ISP Is Bypassing Firefox's Location Bar Search
It was only a matter of time before ISPs began doing more than just redirecting failed DNS requests to their own pages.
An anonymous reader writes "It looks like the largest ISP in Hong Kong has started bypassing search results from Firefox's location bar (which typically uses Google), forcing their own search provider (yp.com.hk) onto their users. ... Can an ISP just start re-directing search traffic at will?"
It looks like the largest ISP in Hong Kong
I never knew that Hong Kong was in the United States.
Use a VPN provider of your choice.
Can an ISP just start re-directing search traffic at will?
Not in my book. My ISP started doing some redirection and they got an immediate complaint from me. In person, at their local office. If there was an alternative to their service I would have switched ISPs immediately.
"while democracy seeks equality in liberty, socialism seeks equality in restraint and servitude." de Tocqueville
If these idiots are too dumb to handle being a dumb pipe, we have no choice but to encrypt everything.
And that's why we should start using encryption for everything...
`echo $[0x853204FA81]|tr 0-9 ionbsdeaml`@gmail.com
The article is a single post on a forum from one user with no follow-up. Can anyone else confirm the allegation?
So if this is the future...where's my jet pack?
As shown by the recent Comcast - FCC ruling, ISPs can barely be regulated at all (and therefore can do anything they want).
Well, as someone else pointed out, this is an ISP in Hong Kong, not the US. While most of the "harmonizing" efforts of the Chinese government have been passive toward the consumer of the "non-harmonious" content, I would fear that this is a sort of precursor towards ISPs in China being required to pass search terms linked to individuals/accounts/addresses to the government for non-harmonious search terms indicating a level of dissent associated with that individual. Call me a tin foil hat but I haven't been too impressed with what's going on out in China. While you might claim it's overhead and too expensive, I guess we might start talking about https (port 443 secure) traffic even for search terms to avoid this inspection? Even that's naive though as the government could just ask the inside search provider for the data ... or failing that block that port on that provider.
My work here is dung.
This is as sleazy as it gets for an ISP. I hope firefox and google set up some sort of trusted cert and use HTTPS for the traffic from that bar. That might make it much harder for them to do man-in-the-middle attacks of the sort. Google could sue the ISP for impersonation or something similar.
Most people still believe that just because you can legally do something, doesn't mean you should. When businesses do every sneaky, duplicitous thing they can to make a buck, they push that natural tendency toward expecting civility and something resembling high-mindedness in civilized people straight into the Socialist camp.
As a Capitalist, that really offends me. If businesses want to be treated laissez faire then they damn well better learn to make society not feel like they're a bunch of crooks who care so little about the common good that if regulators aren't going Big Brother on them every nanosecond they'll steal everything that isn't nailed down and cheat everyone who isn't paying 110% attention to every detail of their lives.
You can try. It might even work this time. But they can also choose to misdirect the request based on the IP address because they literally are the man in the middle, your traffic must pass through their routers.
This is, after all, a Chinese city redirecting search traffic away from Google. Hardly surprising, considering the recent lack of love between the Chinese government and Google (even though Hong Kong is *supposedly* exempt from much of China's more repressive policies).
SJW: Someone who has run out of real oppression, and has to fake it.
Exhibit A: OpenDNS
http://forums.opendns.com/comments.php?DiscussionID=226
I never knew that Hong Kong was in the United States.
It's rude to derail a rant with logic.
A perfect example of why we need net neutrality rules in place. An ISP should not be allowed to modify packets or redirect packets to/from known destinations.
We were all warned a long time ago that MS products sucked, remember the Magic 8 Ball said, "Outlook not so good"
This IS Slashdot, right? Let's look at the technical limitations here. As long as your ISP does not block DNS requests then you can use any DNS provider you want and therefore bypass any redirection. If an ISP started blocking the use of other DNS servers then I'd say it's time to jump ship.
My US ISP recently started doing this (windstream.com). This was done without any real notice and turned on by default. Granted, there is a link in the redirected search results to turn it off.
Do you really believe the average firefox user has the technical know-how to even understand what a DNS server is, let alone how to set up and configure one, even if it is "trivially easy" for you? Please...
Interested in French?
I use a small, local telephone company for my DSL. They're reliable, not the fastest or the cheapest, but hey, it's pretty much a monopoly unless I want the cruddy cable service provider that is unreliable in their connectivity and just as expensive.
For six years now I've dealt with this. At work I just type a keyword and end up at the site I wanted. At home I do that by mistake and I get a page with an advertisement for something local saying the page couldn't be found.
Extremely annoying, but I don't have much choice as I don't want cable or their cruddy service, so I deal with it.
They could even be sleazy and open up shops that almost look like the same name depending on the font used.
Shop at Arnazon.com!
It's also very easy for your ISP to intercept all DNS queries, regardless of where they're being sent, and handle them themselves. I know of an ISP that does this.
It would, of course, be possible to run an encrypted tunnel to a remote machine with a caching DNS server on it, then direct all your queries to that. I suspect this is far beyond the ken of most normal users. Just setting up a caching name server is beyond the ken of normal users. Most of them can handle turning computers on and clicking icons. Some of them have problems with that.
Yeah, I had a sig once; I got bored of it.
They don't block DNS requests, they just send all port 53 traffic to their DNS server.
There are a lot of areas with a single good internet option (where 'good' means decent bandwidth and latency). Jumping ship may not be a realistic option.
If any high tech company is going to come out of the closet, it would be apple.
Thank [deity].
I saw that this article was tagged "opendns" and for a moment thought with horror that people were tagging it that as a kind of suggestion that using OpenDNS was a solution to this. It seems like every single fucking time an article comes up about ISPs doing something wrong (generally messing with NXDOMAIN) people come out of the woodwork to suggest using OpenDNS, even though they do the exact same thing and there are plenty of perfectly standards compliant and free DNS providers to choose from.
Your link is actually incredibly relevant, thanks.
"linux is just DOS with a UNIX like syntax" -- Galactic Dominator (944134)
The EICAR test "virus" is used to see if you have working AV which is blocking threats that are downloaded from the network.
Please see the FAQ.
Test your net with Netalyzr
Caffeine deficiency this morning? ;)
What firefox does is first try to do DNS lookups for:
foo
foo.com
www.foo.com
before launching the google search.
Thus NXDOMAIN wildcarding (which is unfortunately growing very common, distressingly so in our data) will mess up the firefox behavior by causing one of the three names to resolve to the "helpful" search page belonging to the ISP.
Test your net with Netalyzr
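Added example, not part of the original comment: a Python check for the NXDOMAIN wildcarding described above. It resolves random names that should not exist, then labels each of the three names Firefox is said to try. The fake resolver, the zone contents and the 192.0.2.x / 198.51.100.x addresses are constructed so the check also runs offline.

```python
import secrets
import socket


def firefox_candidates(keyword):
    """Names tried, per the comment above, before the search fallback."""
    return [keyword, f"{keyword}.com", f"www.{keyword}.com"]


def system_resolver(name):
    """Resolve through the OS resolver; empty set means no answer (NXDOMAIN)."""
    try:
        infos = socket.getaddrinfo(name, 80, proto=socket.IPPROTO_TCP)
    except (socket.gaierror, UnicodeError):
        return set()
    return {info[4][0] for info in infos}


def make_fake_resolver(zone, wildcard_ip=None):
    """Constructed stand-in for offline runs: `zone` maps names to addresses,
    and `wildcard_ip`, if set, is returned for every name not in the zone."""
    def resolve(name):
        if name in zone:
            return set(zone[name])
        return {wildcard_ip} if wildcard_ip else set()
    return resolve


def wildcard_addresses(resolve, probes=None):
    """Addresses handed back for names that should not exist at all."""
    if probes is None:
        # 32 random hex characters: not a registered name in practice.
        probes = [f"{secrets.token_hex(16)}.com" for _ in range(3)]
    found = set()
    for name in probes:
        found |= resolve(name)
    return found


def classify_keyword(keyword, resolve=system_resolver, probes=None):
    """Label each Firefox candidate as nxdomain, wildcard or resolves."""
    wild = wildcard_addresses(resolve, probes)
    labels = {}
    for name in firefox_candidates(keyword):
        addrs = resolve(name)
        if not addrs:
            labels[name] = "nxdomain"
        elif addrs & wild:
            labels[name] = "wildcard"
        else:
            labels[name] = "resolves"
    return {"wildcard_addresses": wild, "candidates": labels}


if __name__ == "__main__":
    # Constructed zone using documentation address ranges (RFC 5737).
    zone = {"example-shop.com": {"198.51.100.7"}}
    hijacking = make_fake_resolver(zone, wildcard_ip="192.0.2.53")
    print(classify_keyword("example-shop", hijacking))
```

Calling `classify_keyword("foo")` with no resolver argument runs the same check against the system's configured DNS.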
Well. Thank God that like most /.'ers you realize that getting FP is way more important than the content of your post.
Why is it so hard to only have politicians for a few years, then have them go away?
Heck, it happens here in the USA. I'll name names too - Windstream Communications. As of a couple months ago they started redirecting our google search bars to their custom search portal. Annoyed the hell out of me. Emailed, but apparently got dumped into the bucket of spam/"unhappy customer, please ignore".
This isn't new, and this isn't NXDOMAIN hijacking. Windstream, a US DSL provider, was already caught red-handed doing this. Not only this but they also refuse to answer very specific questions asked (see http://www.dslreports.com/forum/r24059591-DPILayer7NXDOMAIN-Privacy-questions-re-Windstream-DSL) and provide a paper-thin excuse as to why it's happening (see http://www.dslreports.com/forum/r24074065-Our-Response-to-Redirect-Service-Concerns).
Affected users are not using the ISP's DNS servers, this is not NXDOMAIN hijacking. This is layer 7 inspection, the sheer fact the URL was transformed, being carefully re-written, from the URI passed to 'www.google.com' discredits what Windstream has said entirely.
When a user performs a search using the Firefox search bar against Google, HTTP/1.1 is used with an HTTP method of GET against Google. The following URI is constructed:
q=[search criteria]
ie=[encoding]
oe=[encoding]
aq=
rls=[browser]
So, when I search against Google I pass ?q= for my search term.
When this is redirected to searchredirect.windstream.net the URI is transformed, with the ?q= parameter being extracted. Windstream's site uses this URI structure:
search=[search criteria]
src=[integer value, likely points to an RDBMS based on HTTP_REFERER]
Windstream is not disclosing the truth. For this behavior to occur you would have to be using an MITM proxy or DPI; either way they are inspecting layer 7 traffic, extracting the ?q= URI string passed to Google, and either transparently or via HTTP 302 redirecting customers to searchredirect.windstream.net
They got caught, red handed, and have been fabricating mis-truths from the start.
How HTTP/1.1 GET against /search?q=my_search_term becomes /search.php?search=my_search_term without some form of Layer 7 is impossible. This CANNOT be NXDOMAIN.
Clearly they're not disclosing the full details or hiding behind careful sentence structure and semantics. It appears that there is now an industry initiative and a company behind this search harvesting and privacy invasive technology which is being sold to ISPs. Expect more to come, this isn't isolated to overseas, it's already happening right here in the US.
-SirMeowmix_I
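Added example, not part of the original comment: a Python check that compares the URL a browser requested with the URL it landed on and reports whether a query value was moved to a differently named parameter on another host, the `q=` to `search=` pattern the comment describes. The function names, verdict labels and sample values are constructed; the host, path and parameter names are the ones quoted in the comment.

```python
from urllib.parse import parse_qs, urlsplit

MIN_VALUE_LEN = 3  # ignore very short values that could match by coincidence


def carried_parameters(request_url, landing_url):
    """Pairs (request_param, landing_param) that carry the same value."""
    req = parse_qs(urlsplit(request_url).query)
    land = parse_qs(urlsplit(landing_url).query)
    pairs = []
    for req_name, req_values in req.items():
        wanted = {v for v in req_values if len(v) >= MIN_VALUE_LEN}
        for land_name, land_values in land.items():
            if wanted & set(land_values):
                pairs.append((req_name, land_name))
    return sorted(pairs)


def classify_redirect(request_url, landing_url):
    """Describe how the landing URL relates to the original request."""
    req_host = (urlsplit(request_url).hostname or "").lower()
    land_host = (urlsplit(landing_url).hostname or "").lower()
    pairs = carried_parameters(request_url, landing_url)
    renamed = [(a, b) for a, b in pairs if a != b]
    if req_host == land_host:
        # A resolver-level change alone leaves the URL in the address bar as-is.
        verdict = "same-host"
    elif renamed:
        # The value was read out of the request and re-emitted under a new
        # name: something parsed the HTTP request itself.
        verdict = "query-rewritten-to-other-host"
    elif pairs:
        verdict = "query-forwarded-to-other-host"
    else:
        verdict = "other-host-no-query-carryover"
    return {
        "request_host": req_host,
        "landing_host": land_host,
        "renamed": renamed,
        "verdict": verdict,
    }


# Constructed sample: parameter names from the comment, values made up.
SAMPLE_REQUEST = (
    "http://www.google.com/search"
    "?q=example+search+term&ie=utf-8&oe=utf-8&aq=&rls=example-browser"
)
SAMPLE_LANDING = (
    "http://searchredirect.windstream.net/search.php"
    "?search=example+search+term&src=12"
)

if __name__ == "__main__":
    print(classify_redirect(SAMPLE_REQUEST, SAMPLE_LANDING))
```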
a fair followup to show that mainly OpenDNS was just trying to fix what google/dell/others? broke:
http://blog.opendns.com/2007/05/22/google-turns-the-page/
You mean, there are cities outside the united states ?
Apple isn't gay, they're just metrosexual. That way they get to look fashionable without actually taking it in the butt.
All Google needs to do is modify their search bar to encrypt the outbound search string using Google's public key. By doing that, it makes it difficult to intercept whatever search is being done.
That was the turning point of my life--I went from negative zero to positive zero.
opt-out bad, mmmkay ?
What a depressingly stupid machine.
Sure they can, and by the federal government, too. Congress just hasn't yet given the FCC that power.
So in general they could be regulated, but in practice not yet.
Write your representatives! Repeal the 2nd Law of Thermodynamics!
Like another poster also pointed out: Hong Kong is not China. It is politically part of China, but for all practical reasons it acts as a different country (and you as not being involved in the world political stage should simply consider it as such, much closer to the everyday reality):
Separate currency, the Hong Kong dollar, linked at 7.8 to the US dollar and fully convertible (can't say that of the yuan).
Borders with China. I am Hong Kong resident, and still need to buy a visa to enter China.
Hong Kong is a free port for import and export of goods and services. China is pretty thoroughly locked down, import duties of goods to China are huge. Really.
Hong Kong has an open, accountable judiciary, with a strong respect for the rule of law. The exact opposite of the other side of the border.
Hong Kong has press freedom, and not just official.
Hong Kong people have the right to demonstrate, and do so. In 2003, half a million people took to the streets - or about 7% of the total population. It sent shock waves throughout the country, all the way to Beijing. Something like that would never be allowed in China.
And last but not least Hong Kong has the permission from Beijing's overlords to move towards full democracy.
Nope, sure doesn't. And they can sniff out a DNS request even if you find a DNS host that was amenable to using another port.
So what you really need is a DNS service that sends and receives encrypted requests over a non-standard port.
Then you can get around it. Hosting your own DNS does no good, as it still comes through your ISP's DNS first. Hard-coding Google's IP address would work short term for Google search, but if it catches on they'll just start redirecting all Google traffic instead of just DNS requests.
My host only reroutes failed DNS requests to their own shitty search, but it's still annoying as hell.
Security is mostly a superstition... Avoiding danger is no safer in the long run than outright exposure. - Helen Keller
My ISP (Frontier) was doing this as well, even worse, when you opted out you still actually got the wrong response from DNS, it would detect your browser and give back an error page that looked similar, but not quite the same (at least that's what it did for Firefox). I noticed because the error page looked a little different and the URL was clearly wrong. I ended up switching to Google DNS until my contract was up, and then switching to the local cable monopoly (I suppose they do something similar, but I haven't noticed since I'm still using Google).
However, I'm obviously a lot more technically savvy than the average user, or even the average tech support person (they couldn't understand the problem). ISPs shouldn't be doing this, router manufacturers should start shipping their products to default to Google DNS, it's faster anyway.
The right to protest the State is more sacred than the State.
DNSSEC prevents tampering, if I understand it right. If you request an answer from server X, the client won't accept an answer from any other server, thus preventing man-in-the-middle attacks like this.
Alternatively, you can redirect all or part of the traffic through a VPN or secure proxy. Even Tor, if you compensate the long delays with some DNS caching, as provided by pdns or other caching server (even if you don't need it, it's awesome, I tell you! Every request after the first takes 0ms).
Dilbert RSS feed
I find it quite disgusting that an ISP can fuck with your traffic like this on an "opt-out" basis. If I send a search query to Google, then I wanted my search results from Google, dammit! If I wanted to use your shitty, 3rd rate search engine which gives you a kickback, I would have sent my search query to them. If they want to do something like this, it should be mandatory opt-in, and I should get a discount on my bill for using the provider which gives you a kickback.
For all that Hong Kong people may have the right to demonstrate, have a separate judiciary, there are still companies operating in Hong Kong that are being pressured to conform to mainland laws...
A Hong Kong Internet company, called TOM Online, announced it had stopped using Google's search mechanism. "TOM reiterated that as a Chinese company, we adhere to rules and regulations in China where we operate our businesses," the company's parent, Hong Kong-based TOM Group, said in a statement Tuesday.
Companies owned by people/companies subject to Chinese laws, or wishing to do business in China proper, will certainly have to make decisions based on the relations they want to keep with the Chinese government. I can well imagine employees of a HK company being denied visas based on the ire of some Chinese bureaucrat. Or Chinese citizens who own an obstreperous HK company getting harassed because of the behavior of that company.
duckduckgo is amazing in my book - it makes me feel warm and fuzzy inside.
I tried most of the major websites and no dice with https.
Here are a few that do
https://www.blackle.com/
https://www.powerset.com/
https://www.leapfish.com/
https://www.a9.com/
honorable mention
https://www.vadlo.com/
and a mystery anyone know what's up with this
https://www.ask.com/
https://www.bing.com/
Kind of a technicality really. The existing laws granting FCC authority just don't spell it out. A forgiving interpretation of the intent of the law leads me to believe congress did intend for the FCC to regulate all activities of companies using government granted monopolies.
The free market is powerless in a pseudo-monopolistic environment. Companies (and I mean specifically Qwest, Comcast, AT&T Wireless, AT&T, Sprint, Verizon Wireless and others) have shown and will continue showing that they are unable to provide a service consumers want without applying unscrupulous terms, practices, price gouging, or without violating privacy of their customers.
Congress needs to get this figured out. Consumers don't have many broadband choices and the companies in the market now are abusive bullies.
You can't legislate goodness. Let each to his own destiny, by will of his freely made choices.
My understanding of the issue is that telcos are alternating between how they are classified. First, they wanted to be classified in such a way that they could receive gov't grants to build infrastructure. Then to reclassify so they do not need to license their infrastructure to competitors. Then to reclassify to avoid FCC regulation.
I agree, Congress needs to get their heads out of their asses. They either need to be regulated, or forced to compete.
Write your representatives! Repeal the 2nd Law of Thermodynamics!
You're largely correct.
They shift their stance based on what they're asking for. Just 2 weeks ago, AT&T defended the FCC (in a case against Comcast) because it feared losing universal service fee money because of the "telecommunications carriers" classification. I don't pretend to be an expert...
but it seems fairly obvious that when there are tax dollars to be handed out to build infrastructure, the telecoms are all out there with their hands open ready and willing. But when it comes time for the FCC to enforce consumer fairness and openness on the internet (that we taxpayers paid AT&T and others to build a backbone for), they cry foul.
Politicians seem spineless when it comes time to intervene.
You can't legislate goodness. Let each to his own destiny, by will of his freely made choices.
At least we nomads only have to worry about that storm - unlike Americans who are hit by a constant barrage of tornados, hurricanes, earthquakes and volcanos and who have to deal with the sparse vegetation going up in lethal firestorms every other year or so.
Seriously, it's a wonder there's any life at all on North America. No wonder you invented nuclear weapons; anything less doesn't even register against the hellish conditions of that purgatory-like continent you live on.
USE HOT GRITS WITH STATUE OF NATALIE PORTMAN (NAKED AND PETRIFIED)