What's going on behind the scenes??

Discussion in 'privacy general' started by Rmus, Apr 27, 2005.

Thread Status:
Not open for further replies.
  1. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    I thought I would start a new thread, even though it's somewhat related to Paranoid2000's HTTPS thread.

    Sometimes you aren't going to the web server you think you are. One day, I unchecked the "Permit Browser" rule in my firewall, which means that it prompts for every outgoing attempt.

    I typed in this url: blogs.msdn.com and this firewall prompt appeared:

    ------------------------
    'Opera Internet Browser' from your computer wants to connect
    to 89.67-18-200.reverse.theplanet.com [67.18.200.89], port 80
    ------------------------

    I did a server query for that IP:

    ------------------------
    Initiating server query ...
    Looking up the domain name for IP: 67.18.200.89
    The domain name for the IP address is: 89.67-18-200.reverse.theplanet.com
    -------------------------

    Then I did a server query for blogs.msdn.com

    -------------------------
    Initiating server query ...
    Looking up IP address for domain: blogs.msdn.com
    The IP address for the domain is: 67.18.200.89
    -------------------------

    What's going on here? I wrote to MSDN and received this reply:

    -------------
    The Planet is the new Internet Service Provider that hosts
    blogs.msdn.com. We switched to the IP address 67.18.200.89, which you
    are encountering. The servers assist us in blog hosting.

    I would like to apologize for any inconvenience this issue has caused
    you.

    Should you have other questions or concerns, please feel free to write
    back.

    Sincerely,

    xxxxxxxx

    MSDN
    http://msdn.microsoft.com
    ------------------------------

    I then wrote to Opera support to inquire about possible security problems,
    and received a nice reply from one of the Opera developers who
    often posts to the Opera Newsgroups:

    ----excerpt--------------
    blogs.msdn.com is hosted on the IP address 67.18.200.89, which is apparently
    a server operated by the domain theplanet.com.

    All browsers navigating to this site will retrieve information from that
    server, which as far as they are concerned is the blogs.msdn.com server.

    A single server (that is, IP address) can host multiple hostnames
    (www.domain1.com, www.domain2.com, www.domain3.com, etc.) through
    something called virtual servers. This is done by configuring the
    individual domains' DNS servers so that the various names are translated to
    the same IP address; the webserver is then told by the client which of the
    addresses hosted on it it wants to access.

    What MSDN has done here is to outsource the blogging to a company that
    specializes in such services, but assigned it a name from their own
    domain. The alternatives would have been to maintain the servers and
    software themselves, or use a name like msdn-blogs.theplanet.com which
    might not be as acceptable and trustworthy to visitors.

    The only real security threats in this situation are if the hosting server
    isn't properly secured, either against external attack or against one
    customer attacking another, or the IP address is somehow assigned to
    another server (which would probably be a breach of contract). There is
    also the possibility of DNS cache poisoning, a.k.a. pharming, which can be
    used to take over entire sites, but that applies to ALL websites, also
    those run by their owners on their own hardware.

    Problems may occur with such arrangements if the domain (or the IP
    address) is blacklisted for some reason, usually related to activities by
    another of the hosting company's customers. This has been known to happen
    to sites that are hosted by ISPs that also host servers run by people
    accused of various unethical or criminal activities.

    I am not familiar with theplanet.com, but I am pretty sure Microsoft
    checked them out before entering into a hosting contract with them.

    In short, I do not think there is a problem with MSDN's arrangements.

    I hope this helped.
    -----------------------------------

    In this case, there is nothing malicious, just standard web hosting -- the Opera developer mentioned that Opera's own OperaMail webmail service is hosted in a similar manner -- but it does show that things aren't always what they appear to be.

    I often uncheck my "Permit Browser" rule just to see what a web site is really doing...

    ---
    Rmus
     
    Last edited: Apr 27, 2005
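    An added example (not from the thread or from any of the posters) that puts the three pieces of the explanation above side by side: the forward lookup the browser performs, the reverse (PTR) lookup the firewall prompt displayed, and the Host header by which the shared server picks the right site. The DNS tables and the second tenant name are constructed to mirror the values quoted in the thread; nothing touches the network.

```python
from typing import Optional, Tuple

# Constructed records mirroring the values quoted in the thread (no real lookups).
FORWARD = {
    "blogs.msdn.com": "67.18.200.89",
    "www.domain1.com": "67.18.200.89",   # hypothetical second tenant on the same IP
}
REVERSE = {"67.18.200.89": "89.67-18-200.reverse.theplanet.com"}

def firewall_view(hostname: str) -> Tuple[str, Optional[str]]:
    """What a prompting firewall shows: the IP the browser connects to and that
    IP's PTR name, which names the hosting company, not the site typed in."""
    ip = FORWARD[hostname]
    return ip, REVERSE.get(ip)

def forward_confirmed(hostname: str) -> bool:
    """Forward-confirmed reverse DNS: does the PTR name resolve back to the same
    IP? On shared hosting this is normally False, as in the thread; that alone is
    not evidence of tampering, only a cue to check the IP against known records."""
    ip = FORWARD[hostname]
    ptr = REVERSE.get(ip)
    return ptr is not None and FORWARD.get(ptr) == ip

# Name-based virtual hosting: one IP, several sites, selected by the Host header.
SITES = {"blogs.msdn.com": "MSDN blogs front page", "www.domain1.com": "tenant one"}

def parse_host_header(raw_request: bytes) -> Optional[str]:
    """Return the lower-cased Host header value without any :port suffix."""
    head = raw_request.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    for line in head.split("\r\n")[1:]:          # skip the request line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "host":
            return value.strip().rsplit(":", 1)[0].lower() if ":" in value.strip() else value.strip().lower()
    return None

def dispatch(raw_request: bytes) -> Tuple[int, str]:
    """Choose the virtual host for a request, or reject requests that give none."""
    host = parse_host_header(raw_request)
    if host is None:
        return 400, "Host header required"
    if host not in SITES:
        return 404, "no such site on this server"
    return 200, SITES[host]

if __name__ == "__main__":
    print(firewall_view("blogs.msdn.com"), forward_confirmed("blogs.msdn.com"))
    print(dispatch(b"GET / HTTP/1.1\r\nHost: blogs.msdn.com\r\nUser-Agent: Opera\r\n\r\n"))
```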
  2. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
    Nice. I emailed the developers of SpoofStick to see if this needs to be corrected in their program, because both the Firefox and IE versions of SpoofStick don't reflect "theplanet" at all.

    I'm not even sure it's supposed to, but I thought I'd ask.

    Pete
     
  3. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    My understanding of SpoofStick is that it alerts to the use of homographs to spoof the URL, aka Phishing.

    DNS cache poisoning, aka Pharming, is different, yet it would seem to me that the program should be able to display the IP address and all domain information in any case.

    A firewall doesn't care whether it's Phishing or Pharming - it just displays the IP address and domain information that the browser is attempting to connect to. That's when you can check it against your known trusted addresses/domain names.

    ---
    Rmus
     
    Last edited: Apr 27, 2005