What's going on behind the scenes??

I thought I would start a new thread, even though it's somewhat related to Paranoid2000's HTTPS thread.

Sometimes you aren't going to the web server you think you are. One day, I unchecked the "Permit Browser" rule in my firewall, which means that it prompts for every outgoing attempt.

I typed in this url: blogs.msdn.com and this firewall prompt appeared:

------------------------
'Opera Internet Browser' from your computer wants to connect
to 89.67-18-200.reverse.theplanet.com [67.18.200.89], port 80
------------------------

I did a server query for that IP:

------------------------
Initiating server query ...
Looking up the domain name for IP: 67.18.200.89
The domain name for the IP address is: 89.67-18-200.reverse.theplanet.com
-------------------------

Then I did a server query for blogs.msdn.com

-------------------------
Initiating server query ...
Looking up IP address for domain: blogs.msdn.com
The IP address for the domain is: 67.18.200.89
-------------------------

What's going on here? I wrote to MSDN and received this reply:

-------------
The Planet is the new Internet Service Provider that hosts
blogs.msdn.com. We switched to the IP address 67.18.200.89, which you
are encountering. The servers assist us in blog hosting.

I would like to apologize for any inconvenience this issue has caused
you.

Should you have other questions or concerns, please feel free to write
back.

Sincerely,

xxxxxxxx

MSDN
http://msdn.microsoft.com
------------------------------

I then wrote to Opera support to inquire about possible security problems,
and received a nice reply from one of the Opera developers who
often posts to the Opera Newsgroups:

----excerpt--------------
blogs.msdn.com is hosted on the IP address 67.18.200.89, which is apparently
a server operated by the domain theplanet.com.

All browsers navigating to this site will retrieve information from that
server, which as far as they are concerned is the blogs.msdn.com server.

A single server (that is, IP-address) can host multiple hostnames
(www.domain1.com, www.domain2.com, www.domain3.com, etc.) through
something called virtual servers. This is done by configuring the
individual domains DNS servers so that the various names are translated to
the same IP address, the webserver is then told by the client which of the
addresses hosted on it it want to access.

What MSDN has done here is to outsource the blogging to a company that
specializes in such services, but assigned it a name from their own
domain. The alternatives would have been to maintain the servers and
software themselves, or use a name like msdn-blogs.theplanet.com which
might not be as acceptable and trustworthy to visitors.

The only real security threats in this situation is if the hosting server
isn't properly secured, either against external attack or against one
customer attacking another, or the IP address is somehow assigned to
another server (which would probably be a breach of contract). There is
also the possibility of DNS cache poisoning a.k.a pharming, which can be
used to take over entire sites, but that applies to ALL websites, also
those run by their owners on their own hardware.

Problems may occur with such arrangements if the domain (or the IP
address) is blacklisted for some reason, usually related to activities by
another of the hosting company's customers. This has been known to happen
to sites that are hosted by ISPs that also host servers run by people
accused of various unethical or criminal activities.

I am not familiar with theplanet.com, but I am pretty sure Microsoft
checked them out before entering into a hosting contract with them.

In short, I do not think there is a problem with MSDN's arrangements.

I hope this helped.
-----------------------------------

In this case, there is nothing malicious, just standard web hosting -- the Opera developer mentioned that Opera's own OperaMail webmail service is hosted in a similar manner -- but it does show that things aren't always what they appear to be.

I often uncheck my "Permit Browser" rule just to see what a web site is really doing...

---
Rmus

 

Nice. I emailed the developer's of SpoofStick to see if this needs to be corrected in their program, because both the FireFox and IE versions of SpoofStick don't reflect "theplanet" at all.

I'm not even sure it's supposed to, but I thought I'd ask. Pete

 

My understanding of SpoofStick is that it alerts to the use of homographs to spoof the URL, aka Phishing.

DNS cache poisoning, aka Pharming, is different, yet it would seem to me that the program should be able to display the IP address and all domain information in any case.

A firewall doesn't care whether it's Phishing or Pharming - it just displays the IP address and domain information that the browser is attempting to connect to. That's when you can check it against your known trusted addresses/domain names.

---
Rmus