@ yeah, right.

You can climb down from your soap box now! To suggest that every programmer should be at the same level of learning regarding securely written code is completely preposterous.

BareFruit put their solution out on trial, and an error returned. Trial and error is still one of the finest methods for learning. Now, if you're unable to learn from your repeated mistakes, then I'd say you're an even worse programmer than one who unintentionally writes insecure code, and should probably consider a change in hobby or career.

27 minutes?

Er, where's the unit test plan, test evidence etc? Or system test? Or user acceptance testing? Or integration testing?

Very professional outfit, by the sound of it.

I own the domain, but not the subdomains?

To me the problem here is that if I own a site the ISP can make any subdomains under it show whatever they want. At the moment it seems to be ads, but surely they could put a rival service there. Maybe if someone made cheapmp3s.itunes.com point to a different store and started marketing that address then there would be enough fuss created which would hopefully ensure that when someone owns a domainname people cannot legally redirect subdomains for any reason (mistyped or otherwise)

Basic net connectivity

Remember you pay for the connection, that's all - you should be pathetically grateful if your ISP deigns to offer premium services such as DNS on top of that connection. Its only natural that they should protect their bottom line by forcing you to watch ads. Customers make such unreasonable demands, just the other day I heard of someone complaining that they'd been disconnected for over two weeks! Did the previous year of 72% uptime count for nothing?

In laymans terms

We are only as safe as our ISP is trustable . Does that include BT and PHORM ?.

Cookies and cream

Cookies can be set to different hosts in a domain, that one is a bit of red herring.

But things like flash, active X and Java vulnerabilities, and trust across the domain is compromised a bit.

I imagine the practice is going to stop very soon - one lawsuit will negate all possible advertising revenue, as everyone else will just pile in, and sue away.

Trust in the domain is not a bug - it is what enables the web to work - it is the security holes in ActiveX, Java, Flash and the Browser that enable the penetration. ISPs are just increasing the vector points with this practice, so if they use practices that are not secure or get compromised it is a bit similar to your domain being compromised.

Yes, they do need to stop this practice but unfortunately the pricing models are based on it.

404 for non existent domains?

If you are getting 404 responses for unknown domains, then there is some proxy between you and the (non-existent) website.

You should only get HTTP responses from domains that can be resolved.

I agree with the previous poster: opendns.org

that takes the ad serving out of the ISPs hands, nearly completely. I'm sure they will find a workaround eventually, but for now we have an alternative.

Scott

@james

"then there is some proxy between you and the (non-existent) website."

Yeah. The ISP.

Disabling RoadRunner 404 Redirect

If you're a RoadRunner customer, you can disable the 404 redirect they're imposing at the following page:

http://ww23.rr.com/prefs.php

Now my question is: If I disable the 404 redirect that they're imposing (at the above link), does this protect me from the PiTMA vulnerability described in this article?

@ the coder crowd

Chill, dude. The prob here is not with buggy code but with exploit allowed by shameless sub-domain pimping by the ISP. Which is BAD. Especially as you PAY for domain names...

I may be missing something, but...

...when I pay my (yearly) dues to a registrar, it is my understanding that I also get the right to any sub-domains. So for example, because I paid for blah.com, then www.blah.com, ftp.blah.com or even library.blah.com are mine (and only mine) to use.

So if I understand correctly, these people are trying to make money using domain names which are legally mine.

Isn't that domain-hijacking?

Site owners should address this problem

This is a form of DNS hijacking, and website owners should prevent it by:

* Having their name servers handle requests for non-existent sub-domains (e.g. redirect users to the www domain by default)

* Using secure communications always (i.e. always https).

Someone should also maintain a list of ISPs using this technique that other sites can query. When a user queries a non-existent domain from an IP owned by one of these ISPs the domain owner could optionally display a message, "You are seeing this page to prevent your ISP, <insert ISP name here>, from hijacking your request. If you believe your ISP should not be involved in DNS hijacking, please contact your IPSs customer service department. Click here to learn more".

Because there is a cost involved in every customer service call, and calls about DNS hijacking would lengthen the wait time for customers with other queries, I bet the practice would stop soon enough.

