SafetyOnline IP Verification

Discussion in 'Prevx Betas' started by vtol, Apr 13, 2010.

Thread Status:
Not open for further replies.
  1. vojta

    vojta Registered Member

    Joined:
    Feb 26, 2010
    Posts:
    830
    Posts number 2, 11, 13, 15 and 23.

    In your last post you only quoted previous ones.

    You got us: we are stupid, you are smart. We are all in it for the eye candy.
     
  2. vtol

    vtol Registered Member

    Joined:
    Apr 8, 2010
    Posts:
    774
    Location:
    just around the next corner
    oops, sorry, was not aware that you are the speaker for all.

    the way you post just confirms it; it does not matter to you whether the feature just pleases your ego by feeling safe rather than actually contributing to safety, else you might contribute something more substantial than ranting
     
  3. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    Sorry for the lack of a response here - the Beta forums are not checked frequently because they only relate to our beta versions, and currently there aren't any beta releases so we generally would not be monitoring this forum.

    Regarding your comments - IP verification will generally only fail directly when there is a malicious website/DNS server involved and it would not require a warning when it is just waiting to be verified. We tend to take a cautious approach and wait until we are positive that the resolution is correct before marking it as trusted which is why some domains take longer than others (as well as popularity, etc.)

    Hope that answers it! Sorry again for not responding but this area of the forum is generally not used for discussions.
     
  4. vojta

    vojta Registered Member

    Joined:
    Feb 26, 2010
    Posts:
    830
    Everybody has a "knows-it-all" brother in law that ruins all the family meetings, don't believe you are so special.
     
  5. vtol

    vtol Registered Member

    Joined:
    Apr 8, 2010
    Posts:
    774
    Location:
    just around the next corner
    keep on ranting, perhaps look for another place though, if you cannot stand questions about something you are in love with. nope, still nothing substantial from you. and btw, asking questions is something contrary to 'knows-it-all', which seems to be more your kind of attitude
     
    Last edited: Apr 27, 2010
  6. vojta

    vojta Registered Member

    Joined:
    Feb 26, 2010
    Posts:
    830
    I'm in love with you, you foolish little thing. Can't you hear my heart beating?

    Let's go to the barn and let nature do its job!
     
  7. vtol

    vtol Registered Member

    Joined:
    Apr 8, 2010
    Posts:
    774
    Location:
    just around the next corner
    no worries, feedback is appreciated. perhaps have to wait then for another response until the next beta is out, will be patient. or you may take it to other forum then.

    As mentioned earlier in the thread, it happens with this forum too, which is neither a malicious nor an unpopular website.
    Malicious websites tend to be less popular, and since IP Verification depends on popularity, it sort of negates the protective nature. Isn't the goal of IP Verification to protect the user instantly from accessing malicious websites?

    And personally I can live with the IP Verification failing in SO; the mainstream browsers already do a better job there, as does NOD32 for instance.
    Perhaps also because NOD32 has a larger database of malicious websites, due to a larger number of users than Prevx and labs for research.

    Summarizing leads to conclude:

    A. IP Verification on SO will generally only fail directly when there is a malicious website/DNS server involved, thereby negating its protective cause
    B. IP Verification on SO is less effective than internet browsers and NOD32
    C. IP Verification on SO does not notify the user when failing
    D. overall protection of SO is not lessened if the IP is not validated
    E. IP Verification on SO has some leeway allowed for websites hosted via Akamai or servers that have multiple data centers in different countries
    F. IP Verification on SO is extremely dependent on the popularity of websites, which malicious websites do not tend to be

    In light of above I popped the question earlier, which so far has not been answered:

    What is IP Verification with SO worth, considering resources and network traffic?
     
  8. vojta

    vojta Registered Member

    Joined:
    Feb 26, 2010
    Posts:
    830
    It is important to verify that a malicious site is indeed malicious. It would be terrible to try to enter a scam web page and be redirected to Amazon.
     
  9. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    Yes, but there are multiple layers of this protection - IP verification is just one component of it (verifying that the IP address matches the DNS server which matches the originating website). Prevx provides background checking if the domain is malicious and this is performed automatically irrespective of the determination returned by IP verification.

    I think you are not correctly relating what IP verification is - this is not blacklisting/whitelisting/blocking: it is verifying that the domain is what the domain says it is - a feature that NOD32 and all browsers do not have.

    The list of bullet points doesn't really apply being that your interpretation of IP verification appears to be different than what the feature provides, but please let me know otherwise.
     
  10. vtol

    vtol Registered Member

    Joined:
    Apr 8, 2010
    Posts:
    774
    Location:
    just around the next corner
    First of all thanks for your patience and continued participation in this thread.

    That it is only a component is understood, and that is solely what I am inquiring about, not the other layers. However, according to you
    So, if prone to fail on malicious sites, the protective nature of this component is negated and the user is not being informed about it. How is that supposed to help the user regarding protection?


    I am getting a bit confused here; in another related thread you mentioned
    I get that it is primarily triangulation, still you mentioned blacklisting functionality, sort of contradicting? Same is for white-listing, which is nothing less than the proclaimed popularity of websites being surfed by the majority of Prevx users, rendering IP Verification obsolete on less popular websites.

    The bullet list isn't so much my interpretation but mainly quoting your various statements (not out of context) about this subject in the forums, except for B.
    Browsers and NOD32 still do a better job with malicious websites (containing malicious code but also hijacked ones), due to a large black/white list database, resulting from a large number of users.

    Unless the triangulation is improved, as well as the black/white lists, to a point where a website's IP, whether popular or not amongst Prevx users, is verified the instant it starts to load, I do fail to see the benefit of this one component; it just adds useless network and cpu/ram load, however small either might be.

    Until then I prefer to switch this particular component off, though there does not seem to be a way to do so, unless lowering the SO overall protection to level low, which is not my aim.
     
    Last edited: Apr 28, 2010
  11. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    I still suspect there is something not being understood properly here so I'll just walk through it again.

    SafeOnline is a multi-layer solution which protects the user's data, screen contents, clipboard, keyboard, and about 50+ different areas from unknown threats on the user's PC. On top of this, it provides protection from websites being redirected beneath the user, either via an LSP chain, HOSTs file, malicious DNS server, etc. SafeOnline, leveraging our 10+ million users and multiple data feeds, also protects against malicious websites via heuristics and blacklists, blocking websites before they load if they're found to contain malicious content. SafeOnline will also check for malicious proxy settings, user-level redirection attempts, and a whole raft of other potential attack targets, transparently in the background as pages load.

    Man-in-the-Middle attacks or poisoned DNS servers are a difficult area to deal with because of how many different servers there are globally, so we take two approaches to blocking MitM attacks: we blacklist known bad servers and return valid addresses for known good websites, and we triangulate the addresses of websites to heuristically find bad DNS servers. If a DNS server is returning different results that are outside the acceptable range for the website that the user is visiting, the user will be warned and redirected using clean addresses. Some websites may return "IP Not Verified" if the verification isn't complete yet, but this isn't a sign of malicious behavior: many websites are hosted on hundreds of different servers and as long as the servers are resolving to an acceptable range, SafeOnline will not need to block the visitation, although it may have not completed -all- of the verification for a website. This feature exists in addition to all of the other functionality within SafeOnline - irrespective of what type of website is being visited (a legitimate one, a malicious one, etc.) SafeOnline will ensure that the IP address of the visited domain matches what the DNS should be showing and that matches what the website itself is serving.

    I hope that helps - let me know if you have any other questions.
     
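    The "triangulation" described in the post above, as an added example that is not Prevx's code: the local resolver's answer for a domain is compared against what several independent reference resolvers return and against an allow-list of known-good address ranges (the leeway the thread mentions for CDN-hosted or multi-datacentre sites). Three outcomes fall out of that: verified, a mismatch that warrants a warning and a fallback to a clean consensus address, and an inconclusive "not verified" state that is not itself a sign of malice. All resolver answers and prefixes here are constructed sample data, so the script runs offline; the function and table names are hypothetical.

```python
"""Toy DNS triangulation check (added example, not Prevx code).

All lookups are simulated with constructed data so this runs offline; in a
real deployment REFERENCE_ANSWERS would come from live queries to resolvers
in different networks and KNOWN_GOOD_PREFIXES from a curated allow-list.
"""
import ipaddress
from collections import Counter

# Constructed: what three independent reference resolvers returned per domain.
REFERENCE_ANSWERS = {
    "bank.example": {
        "resolver-a": {"203.0.113.10"},
        "resolver-b": {"203.0.113.10"},
        "resolver-c": {"203.0.113.10"},
    },
    # CDN-hosted site: every reference resolver sees a different edge node,
    # so there is no single "correct" address to compare against.
    "cdn.example": {
        "resolver-a": {"198.51.100.21"},
        "resolver-b": {"198.51.100.77"},
        "resolver-c": {"198.51.100.130"},
    },
}

# Constructed allow-list: prefixes known to legitimately host each domain.
KNOWN_GOOD_PREFIXES = {
    "bank.example": [ipaddress.ip_network("203.0.113.0/24")],
    "cdn.example": [ipaddress.ip_network("198.51.100.0/24")],
}


def in_known_range(domain, ip):
    """True if `ip` lies inside any allow-listed prefix for `domain`."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in KNOWN_GOOD_PREFIXES.get(domain, []))


def consensus_address(domain):
    """Address a majority of reference resolvers agree on, or None.

    A quorum of (n // 2 + 1) resolvers must return the same address; for a
    CDN-hosted domain the answers diverge and no consensus exists.
    """
    refs = REFERENCE_ANSWERS.get(domain, {})
    votes = Counter(ip for answers in refs.values() for ip in answers)
    if not votes:
        return None
    top_ip, top_count = votes.most_common(1)[0]
    return top_ip if top_count >= len(refs) // 2 + 1 else None


def triangulate(domain, local_answer):
    """Classify the local resolver's answer for `domain`.

    Returns:
      "verified"     - answer is inside a known-good range, or matches the
                       reference resolvers' consensus
      "mismatch"     - references agree on an address, the local answer
                       differs and is outside every known range: treat as a
                       poisoned resolver and fall back to consensus_address()
      "not_verified" - no consensus and no covering range yet; inconclusive,
                       not evidence of a malicious site
    """
    if in_known_range(domain, local_answer):
        return "verified"
    agreed = consensus_address(domain)
    if agreed is None:
        return "not_verified"
    return "verified" if local_answer == agreed else "mismatch"


if __name__ == "__main__":
    # Constructed scenarios: clean answer, poisoned answer, unknown CDN edge.
    for domain, answer in [("bank.example", "203.0.113.10"),
                           ("bank.example", "192.0.2.55"),
                           ("cdn.example", "192.0.2.9"),
                           ("newsite.example", "192.0.2.1")]:
        verdict = triangulate(domain, answer)
        note = f" -> redirect to {consensus_address(domain)}" if verdict == "mismatch" else ""
        print(f"{domain:16} {answer:14} {verdict}{note}")
```

    The ordering matters: the allow-list is consulted first so that a CDN edge inside a known range is verified even though the reference resolvers disagree with each other, while an address the allow-list does not cover only becomes a mismatch when the references actually agree on something else. Everything that is neither is reported as not verified rather than blocked, which is the distinction the post draws between "IP Not Verified" and a detected redirection.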
  12. vtol

    vtol Registered Member

    Joined:
    Apr 8, 2010
    Posts:
    774
    Location:
    just around the next corner
    Just let me reassure you that I do understand IPV being just a component of SO, in addition to all of the other functionality of SO, and that IPV does indeed try to do its job. Yet it is designed to execute a specific task, independent from the functionality of other protection layers in SO.
    And I never mentioned nor implied that an incomplete IPV equals a malicious website; the latter can be safe and sound, or just not - chances are 50/50.
    Neither did I ask, in case of incomplete IPV, to block the access to that site; I did ask though for a visible warning to the user that IPV is lacking (or, if you prefer, not completing what it is supposed to do).

    Having said that you only keep on referring to SO as overall player. Though you concede that IPV may fail in certain scenarios, so far you mentioned two.

    To get to the point - in tests (which are irrelevant to the Prevx certification) I ran on poisoned DNS sites, where IPV makes most sense, the blacklists of various browsers as well as NOD32 are more efficient than the IPV of SO, browsers as well as NOD32 warning about or even preventing entering such sites. Still they failed here and there, and that is where IPV of SO would come in handy to complement; yet triangulation of the addresses of websites to heuristically unmask such bad DNS servers did not complete, nor does the IPV blacklist seem to be a match to those of the browsers, and subsequently the user gets onto such sites. then certainly (or hopefully) another layer of protection kicks in, either the user's brain or one of the AV products such as Prevx.

    There is no way for the P/SO user to tell whether the IPV just failed or whether it may have not completed -all- of the verification for a website, because IPV just shows the same; except it gets me thinking, if the browser stays open for several hours on MSN or Microsoft or Apple for that part and IPV is still showing "IP will be verified shortly", that something might not be working right there. I could not find a benchmark of how long it normally is supposed to take to complete IPV, considering the DNS server I am using is popular.
     
  13. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    Hello,
    We're constantly improving our protection and verification but you appear to be having subpar results. If you could send me a PM which describes your current configuration and let me know the dns servers you use and the ones you used in the tests we will investigate further.

    Thanks!
     
  14. vtol

    vtol Registered Member

    Joined:
    Apr 8, 2010
    Posts:
    774
    Location:
    just around the next corner
    there is no attachment option on the pm, but since I ran a packet sniffer with a filter on Prevx, thought that it might be helpful. Just rename the file prevx packets.txt to *.pcap and it is accessible by wireshark e.g., should provide all the necessary info.

    from the raw log, also enclosed and no need to change, there is HTTP/1.1 400 Bad Request mentioned at the end, looks a bit like the culprit to me.

    last but not least also attached a snapshot of my network configuration, fyg. System runs on WIN 7 64bit with NOD32 (4.2.40.0)

    hope that will suffice to figure the matter.
     

    Attached Files:

    Last edited: Apr 30, 2010
  15. vtol

    vtol Registered Member

    Joined:
    Apr 8, 2010
    Posts:
    774
    Location:
    just around the next corner
    hmm, sent pm, posted the traffic log and am keeping myself entertained here - or is this actually going somewhere, i.e. you got it figured?
     
  16. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    We haven't found the cause yet but we're still investigating it :) Rest assured you are certainly not being ignored! I'll check back with the team in the AM to see if there has been any more progress.
     
  17. vtol

    vtol Registered Member

    Joined:
    Apr 8, 2010
    Posts:
    774
    Location:
    just around the next corner
    cheers. resting now
     
  18. vtol

    vtol Registered Member

    Joined:
    Apr 8, 2010
    Posts:
    774
    Location:
    just around the next corner
    researched a bit about the HTTP/1.1 400 Bad Request error, which was generated by your server. It was suggested that if the server side was working ok then to clear the cache of IE, which I did.

    On top did uninstall 3.0.5.130 and installed 3.0.5.136. And suddenly IP Verification works, yet only on IE8 (both 32/64 bit, with the delay mentioned in another thread), not the tab anymore on Opera 10.53; yeah well, and those browsers I use are not supported: FF Minefield 3.7 and Iron 5.0.380
     
  19. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    I know Opera 10.53 is primarily a security update but they could potentially have changed some things in the build. I'll try testing with it a bit here to see if we can correct the behavior, but we should have another new beta coming out in the next day or so which could further improve it. I'll post back in the ongoing .136 thread when it's ready :)
     
  20. vtol

    vtol Registered Member

    Joined:
    Apr 8, 2010
    Posts:
    774
    Location:
    just around the next corner
    I was just tipping on Opera, I do not use it much anymore.

    Having said that IP Verification is now working, there are a few odd pages, though popular, where IPV would not work:

    (attached screenshot: 05-05-2010 18-49-35.png)
     
  21. pling_man

    pling_man Registered Member

    Joined:
    Feb 11, 2010
    Posts:
    599
    Location:
    UK
    I can never get the HTTPS website for Nationwide Building Society to be recognised, even if I leave it for several hours. All my other HTTPS sites I use are verified fine.
     

    Attached Files: nw.jpg
    Last edited: May 5, 2010
  22. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    I'll take a look at these websites and the ones reported by vtol but, like the 'U' files referenced in the Prevx log, just because something isn't verified doesn't necessarily mean it is malicious or that there is a problem. Some websites use dynamic services like Akamai or Amazon's EC2 platform which prevent them from being tied down to a specific IP address for direct resolution.
     