Block VeriSign's attempt at internet domination
Authored by: kerbaugh on Sep 20, '03 01:52:52AM

I agree that a sixty second timeout is intolerable. The problem as I see it is that this hint blocks the wrong site with the wrong rule. The Verisign process is a two-step process. When you type an incorrect URL, the Verisign DNS server actually returns an IP address, which is that of sitefinder-idn.verisign.com, not the server listed in this hint. When the browser attempts to contact this server, it sends a redirect to the sitefinder.verisign.com server. This is done so that the Verisign address correctly appears in the browser address bar. This is slightly more polite than a one-step process, which would result in the incorrect URL appearing in the address bar, although the whole thing violates every account that I've read of the DNS rules.

Blocking the sitefinder-idn.verisign.com server in the manner recommended in this hint would save a fraction of a second, but the main problem with this hint is that it suggests blocking the response when a far more efficient method would be to block the outgoing request. The system tells the browser that permission is denied for this request and the browser passes that information along immediately. Thus, the rule I use is:

sudo ipfw add 1170 deny tcp from any to 64.94.110.11 setup

I include a number with the rule because if you already have a well-constructed firewall, you need to make sure this rule precedes the rule allowing outgoing connections.



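A way to check whether a resolver is still handing back the Site Finder address for names that do not exist, as an added example that is not part of the hint or of this comment: it resolves a few random labels under a TLD and reports the single address they all share (a registry without a wildcard returns NXDOMAIN for them). The resolver functions marked constructed are stand-ins so the check runs offline; `system_resolve` uses the OS resolver and needs the network.

```python
import random
import socket
import string

SITEFINDER_IP = "64.94.110.11"  # the address the ipfw rule in the comment above targets

def random_label(length=16):
    """A lowercase label that, with overwhelming probability, nobody has registered."""
    return "".join(random.choice(string.ascii_lowercase) for _ in range(length))

def detect_wildcard(resolve, tld="com", probes=5):
    """Return the one address every random probe name under `tld` resolves to.

    Returns None as soon as a probe gets an honest NXDOMAIN (resolve() -> None)
    or if the probes disagree. `resolve(name)` -> IPv4 string or None.
    """
    answers = set()
    for _ in range(probes):
        addr = resolve(f"{random_label()}.{tld}")
        if addr is None:
            return None  # at least one non-existent name was reported as such
        answers.add(addr)
    return answers.pop() if len(answers) == 1 else None

def is_sitefinder_hijacked(resolve, tld="com"):
    """True when the wildcard answer is the address the firewall rule blocks."""
    return detect_wildcard(resolve, tld) == SITEFINDER_IP

def system_resolve(name):
    """Ask the OS resolver; None on a lookup failure (needs the network)."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None

# Constructed stand-ins for the two situations the comments describe (offline).
REGISTERED = {"example.com": "192.0.2.10"}  # constructed zone data

def sitefinder_resolve(name):
    """Registry wildcard: every unregistered .com name answers with Site Finder."""
    if name in REGISTERED:
        return REGISTERED[name]
    return SITEFINDER_IP if name.endswith(".com") else None

def honest_resolve(name):
    """Normal behaviour: unregistered names get NXDOMAIN."""
    return REGISTERED.get(name)
```

Pass `system_resolve` to `detect_wildcard` to test the resolver your machine actually uses.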
Umm, no.
Authored by: sebastienb on Sep 22, '03 05:00:06PM
Here's the complete 'transcript' of my trying to get a non-existent domain:
+++GET 7258+++
GET / HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; Avant Browser [avantbrowser.com]; .NET CLR 1.1.4322)
Host: adsfasdfkjhdflkjaslfkj.com
Connection: keep-alive

+++RESP 7258+++
HTTP/1.1 302 Found
Date: Mon, 22 Sep 2003 20:55:52 GMT
Server: Apache
Location: http://sitefinder.verisign.com/lpc?url=adsfasdfkjhdflkjaslfkj.com&host=adsfasdfkjhdflkjaslfkj.com
Connection: close
Transfer-Encoding: chunked
Content-Type: text/html; charset=iso-8859-1
+++CLOSE 7258+++

+++GET 7259+++
GET /lpc?url=adsfasdfkjhdflkjaslfkj.com&host=adsfasdfkjhdflkjaslfkj.com HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; Avant Browser [avantbrowser.com]; .NET CLR 1.1.4322)
Host: sitefinder.verisign.com
Connection: keep-alive

+++RESP 7259+++
HTTP/1.1 200 OK
Date: Mon, 22 Sep 2003 20:55:52 GMT
Content-Encoding: gzip
Content-Type: text/html;  charset=UTF-8
Transfer-Encoding: Chunked
Connection: Close
+++CLOSE 7259+++

+++GET 7260+++
GET /b/ss/verisignwildcard/1/G.2-Verisign-S/s2266934808526?[AQB]&ndh=1&t=22/8/2003%2016%3A55%3A51%201%20240&pageName=Landing%20Page&ch=landing&server=US%20West&c1=adsfasdfkjhdflkjaslfkj.com&c2=adsfasdfkjhdflkjaslfkj.com%20%2800/00%29&c3=adsfasdfkjhdflkjaslfkj.com%20%28DYM%29&c12=No&c13=00&c14=No&c15=00&c16=Yes&c17=15&c22=NOT%26%2332%3BSET&g=http%3A//sitefinder.verisign.com/lpc%3Furl%3Dadsfasdfkjhdflkjaslfkj.com%26host%3Dadsfasdfkjhdflkjaslfkj.com&s=1024x768&c=24&j=1.3&v=Y&k=Y&bw=1016&bh=581&ct=lan&hp=N&[AQE] HTTP/1.1
Accept: */*
Referer: http://sitefinder.verisign.com/lpc?url=adsfasdfkjhdflkjaslfkj.com&host=adsfasdfkjhdflkjaslfkj.com
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; Avant Browser [avantbrowser.com]; .NET CLR 1.1.4322)
Host: verisignwildcard.112.2o7.net
Cookie: s_vi_fubycywx7Egyx7Ctsqbt=[CS]v4|3F6F606000007A5E-A000A9400000001|3F6F6060[CE]
Connection: keep-alive

+++RESP 7260+++
HTTP/1.1 200 OK
Date: Mon, 22 Sep 2003 20:55:53 GMT
Server: Apache/1.3.26 (Unix) mod_ssl/2.8.10 OpenSSL/0.9.6e
Set-Cookie: s_vi_fubycywx7Egyx7Ctsqbt=[CS]v4|3F6F606000007A5E-A000A9400000001|3F6F6060[CE]; Expires=Sat, 20 Sep 2008 20:55:53 GMT; Domain=.2o7.net; Path=/
Expires: Sun, 21 Sep 2003 20:55:53 GMT
Last-Modified: Tue, 23 Sep 2003 20:55:53 GMT
Cache-Control: no-cache, no-store, must-revalidate, max-age=0, proxy-revalidate, no-transform, pre-check=0, post-check=0, private
Pragma: no-cache
ETag: 3F6F61D9-78E3-77E919DF
P3P: policyref="/w3c/p3p.xml",CP="NOI DSP LAW NID PSA OUR IND NAV STA COM"
xserver: www136
Content-Length: 43
Connection: close
Content-Type: image/gif
+++CLOSE 7260+++
I don't see that other domain you mentioned. It's also interesting to see the cookies these guys try to set on a browser.

Re: Umm, no.
Authored by: gschueler on Sep 22, '03 09:52:13PM

No, there is no extra redirect, but the reverse DNS lookup on 64.94.110.11 returns "sitefinder-idn.verisign.com"

$ dig -x 64.94.110.11
...
;; ANSWER SECTION:
11.110.94.64.in-addr.arpa. 2m14s IN PTR sitefinder-idn.verisign.com.

which is probably what he meant.



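An added example (not code from either comment) that parses the `+++GET n+++` / `+++RESP n+++` / `+++CLOSE n+++` transcript format posted above and summarises the path the browser was walked through (typed host, sitefinder.verisign.com, then the 2o7.net beacon) together with the cookies set by hosts the user never typed. The embedded transcript is a constructed, shortened copy of the one posted.

```python
import re
# Constructed, shortened copy of the transcript posted above (same +++ markers).
SAMPLE = """+++GET 1+++
GET / HTTP/1.1
Host: adsfasdfkjhdflkjaslfkj.com
+++RESP 1+++
HTTP/1.1 302 Found
Location: http://sitefinder.verisign.com/lpc?url=adsfasdfkjhdflkjaslfkj.com
+++CLOSE 1+++
+++GET 2+++
GET /lpc?url=adsfasdfkjhdflkjaslfkj.com HTTP/1.1
Host: sitefinder.verisign.com
+++RESP 2+++
HTTP/1.1 200 OK
+++CLOSE 2+++
+++GET 3+++
GET /b/ss/verisignwildcard/1/s2266934808526 HTTP/1.1
Host: verisignwildcard.112.2o7.net
+++RESP 3+++
HTTP/1.1 200 OK
Set-Cookie: s_vi=CONSTRUCTED; Domain=.2o7.net; Path=/
+++CLOSE 3+++
"""
MARK = re.compile(r"^\+\+\+(GET|RESP|CLOSE) (\d+)\+\+\+$")

def parse_transcript(text):  # -> {n: {"request": [...], "response": [...]}}
    exchanges, current = {}, None
    for line in text.splitlines():
        m = MARK.match(line)
        if m:  # a marker selects the block the following lines belong to (CLOSE: none)
            e = exchanges.setdefault(int(m.group(2)), {"request": [], "response": []})
            current = {"GET": e["request"], "RESP": e["response"], "CLOSE": None}[m.group(1)]
        elif current is not None and line.strip():
            current.append(line)
    return exchanges

def header(lines, name):  # value of header `name`, skipping the request/status line
    hits = [v.strip() for k, _, v in (ln.partition(":") for ln in lines[1:]) if k.strip().lower() == name.lower()]
    return hits[0] if hits else None

def summarise(exchanges, typed_host):  # redirect path + cookies from hosts the user never typed
    hops, foreign = [], []
    for _, e in sorted(exchanges.items()):
        host, status = header(e["request"], "Host"), e["response"][0].split()[1]
        hops.append((host, status))
        cookie = header(e["response"], "Set-Cookie")
        if cookie and host != typed_host:  # third-party cookie, as in the 2o7.net hop above
            m = re.search(r"domain=([^;]+)", cookie, re.I)
            foreign.append((host, m.group(1).strip() if m else host))
    return {"hops": hops, "foreign_cookies": foreign}
```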
Block VeriSign's attempt at internet domination
Authored by: gsdali on Sep 25, '03 01:39:47PM

This works perfectly, thanks. It restores the functionality of the internet.

Now, any idea of how to block this on my Conexant router?

---
--
Ed Lynch-Bell
dali@zerointegrity.co.uk


