs will be redirecting youtube traffic to here http://www.youtube.com/watch?v=b1WWpKEPdT4
sigh.
This is only the first ISP out of the gate who wants to do this. With net neutrality on the ropes, I'm sure people at a rogue ISP have considered most of the following:
Redirect traffic to sites to the highest bidder. If search engine A wants traffic redirected from google.com, they have to bid more than search engine B.
Use throttling to discourage traffic. If Google's pages start taking 30 seconds to load up, eventually people will use another search provider. Since this can be done via ports, a traceroute or ping will not detect these shenanigans. Of course, the destination site gets blamed.
Use passive interception to build not just a profile on people's Web surfing, but with smart utilities, intercept E-mails to make a non-anonymous profile to sell to the highest bidder. One doesn't need to have full access to an E-mail server to read stuff that swings through port 25, or gets read via the Web, POP, or IMAP.
Inject ads via a Phorm like mechanism. If the ISP wants to be mean, they can "accidentally" inject ads that are handed to them by shady clients who are known to do malformed code and exploits in browsers and add-ons. Then the target site would be blamed for these.
Replace a website's ads with their own. In the early to middle part of the last decade, there was spyware that did exactly this. This would give a rogue ISP big pay per click bonuses on the expense of the website's advertisers.
Intercept registration/login info (usernames and passwords) that are sent via plain text. This can then be sold to someone who can then use the username/passwords to log in to a website or E-mail account.
Replace people's Web postings in flight. Someone posts a complaint about a business, the POST gets intercepted and it becomes praise for the product... or even worse, the content changed into libelous posts which cause the poster to be sued, and there is no way to detect this, much less prove innocence.
Replace people's reviews on products. Someone hits a local BBB website to give a thumbs down on a company due to bad service. If the mentioned company has a deal with the ISP for the presto-chango service, the thumbs down becomes a thumbs up.
Send bogus E-mails out with the correct headers. This can get sites to be blackholed, with no way to prove otherwise if some form of cryptographic signature capability isn't used. A bit on a wire is a bit on a wire.
What can websites do about this? The ideal answer would be have everything go to the end user via SSL and the problem is solved. However, SSL takes CPU power in its setup and takedown. Second would be a way of sending signed Web pages from the servers that the browser can check for tampering. Since the signature is sent with the page (and validated by a CA against the domain names used), it wouldn't add to the CPU usage of machines (other than the first signing of Web pages when they are present), and it would only add a number of lines of text, like a PGP/gpg cleartext signature. Of course, webpages with dynamic content might end up with a performance hit signing the page, but this would be nowhere near as bad as a full SSL setup/takedown. This way, a Web browser can detect if a Web page has been altered in flight and warn the user. One can also sign various iframes, so it could display which part of the page is bogus as well.
What can users do about this? Probably just as the parent poster said -- a coloced box with VPN software. One can use the coloc box for a full VPN, or use it with a program like stunnel so only the Web browser traffic gets redirected via a SSL link.
Colocing a box whose purpose is to be a VPN gateway might soon be the only way to have an Internet free of foul play pretty soon.
IANAL, but isn't it trademark infringement if your browser tries to look up Google by name and an ISP deliberately redirects to a different, similar service?
Oh for fuck's sake. This is the same thing that Network Solutions and ISPs all over the world have tried for years. Nothing new to see here, folks. Just a response to failed DNS queries that redirects to a selected search provider.
It's amazing to me that not a single person in this entire thread (at least that I detected on a fairly close skim) actually read TFA where that was made plain as day.
Switch your DNS and the problem goes away.
"Patriotism is your conviction that this country is superior to all other countries because you were born in it." -- GBS
Apple is bi or multisexual, its customers love having unprotected sex with Apple (and Jobs by proxy... hmmmm... jobs, what kind of jobs I wonder) and you know, Apple's customers are of all genders I think.
I suppose there is an App for that, iSex anyone?
no, you should buy android for that.
Wealth is the gift that keeps on giving.
TLDR, brah
If anyone actually had to Read beyond the first line to know what it said, they fail at Slashdot.
antitrust
Comcast is doing this... I have a portable version of firefox running, and comcast hijacks pages not found, and redirects it to their search, instead of allowing me to use Google!
Just because it works, Doesn't make it right. - JTM
``there's usually a way to bypass this''
Yes, there is Google Public DNS. A gratis service provided to any desiring user.
http://code.google.com/speed/public-dns/
``What is Google Public DNS?
Google Public DNS is a free, global Domain Name System (DNS) resolution service, that you can use as an alternative to your current DNS provider. ''
I don't know. Why do people complain about the waste of duplicated services, then complain about the effects of a monopoly??
Obviously because there are more than one "people" under discussion, and you want to conflate them for the sake of a good line. That is almost as whacked as the car analogy in the GP (Seriously, what metropolitan area has just three car dealerships?).
So how's your dial-up working out for you?
404: sig not found.
With Apple I get the idea that Apple's mother keeps calling every 3 days to talk about grand kids but after 34 years she still hasn't figured it out.
Calling someone a "hater" only means you can not rationally rebut their argument.
Sometimes when you post, you don't realize that many folks will take you literally rather than common idiom. However you are correct; let me restate what I said and see if we are a bit closer in our thinking.
/.'ers are talented and skilled enough to find the resources.
Why does it seem that a growing number of the population feel that they can complain about not enough things being done for them and provided to them, and yet these same people are quick to rail about injustices when everyone has partial or overwhelming responsibility to protect their own interests? That's not just ideologic, it's BIOlogical.
If you don't like the way that things are being handled "for" you "on your behalf", it is your responsibility to handle it yourself. If you are not sure what your rights are, why wouldn't you take the time to do a bit of research, especially in this community where so many
There. fixed that for me.
Browse to http://searchredirect.windstream.net./ Select "Opt Out of this Service" on the bottom right corner of the page.