• Welcome to Valhalla Legends Archive.
 

VeriSign redirects ALL nonexistant .com/.net domains to their site

Started by Skywing, September 15, 2003, 09:00 PM

Previous topic - Next topic

Skywing

http://slashdot.org/articles/03/09/16/0034210.shtml?tid=126&tid=95&tid=98&tid=99

Not all DNS servers have realized the change yet.

You can see it yourself by running a query on a.gtld-servers.net.

Basically, all .com/.net domains now "exist" and point to VeriSign.  I don't even want to think about how many things this breaks.

I hope that ICANN revokes their .com/.net registrar status, but it's not going to happen.

iago

eew, that's a pain.

I recommend boycotting all DNS servers as a result!
This'll make an interesting test for broken AV:
QuoteX5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*


Skywing

Quote from: iago on September 15, 2003, 09:13 PM
eew, that's a pain.

I recommend boycotting all DNS servers as a result!
Better and better.  They've got a TOS on their site which disclaims their liability for * and requires you to not use their site if you disagree.  Hmm... I wonder how to not use if if I get sent there for every typo'd domain?

Also fun to note that they're tracking which domains you miss as cookies on their wonderful catch-all...

Just another little update:
VeriSign obfuscates the source of their cookies as from 2o7.net (although they could of course change this to ANY .net or .com to foil blocking attempts).  Their JavaScript code isn't exactly easy to read either.

Anyways, they're then retrieving the obfuscated cookies with a charming 1x1 image: <img
src="http://verisignwildcard.112.2O7.net/b/ss/verisignwildcard/1/G.2-Xpd-S"
height="1" width="1" border="0" />


Here's a snippet of their obfuscated JavaScript:
s_rep(fun,'_','-'),rs='http'+(s_ssl?'s':'')
+'://'+(s_ssl?'102':unc)+'.112.2O7.net/b/ss/'+un+'/'+(s_csss?0:1)+'/G.2-Verisign-S/'
+sess+'?'+'[AQB]&ndh=1'+(q?q:'')+(s_q?s_q:'')+'&[AQE]'


Feeling insecure yet?  Well, their site is also vulnerable to cross-site injection of javascript:  http://sitefinder.verisign.com/lpc?url=asdfasdfljkasdfkjasdfljsadlfkjasdljkfasd.c'om&host=asdfasdfljkasdfkjasdfljsadlfkjasdljkfa'%3E%3Cscript%20language="javascript"%3Ealert(document.cookie);%3C/script%3EEd.com

So now literally anybody can use XSS attacks on their charming search page to retrieve all of those wonderfully interesting cookies it collects about which domains you mistype.  (Note that you'll have to work a bit to grab the cookie for 2o7.com).

I'm not normally the conspiracy-theory kind of guy, but this obvious obfuscation of the data they collect is a little bit disturbing, I think?

j0k3r

Quote from: Skywing on September 15, 2003, 09:25 PM
Quote from: iago on September 15, 2003, 09:13 PM
eew, that's a pain.

I recommend boycotting all DNS servers as a result!
Better and better.  They've got a TOS on their site which disclaims their liability for * and requires you to not use their site if you disagree.  Hmm... I wonder how to not use if if I get sent there for every typo'd domain?

Also fun to note that they're tracking which domains you miss as cookies on their wonderful catch-all...

Right. That anti-liability claim is a load of bull and they know it, it's impossible not to get re-directed there if you mistype a domain. The cookies are one thing I disagree with (I assume they are part of the TOS), and although had it not been for skywing I would not have known, I wonder how cluttered up people's harddrives will get with cookies (er not harddrive per say, % of total disk alloted(sp?) for cookies).
QuoteAnyone attempting to generate random numbers by deterministic means is, of course, living in a state of sin
John Vo

iago

hmm.. is it possible to block the host sitefinder.verisign.net so you get an error page instead of being sent there on a bad url?
This'll make an interesting test for broken AV:
QuoteX5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*


Skywing

Quote from: iago on September 15, 2003, 09:45 PM
hmm.. is it possible to block the host sitefinder.verisign.net so you get an error page instead of being sent there on a bad url?
You can block its IP address - but there is no guarantee that they won't change it.

iago

Can you block their dns, map it to 0.0.0.0 or something?  It uses a dns to display the search page, right?  Even, perhaps, map the ip to www.google.com's ip? :-/
This'll make an interesting test for broken AV:
QuoteX5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*


Skywing

Quote from: iago on September 15, 2003, 10:02 PM
Can you block their dns, map it to 0.0.0.0 or something?  It uses a dns to display the search page, right?  Even, perhaps, map the ip to www.google.com's ip? :-/
You reach their site via other peoples DNS, though.

Another update: VeriSign is running an SMTP server on their catchall and is pointing mailexchangers for nonexistant domains to it.  Hmm... so, now they get to read your outgoing mail and record your email address if you mistype the domain?

Eagle of BH

Could always redirect/map a page using the dns with the windows HOSTS file. Find the dns to the site you want to redirect and put it in the HOSTS file as #.#.#.# <google.com> or something, it will just go there instead of the actual site. If this even has anything to do with what you're talking about.

Thing

The easiest solution is to use OpenNIC's public DNS servers to do name resolution.  Go here and pick a couple of tier 2 servers.  Next, send an email to your ISP and complain.

This was suggested in a response to that Slashdot article.
That sucking sound you hear is my bandwidth.

iago

In my hosts file:
216.239.41.99 sitefinder.verisign.com

That way, at least I don't see their page :-)
This'll make an interesting test for broken AV:
QuoteX5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*


K

VeriSign's controversial "typo-squatting" SiteFinder service is about to be bypassed by an emergency software patch to many of the Internet's backbone computers:

http://www.wired.com/news/technology/0,1282,60473,00.html

iago

This'll make an interesting test for broken AV:
QuoteX5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*


UrbalT

Quote"Whether VeriSign should or should not have done this is not for us to decide. But we have to respond to our customers who are demanding it."

See, capitalism does work out in the end.

Grok

I still don't see it happening?  Still getting 404's when typing nonexistent .com and .net domains.