PSA: On DNS Hijinks and Hijacks
19 April 2008
This is a somewhat obscure technical problem, but several ISPs have recently begun hijacking lookups of mistyped or nonexistent domain names: instead of returning the NXDOMAIN error that DNS specifies, their resolvers hand back the address of an ad server.
This is bad on several levels. Wired has a story about how it’s even worse than you thought: it lets hackers (the bad kind) hijack any site on the web. The reason it reaches every site is that the ad server answers for any name that does not exist, including nonexistent hostnames under legitimate domains, so a cross-site scripting hole in the ad server runs script in the origin of whatever real domain the victim typed.
The hole was made possible by ISPs subverting the Domain Name System or DNS, which translates website names into numeric addresses. Instead of simply returning an error message to a user’s browser when a user typed the name of a website that doesn’t exist, Earthlink and others instead substitute a page of Yahoo ads and suggest alternate spellings for the non-existent site. The ads are served up by a British company called Barefruit, which pretends to actually be the non-existent domain when delivering the ads.
Due to unforeseen consequences and Barefruit’s failure to screen for rogue JavaScript code, that forgery allowed a hacker to create a perfect fraud site imitating eBay that looked in the browser address bar to actually be legitimately hosted on ebay.com.
…
“The entire security of the internet is now dependent on some random ad server run by some British company,” Kaminsky said, adding that he’d talked this week to many internet companies who were pissed, though not at him.
“I can’t secure the web as long as ISPs are injecting other content into web pages.”
Known ISPs that are doing this: Earthlink and Comcast. Verisign did this a few years ago (its Site Finder service, in 2003), but doesn’t anymore. (Instead they steal domains when you search for them, which is a different level of evil.)
The best solution is to not use affected DNS servers. If you are on Comcast or Earthlink, use OpenDNS instead. It’s reliable, very fast, and free. Note that OpenDNS also shows its own search page for mistyped names unless you turn that off in its dashboard settings, so whichever resolver you choose, confirm that it returns an NXDOMAIN error, not an address, for a name that does not exist.
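To check whether the resolver you are using does this, here is an added example (not code from the original post, nor from Barefruit or any ISP): a stdlib-only Python probe that asks a resolver for a random name under example.com and classifies the reply. A clean resolver returns RCODE 3 (NXDOMAIN) with no answer records; a hijacking resolver returns RCODE 0 with an A record pointing at its ad server. The two sample replies and the address 192.0.2.10 are constructed for illustration, not captured traffic.

```python
import secrets
import socket
import struct

QTYPE_A = 1
QCLASS_IN = 1
RCODE_NOERROR = 0
RCODE_NXDOMAIN = 3


def encode_name(name: str) -> bytes:
    """Encode a dotted name as length-prefixed DNS labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("bad label length")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name: str, txid: int) -> bytes:
    """Recursive A query: 12-byte header (RD=1) plus one question."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack(">HH", QTYPE_A, QCLASS_IN)


def skip_name(msg: bytes, off: int) -> int:
    """Offset just past a (possibly compressed) name starting at off."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # compression pointer: 2 bytes, ends the name
            return off + 2
        off += 1 + length


def parse_response(msg: bytes) -> dict:
    """Return txid, rcode and the IPv4 addresses of A records in the answer section."""
    txid, flags, qd, an, _ns, _ar = struct.unpack(">HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4  # skip QTYPE and QCLASS
    addrs = []
    for _ in range(an):
        off = skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10
        if rtype == QTYPE_A and rdlen == 4:
            addrs.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return {"txid": txid, "rcode": flags & 0x000F, "addrs": addrs}


def classify(response: bytes, expected_txid: int) -> str:
    """'clean' for a genuine NXDOMAIN, 'hijacked' for a synthesized A record,
    'unexpected' for anything else (SERVFAIL, wrong txid, ...)."""
    r = parse_response(response)
    if r["txid"] != expected_txid:
        return "unexpected"
    if r["rcode"] == RCODE_NXDOMAIN and not r["addrs"]:
        return "clean"
    if r["rcode"] == RCODE_NOERROR and r["addrs"]:
        return "hijacked"
    return "unexpected"


def check_resolver(server: str, zone: str = "example.com", timeout: float = 3.0) -> str:
    """Live probe (needs network): query the resolver over UDP/53 and classify the reply.
    A random 20-hex-char label cannot collide with a real host or a cached record."""
    txid = secrets.randbelow(65536)
    query = build_query(f"{secrets.token_hex(10)}.{zone}", txid)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (server, 53))
        data, _ = s.recvfrom(4096)
    return classify(data, txid)


# Constructed sample replies (not captured traffic) to a txid 0x1234 query for PROBE.
PROBE = "aabbccddee0011223344.example.com"
QUESTION = encode_name(PROBE) + struct.pack(">HH", QTYPE_A, QCLASS_IN)
# Honest resolver: flags QR=1 RD=1 RA=1 RCODE=3, question echoed, no answers.
HONEST_NXDOMAIN = struct.pack(">HHHHHH", 0x1234, 0x8183, 1, 0, 0, 0) + QUESTION
# Hijacking resolver: RCODE=0 plus a fabricated A record (owner name is a pointer
# to the question at offset 12) for 192.0.2.10, a documentation address that
# stands in for the ad server.
HIJACKED = (struct.pack(">HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0) + QUESTION
            + b"\xc0\x0c" + struct.pack(">HHIH", QTYPE_A, QCLASS_IN, 60, 4)
            + socket.inet_aton("192.0.2.10"))

if __name__ == "__main__":
    import sys
    print("offline samples:", classify(HONEST_NXDOMAIN, 0x1234), classify(HIJACKED, 0x1234))
    for server in sys.argv[1:]:  # e.g. python dnscheck.py 192.0.2.53
        print(server, check_resolver(server))
```

Run it with your resolver's IP as an argument; anything other than `clean` means the resolver is answering for names that do not exist. Passing `zone="ebay.com"` (or your bank's domain) to `check_resolver` tests the case the Wired story describes: a nonexistent hostname under a real domain being answered with the ad server's address.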