Various

@Alastair

No - just no. My domain is not used solely for web services - something I believe to be true for a lot of domains. Why on earth should 'phone2.exmaple.com' redirect someone to www.example.com? The DNS query stage doesn't include service information - so there's no way to tell whether the lookup is for the purposes of web access.

@Barbara Moore

If by "text part" you mean the plain text version of the email, the chances are that those are not the real destinations that you would be sent to. The phishers normally put pseudo-real addresses in there so that you believe them... When you click you normally go to something like http://www.abbey.co.uk.3487ACDAAB9837456872345.example.com/ which most people will interpret as www.abbey.co.uk with the ID of the session after it. It'll quite often be even longer than that to make the real part of the domain invisible.

Branding & Typos

If I server a page headed with qww.microsoft.com and a load of ads, am I not pushing that page under microsofts branding and thus it's a blatant abuse of their trademark?

Microsod should get onto them about that, could be some beer money for the lawyers there....

Also, there are the other typos that the ISPs (Domain resellers) are making money out of stuff like www.microsotf.com someone is selling these domains which are invariably used for nefarious purposes and are in a dubious legal position regarding trademarks. It's about time they were stopped too. When malware is found on one of these the reseller should cop a fine or have their selling rights removed for putting internet users at risk.

(I'm especially annoyed because by typign is terribel.)

@ Graham Wood

"If by "text part" you mean the plain text version of the email, the chances are that those are not the real destinations that you would be sent to."

With many mail programs set to display only text and not the html nor any other attachments to the email, using the false subdomain with the encoded XSS in the URL makes the URL look even more real [I edited the XSS out for that reason]. Nor did I wish to publish anything which could identify me to the phishers.

@ Graham Wood

"@Alastair

No - just no. My domain is not used solely for web services - something I believe to be true for a lot of domains. Why on earth should 'phone2.exmaple.com' redirect someone to www.example.com? The DNS query stage doesn't include service information - so there's no way to tell whether the lookup is for the purposes of web access."

The purpose of the lookup is imaterial, what matters is that it is a non-existent sub-domain. The idea being that they will redirected to a legitimate page on your domain rather than be presented with the ISP's ad page.

No-one's saying that you only use your domain for web services, but it's very unlikely that you are running any non-existent services.

Re: Verizion FIOS Opt-Out on DNS 404 failure redirection

Verizon provides information on how to configure your Verizon supplied router to use DNS servers that don't hijack lookups (basically change the DNS server address from X.Y.Z.12 to X.Y.Z.14) but unfortunately, the directions don't actually match the screens that some of the devices use. (Though anyone techie enough to even attempt to follow Verizons convoluted "opt-out" suggestion can probably figure that out. The other 99% of Verizons customers are screwed, though).

And at least Verizon "only" hijacks addresses that contain ww (including www, ww1, www1, 1ww, etc). And the response is in fact a "HTTP/1.0 404 Not Found' header, but with javascript in the body that redirects to wwwz.websearch.verizon.net. This means that errors with "non-web" services (that don't use ww hostnames) shouldn't be affected, and that Verizon at last doesn't appear to be serving content that could exploit XSS vulnerabilities. (That's no excuse - though I suppose I'd rather have any revenue from this sort of hijacking go to my ISP than to Google or Microsoft or Yahoo, or whoever added that functionality to the web browser itself).

@Steve - The idea being that they will redirected to a legitimate page on your domain

Should stick another field in DNS for the default address on the domain, or maybe even just register default.domain and change the resolvers.

So I'd register (for instance) www.microsoft.co.uk and default.microsoft.co.uk then matches for wwq.microsoft.co.uk would fail and get the default.microsoft.co.uk.

www.microsotf.co.uk would get the default address default.co.uk, which I guess would be hijackable again.

It'd mess up the people who already have domains with "default" in them though so a new DNS field for the default address on the domain would be better.

302 or 303

Isn't a 302 (Moved Temporarily) or 303 (See Other) status code the least bad way to implement this (although how many browsers implement 303 I don't know).

It could then redirect to a page which is clearly under the ISP's control.

Personally I think it should be up to the browser to deal with it rather than the ISP but I guess they don't want to pass up a revenue stream.

Re: Don't use ISP's nameserver

fdg wrote:

"Use opendsn.org perhaps?"

Don't OpenDNS use exactly the same sort of advertising trick to fund their servers?