US internet providers hijacking users' search queries
mysidia at gmail.com
Sat Aug 6 13:25:18 CDT 2011
On Sat, Aug 6, 2011 at 12:08 PM, Joe Provo <nanog-post at rsuc.gweep.net>wrote:
> On Sat, Aug 06, 2011 at 10:41:10AM -0400, Scott Helms wrote:
> > Correct, I don't believe that any of the providers noted are actually
> Disappointing that nanog readers can't read
> http://www.paxfire.com/faqs.php and get
a clue, instead all the mouth-flapping about MItM and https. a clue,
> instead all the mouth-flapping about MItM and https. While
Maybe instead of jumping to the conclusion NANOG readuers should "get a
you should actually do a little more research than reading a glossyware/
vacant FAQ that doesn't actually explain everything Paxfire is reported to
do, how it works, and what the criticism is?
I mean... don't you see a problem relying on _their own publication_ to
say what they are doing, when they
might like to keep their methods quiet to avoid negative attention?
Changing NXDOMAIN queries to an ISP's _own_ recursive servers is old hat,
and not the issue.
What the FAQ doesn't tell you is that the Paxfire appliances can tamper
traffic received from authoritative DNS servers not operated by the ISP.
A paxfire box can alter NXDOMAIN queries, and queries that respond with
known search engines' IPs.
to send your HTTP traffic to their HTTP proxies instead.
In addition, some ISPs employ an optional, unadvertised Paxfire feature that
redirects the entire stream of affected customers' web search requests to
Bing, Google, and Yahoo via HTTP proxies operated by Paxfire. These proxies
seemingly relay most searches and their corresponding results passively, in
a process that remains invisible to the user. Certain keyword searches,
however, trigger active interference by the HTTP proxies.
More information about the NANOG