ISP Is Bypassing Firefox's Location Bar Search
It was only a matter of time before ISPs began doing more than just redirecting failed DNS requests to their own pages.
An anonymous reader writes "It looks like the largest ISP in Hong Kong has started bypassing search results from Firefox's location bar (which typically uses Google), forcing their own search provider (yp.com.hk) onto their users. ... Can an ISP just start re-directing search traffic at will?"
VPN (Score:3, Insightful)
Use a VPN provider of your choice.
Re: (Score:2, Insightful)
> Use a VPN provider of your choice.
And immediately get throttled by the ISP for using encryption.
Re: (Score:2)
Does this actually happen in practice? Most people who use VPNs use it because they work from home and their work requires it. I don't think we are at the stage yet where all VPN traffic is assumed to be evil.
In the past I've had more success torrenting things with Comcast while VPN'd into my school than without a VPN at all. Not that my story is evidence of much, but I haven't witnessed any sort of throttling like you claim.
Re: (Score:3, Informative)
Not happen, happened. Lots of ISPs worldwide, not US only, want you to have a business connection just for daring to establish a VPN connection over it. Usually it ends up being somewhere between 10 and 40$ extra a month depending on country/currency/etc to do so.
Right now, however, in the US, Comcast is staying away from that stuff, at least temporarily. Or if they do throttle, it's on the low end speeds. On my 22/10 they are not throttling anything, nor are they sending warnings and I use what Comcast con
Re: (Score:3, Informative)
I have my VPN port at home on port 80. It is the best way to bypass firewalls at work and other places.
Works great. You can run your VPN software from a thumb drive and Firefox as well. Do your surfing over it and the IT BOFHs can't detect or prevent a thing.
I pointed this out once as an IT manager, "isn't it easier to educate the users about safety? any fool can vpn out port 80 and bypass all our security."
I had several IT consultant "gurus" stutter and almost foam at their mouth because they just proc
Re: (Score:3, Informative)
MitM of Google (Score:2)
We've seen a few ISPs that MitM www.google.com in DNS (you can check for yourself in Netalyzr [berkeley.edu]).
Does anyone know (save me looking at a tcpdump) what domain name Firefox uses, is it www.google.com or something else, for the Google searches?
Re:MitM of Google (Score:4, Informative)
http://forums.opendns.com/comments.php?DiscussionID=226 [opendns.com]
Re: (Score:3, Informative)
Thank [deity].
I saw that this article was tagged "opendns" and for a moment thought with horror that people were tagging it that as a kind of suggestion that using OpenDNS was a solution to this. It seems like every single fucking time an article comes up about ISPs doing something wrong (generally messing with NXDOMAIN) people come out of the woodwork to suggest using OpenDNS, even though they do the exact same thing and there are plenty of perfectly standards compliant and free DNS providers to choose fro
Re: (Score:2)
> It seems like every single fucking time an article comes up about ISPs doing something wrong (generally messing with NXDOMAIN) people come out of the woodwork to suggest using OpenDNS, even though they do the exact same thing
They do... But it's generally in a beneficial way (phishing filter, content filtering, etc.) and at the user's discretion. Your ISP may not have any way to opt-out of the NXDOMAIN hi-jinks... But OpenDNS does.
I happily use OpenDNS at home, as well as at any client that asks for a quick and easy way to make sure folks are surfing for porn.
> there are plenty of perfectly standards compliant and free DNS providers to choose from.
I've been using Google's DNS [google.com] for the folks who don't want filtering.
I have, in the past, found the addresses for various higher-level DNS servers and used them successfu
Re: (Score:3, Informative)
A fair follow-up to show that mainly OpenDNS was just trying to fix what Google/Dell/others? broke:
http://blog.opendns.com/2007/05/22/google-turns-the-page/ [opendns.com]
Re: (Score:3, Informative)
The EICAR test "virus" is used to see if you have working AV which is blocking threats that are downloaded from the network.
Please see the FAQ [berkeley.edu].
Re: (Score:2)
Or they will just put their cert into your browser so they can "optimize your web experience".
Nope (Score:5, Funny)
> Can an ISP just start re-directing search traffic at will?
Not in my book. My ISP started doing some redirection and they got an immediate complaint from me. In person, at their local office. If there was an alternative to their service I would have switched ISPs immediately.
Re: (Score:3, Funny)
... and how did that work out for you?
Re:Nope (Score:5, Insightful)
Who knows? They have been quite responsive to complaints about services in the past. Even if I don't get an immediate response my voice was heard. They do know at least one of their customers was angry about their conduct. Should I just silently accept them screwing with me and not voice my concerns? That seems to me a guarantee that they won't change their ways.
From your post it seems that you think not standing up for yourself is the way to change things. Don't vote. Don't express your opinion. Be a martyr. How's that working for you? Effecting a lot of change in society are you?
Re:Nope (Score:4, Funny)
> Should I just silently accept them screwing with me and not voice my
> concerns?
No. You are supposed to rant self-righteously about evil, greedy corporations and demand that the government "regulate" them into forcing whatever it is that you want on all their customers whether they want it or not, but never make any attempt to communicate your concerns to the company in question. That's the Slashdot way.
Re: (Score:2)
I don't know at this point. I haven't experienced it lately, but that doesn't mean they aren't still doing it.
A lot of people complain about my ISP but I've found them pretty reasonable. When they first moved into this area their service was really bad, and expensive. In the years since then though they've actually lowered their prices, increased their speeds and usage caps, and become very reliable. If I have a service interruption they are there that day, not a week later.
Re: (Score:2)
> My ISP started doing some redirection and they got an immediate complaint from me. In person, at their local office.
I imagine that approach would yield a response that consisted of little other than a look of confusion or amazement, or a blank stare that barely suppressed the "I wish this guy would stop talking and go away."
When I call ATT and they discover I have fixed IP addresses, I immediately get transferred in a flurried confusion to second level tech support. When the next level discovers my connecti
Re: (Score:2)
> I love how the general slashdot public has this "I should be able to do what
> I want with my property" attitude with things like file sharing. But when an
> ISP decides to use that same logic (since you are using their lines to access
> the Internet) you get pissed off.
I see no contradiction in this specific case. They can do what they want with their property and he can take his business elsewhere if he doesn't like it. He did them the courtesy of telling them what they were doing that he did
Re: (Score:2)
Who says I support "file sharing", as in taking copyrighted work without permission?
I have never downloaded a song or movie. I have always purchased all my music, and never buy movies as that doesn't interest me. I just don't buy any music any more. But, that's because of the actions of the RIAA. If they acted ethically I would most likely still be buying music that interests me.
You make some huge assumptions with absolutely no evidence to back them up. You can search all my posts here and you will nev
Re: (Score:2)
When you buy an internet connection, I would say there is an implied warranty of merchantability that includes integrity of communication.
You should be able to assume that your inbound and outbound internet traffic isn't effectively altered.
Re:Nope (Score:4, Insightful)
If you're paying for a service that requires using someone else's property, they have voluntarily transferred some of their interest and rights in that property to you. Your landlord can't come into the house you're renting from him just because he feels like it, even if a clause permitting it is in the lease agreement. In the same way, if an ISP sells you access to the Internet, they can't start blocking you from certain parts of it without changing the agreement, which requires your consent (after all, it's a contract, and contracts require all parties to agree to it).
Whether the courts would agree with this interpretation is another matter, but this is the way I see it.
Re: (Score:3, Informative)
Get a grip. Don't demean the sacrifices made at Tiananmen Square with this far less serious bad behavior on the part of my ISP. The two situations aren't slightly close to be moral equivalents.
time for end to end encryption (Score:3, Insightful)
Re:time for end to end encryption (Score:4, Interesting)
It's getting so bad now the only option might be to fork the Internet's infrastructure, in combination with universal encryption. Replace it with open WiFi/WiMAX wireless mesh networks that only connect to the "corporate Internet" via TOR routers or something similar. Then once the public wireless mesh is popular enough, companies like Google and Hulu will voluntarily tie into it directly to stay relevant. The hard parts would be:
- Replacing the IANA/ICANN. A democratic online community might be the best solution.
- Submarine/satellite links. A "community project" wouldn't have the capability to do anything on this scale. Using TOR-like traffic on the "corporate Internet" might be a good short-term option.
Eventually ISPs that attempt to control traffic (to the extent that even these measures aren't sufficient) would be put out of business, those that stop trying to control traffic might stay in business serving as a backbone to the community Internet.
If this all seems too idealistic, imagine it could work like torrents: Those who are selfish or malicious have their access restricted or even removed due to rules built into the protocol. The more you share the more you get.
The way I see it working in the Average Joe's house is like this:
They have their "local AP" for short-range connections that handles LAN traffic, just like how home wireless APs are used today. Traffic is freely allowed out but inward traffic is restricted in a NAT-like configuration (there is actually a standard for NAT-like security on IPv6, but I can't find the name of it now).
Then they have their "community AP" that connects to other community wireless nodes. This is the center of the home network and handles all aspects of connecting to the community mesh. It might be a long-range-only AP.
Then optionally, a "corporate Internet modem" much like the ADSL/cable modems used today. All traffic sent over this connection is either onion-routed or securely tunneled to another "community AP," and of course encrypted like everything else. Providing this connection gives the network better "karma" like the seed ratios on BitTorrent, and therefore gives their network better access to other networks.
If the technology becomes available I'd be more surprised if this didn't happen. If a DD-WRT like system becomes available with "community Internet support," people will start reflashing their equipment so they can share warez, host services the ISP doesn't allow, etc. Then businesses will get on board for the security and redundancy (and maybe speed - going via "commu-net" to another location might be faster than a "corp-net" connection and cheaper than a wired connection).
The only weakness is that governments could outlaw the "commu-net," but once big businesses start reaping the rewards their lobbyists should ensure it stays legal.
Encryption (Score:5, Insightful)
And that's why we should start using encryption for everything...
Re:Encryption (Score:5, Insightful)
Remember that encryption won't help without authentication; your ISP will just MITM all your encrypted traffic. You need to know who you're really talking to.
I have the perfect solution (Score:2)
Use Google's DNS.
8.8.8.8
8.8.4.4
Pretty easy to remember, too.
Not much evidence yet... (Score:5, Insightful)
Re:Not much evidence yet... (Score:4, Informative)
It's PCCW. What I have heard is they are hijacking NXDOMAIN, but not sure about redirecting the location bar. Maybe Firefox will try to look up the domain for a single-name hostname, hence giving an impression that it redirects if your "search term" is just one word.
Re:Not much evidence yet... (Score:5, Informative)
Indeed, the poster only discusses what happens when he puts the name of a website into Firefox's address bar. By default, that will carry out a DNS lookup and if that lookup fails, Firefox will redirect to a Google "I'm feeling lucky" result.
Lots of ISPs are intercepting failed DNS requests and injecting their own ad page, there's usually a way to bypass this.
Re:Not much evidence yet... (Score:4, Informative)
Confirmed this with a few of my friends who are using PCCW Netvigator. I have the same ISP, but use OpenDNS, so haven't noticed anything was amiss for some time.
Re:Not much evidence yet... (Score:4, Informative)
(This is also a single post on a forum from one user... ;-p)
I'm in Hong Kong and I use that ISP mentioned in the article at home.
Never noticed the change because I've set my DNS servers to Google's, but now that I test it out, my ISP's servers do seem to be returning 203.198.80.* in place of NXDOMAIN.
Fuck.
Sleezy (Score:5, Interesting)
Re: (Score:2)
Correct me if I am wrong, but in theory, if Firefox uses the google certificate, there is no way the ISP can do man in the middle attacks, that's the whole point of the certificate.
So this is the answer, start using https and certificates for everything.
And on a more general note, all traffic should be encrypted to every web site and for every Internet application.
Comment removed (Score:5, Insightful)
Re: (Score:3, Insightful)
Indeed! Adam Smith's laissez faire was based on thousands of small, independent businesses --not a few monopolies. Perhaps that is why in Europe people are not bothered by the idea of government intrusion in controlling their lives, but rather big business intrusion and controlling their lives.
Re: (Score:2, Informative)
As a Capitalist, that really offends me. If businesses want to be treated laissez faire then they damn well better learn to make society not feel like they're a bunch of crooks who care so little about the common good that if regulators aren't going Big Brother on them every nanosecond they'll steal everything that isn't nailed down and cheat everyone who isn't paying 110% attention to every detail of their lives.
... which is precisely why there is regulation in every civilised society on the planet, and no such thing as a 100% capitalist society.
Re: (Score:2)
> ... which is precisely why there is regulation in every civilised society on
> the planet, and no such thing as a 100% capitalist society.
People do not become superhuman when they become part of government. They merely acquire power over other people.
Re: (Score:2)
> ...a bunch of crooks who care so little about the common good that if
> regulators aren't going Big Brother on them every nanosecond they'll steal
> everything that isn't nailed down and cheat everyone who isn't paying 110%
> attention to every detail of their lives.
That pretty much describes the entire human race. Including the "regulators".
They can if they're in China (Score:4, Insightful)
Re:They can if they're in China (Score:4, Informative)
Despite the handover in 1997, Hong Kong is still very much its own entity, sharing more in common with Seoul and Tokyo than with, say, Shanghai. They have protests, marches, and as far as I could tell the internet wasn't subject to the Great Firewall. Having been there three months ago and a wife there now, I *think* I can say that much.
This is why we need net neutrality (Score:5, Insightful)
Re:This is why we need net neutrality (Score:4, Informative)
More profit! (Score:2)
1) Be an ISP
2) Create an online shop ala amazon.
3) Redirect all users to your shop
4) Profit!
Re:More profit! (Score:5, Funny)
They could even be sleazy and open up shops that almost look like the same name depending on the font used.
Shop at Arnazon.com!
My ISP has been doing this for some time now (Score:3, Interesting)
I use a small, local telephone company for my DSL. They're reliable, not the fastest or the cheapest, but hey, it's pretty much a monopoly unless I want the cruddy cable service provider that is unreliable in their connectivity and just as expensive.
For six years now I've dealt with this. At work I just type a keyword and end up at the site I wanted. At home I do that by mistake and I get a page with an advertisement for something local saying the page couldn't be found.
Extremely annoying, but I don't have much choice as I don't want cable or their cruddy service, so I deal with it.
Re: (Score:2, Insightful)
use a different DNS server
Probably NXDOMAIN wildcarding.... (Score:5, Informative)
What Firefox does is first try to do DNS lookups for:
foo
foo.com
www.foo.com
before launching the Google search.
Thus NXDOMAIN wildcarding (which is unfortunately growing very common, distressingly so in our data) will mess up the Firefox behavior by causing one of the three names to resolve to the "helpful" search page belonging to the ISP.
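The lookup order described in the comment above, and a check for wildcarding, as an added example that is not part of the original thread. The resolvers, zone data and addresses are constructed for the demo (RFC 5737 documentation ranges); `location_bar` models only the behaviour the commenter describes, not Firefox's actual code.

```python
import secrets
import socket
from typing import Callable, Optional

# A resolver maps a hostname to an IPv4 string, or None for NXDOMAIN.
Resolver = Callable[[str], Optional[str]]

# Constructed zone data and a constructed stand-in for the ISP's search page.
REAL_ZONE = {"example.com": "192.0.2.10", "www.example.com": "192.0.2.10"}
AD_SERVER = "203.0.113.80"


def honest_resolver(name: str) -> Optional[str]:
    """Returns None (NXDOMAIN) for names that are not in the zone."""
    return REAL_ZONE.get(name.lower().rstrip("."))


def wildcarding_resolver(name: str) -> Optional[str]:
    """Replaces every NXDOMAIN with the address of an ad/search page."""
    return honest_resolver(name) or AD_SERVER


def system_resolver(name: str) -> Optional[str]:
    """Live variant using the OS resolver; not used by the offline demo."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def location_bar(word: str, resolve: Resolver):
    """Lookup order from the comment: foo, foo.com, www.foo.com, then search."""
    for candidate in (word, f"{word}.com", f"www.{word}.com"):
        addr = resolve(candidate)
        if addr is not None:
            return ("navigate", candidate, addr)
    return ("search", word, None)


def detect_wildcarding(resolve: Resolver, probes: int = 5,
                       tlds=("com", "net", "org")) -> dict:
    """Resolve random names that should not exist; any answer is suspicious.

    A single shared landing address across unrelated random names is the
    signature of NXDOMAIN wildcarding rather than a chance collision.
    """
    hits = {}
    for _ in range(probes):
        for tld in tlds:
            name = f"{secrets.token_hex(12)}.{tld}"  # 24 random hex chars
            addr = resolve(name)
            if addr is not None:
                hits[name] = addr
    return {
        "wildcarded": bool(hits),
        "answered": len(hits),
        "probed": probes * len(tlds),
        "landing_addresses": sorted(set(hits.values())),
    }


if __name__ == "__main__":
    for label, resolver in (("honest", honest_resolver),
                            ("wildcarding", wildcarding_resolver)):
        print(label, location_bar("slashdotx", resolver),
              detect_wildcarding(resolver))
```

Passing `system_resolver` to `detect_wildcarding` runs the same probe against whatever DNS server the machine is configured to use.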
Re: (Score:3, Informative)
A: If the ISP is good, they have an opt-out to a non-wildcarding DNS server.
B: If the ISP is not, I hate to say it but use Google Public DNS (8.8.8.8 and 8.8.4.4), as they don't wildcard or do anything beyond use the DNS information for data-mining purposes.
I'd personally STRONGLY AVOID OpenDNS, which does lots of bad things to DNS: NXDOMAIN wildcarding ANY address (not just www. addresses), SERVFAIL wildcarding, wildcarding addresses which HAVE valid records but just no A record, and even man-in-the-midd
Re: (Score:3, Informative)
Q: What's to stop your ISP from redirecting all outgoing packets to port 53 to their own DNS server?
A: If an ISP does this, we'd detect it: that's one of the tests we check for explicitly in Netalyzr: we send raw DNS requests directly to our server and ensure that they are not intercepted or proxied or modified on the way.
Yes (Score:2)
They can if they are in China.
China? (Score:4, Informative)
Re:China? (Score:4, Insightful)
The usual argument is that an ISP isn't legally liable for the information that they carry (as long as they comply with some basic rules), because their whole business model is based on them being a dumb carrier. They don't edit, they can't edit, it's not their job to edit, and if they tried, they'd be failing their customers and be wrecked as a business. If someone emails a piece of child porn across their network, they aren't guilty of aiding and abetting, because it's not their job to read or alter content.
So if an ISP has decided that it might be able to make a bit of extra money by deciding to divert search requests and exercise editorial control over what their customers are able to access, then ... bad news ... they've just broken that principle, stopped being a simple carrier and started to be an edited service. And with editorial power comes editorial responsibility. And that means that if someone goes on a killing spree and their family decides that they were influenced by content they found on the net, then if the person's ISP felt entitled to edit out Google, but not to edit out gun retailer sites or extremist political sites, the family's lawyer can now try to sue that ISP, on the grounds that the ISP has already discarded the principle that it doesn't filter content.
Any time an ISP pulls a redirection stunt like this, don't complain to their technicians: write a polite little note to their board of directors, or to their technical director, asking whether the shareholders understand that they're risking operating a corporation without legal "pure carrier status" protection. This is potentially a "shareholder alert" situation. Does the company's prospectus inform shareholders that the company is operating outside the usual "dumb carrier" rules?
If they're making extra money on the side by stealing Google business, by "diverting the flow", ask them if their legal department has estimated how much they stand to lose if they get sued. Not by Google, but by the mother of some kid that got murdered after meeting someone they shouldn't from an internet chatroom.
Simple "carrier" ISPs don't edit for a reason. By deliberately firewalling themselves off from editorial powers, they give themselves a degree of immunity from being liable for what they carry. That's not something you throw away lightly. And if I was the CEO of another ISP, I'd be wanting to ring the CEO of this ISP, and ask them what the hell they thought they were doing, and whether they were trying to bring down the entire industry.
Windstream, DSL US ISP is already doing this (Score:5, Informative)
This isn't new, and this isn't NXDOMAIN hijacking. Windstream, a US DSL provider, was already caught red-handed doing this. Not only this but they also refuse to answer very specific questions asked (see http://www.dslreports.com/forum/r24059591-DPILayer7NXDOMAIN-Privacy-questions-re-Windstream-DSL [dslreports.com]) and provide a paper-thin excuse as to why it's happening (see http://www.dslreports.com/forum/r24074065-Our-Response-to-Redirect-Service-Concerns [dslreports.com]).
Affected users are not using the ISP's DNS servers, this is not NXDOMAIN hijacking. This is layer 7 inspection, the sheer fact the URL was transformed, being carefully re-written, from the URI passed to 'www.google.com' discredits what Windstream has said entirely.
When a user performs a search using the Firefox search bar against Google HTTP/1.1 is used with an HTTP method of GET against Google. The following URI is constructed:
q=[search criteria]
ie=[encoding]
oe=[encoding]
aq=
rls=[browser]
So, when I search against Google I pass ?q= for my search term.
When this is redirected to searchredirect.windstream.net the URI is transformed, with the ?q= parameter being extracted. Windstream's site uses this URI structure:
search=[search criteria]
src=[integer value, likely points to an RDBMS based on HTTP_REFERER]
Windstream is not disclosing the truth. For this behavior to occur you would have to be using an MITM proxy or DPI; either way they are inspecting layer 7 traffic, extracting the ?q= URI string passed to Google, and either transparently or via HTTP 302 redirecting customers to searchredirect.windstream.net
They got caught, red handed, and have been fabricating mis-truths from the start.
How HTTP/1.1 GET against /search?q=my_search_term becomes /search.php?search=my_search_term without some form of Layer 7 is impossible. This CANNOT be NXDOMAIN.
Clearly they're not disclosing the full details or hiding behind careful sentence structure and semantics. This appears that there is now an industry initiative and a company behind this search harvesting and privacy invasive technology which is being sold to ISPs. Expect more to come, this isn't isolated to overseas, it's already happening right here in the US.
-SirMeowmix_I
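The distinction drawn in the post above (a DNS-level NXDOMAIN wildcard versus an on-path rewrite of the HTTP request), as an added example that is not part of the original post. The sample URLs are constructed from the parameter names the post lists; `classify_redirect` and its `requested_host_resolves` input are hypothetical, and the caller is assumed to have checked the name through a resolver it trusts and to know that the requested site does not itself redirect to the landing host.

```python
from urllib.parse import urlsplit, parse_qs


def classify_redirect(requested_url: str, landed_url: str,
                      requested_host_resolves: bool) -> dict:
    """Classify an observed redirect from the URL the browser requested
    to the URL it ended up on.

    requested_host_resolves: True if the requested hostname has a real
    DNS record according to a resolver the caller trusts (assumption).
    """
    req, land = urlsplit(requested_url), urlsplit(landed_url)
    if req.hostname == land.hostname:
        return {"verdict": "no-redirect", "carried": {}}

    req_params = parse_qs(req.query, keep_blank_values=True)
    land_params = parse_qs(land.query, keep_blank_values=True)

    # Map each request parameter to the landing parameter that now holds
    # its value. A value re-emitted under a new key means something parsed
    # the query string of the original HTTP request.
    carried = {}
    for rkey, rvals in req_params.items():
        for lkey, lvals in land_params.items():
            if any(v and v in lvals for v in rvals):
                carried[rkey] = lkey

    if not requested_host_resolves:
        # The name does not exist, so an answer at all means the resolver
        # substituted one: consistent with NXDOMAIN wildcarding.
        verdict = "nxdomain-wildcard"
    elif carried:
        # The name is real, yet the request was diverted and its query
        # re-keyed: the HTTP layer itself was inspected on the path.
        verdict = "layer7-rewrite"
    else:
        verdict = "unexplained-redirect"
    return {"verdict": verdict, "carried": carried,
            "from_host": req.hostname, "to_host": land.hostname}


# Constructed observations using the parameter names from the post.
SEARCH_REQUEST = ("http://www.google.com/search"
                  "?q=my_search_term&ie=utf-8&oe=utf-8&aq=&rls=constructed")
SEARCH_LANDING = ("http://searchredirect.windstream.net/search.php"
                  "?search=my_search_term&src=0")

if __name__ == "__main__":
    print(classify_redirect(SEARCH_REQUEST, SEARCH_LANDING, True))
    print(classify_redirect("http://slashdotx/",
                            "http://search.isp.example/?search=slashdotx",
                            False))
```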
Re:Windstream, DSL US ISP is already doing this (Score:5, Interesting)
If you are a Windstream customer, could you please run Netalyzr (http://netalyzr.icsi.berkeley.edu) and send the results URL to netalyzr-help@icsi.berkeley.edu?
I'd like to investigate this in further detail.
This can be solved simply (Score:3, Insightful)
All Google needs to do is modify their search bar to encrypt the outbound search string using Google's public key. By doing that, it makes it difficult to intercept whatever search is being done.
Re:Sure they can (Score:5, Insightful)
> It looks like the largest ISP in Hong Kong
I never knew that Hong Kong was in the United States.
Re: (Score:2)
But once one is doing it, the rest will follow.
Re: (Score:2)
Re: (Score:3, Funny)
Re: (Score:2)
Re:Sure they can (Score:4, Funny)
Re: (Score:2)
Well you're still wrong. State governments have the same power to regulate an Internet Monopoly as they do to regulate the Electric Monopoly or Natural Gas Monopoly. Your local government could very easily put the squeeze on Comcast and require them to fall into line.
As for this article:
I don't understand how the ISP hijacks the request. If I type "slashdot" doesn't Firefox automatically convert that to "google.com/search?q=slashdot" and produce results? I don't see how the ISP can interrupt a valid URL
Re: (Score:3, Insightful)
Sure they can, and by the federal government, too. Congress just hasn't yet given the FCC that power.
So in general they could be regulated, but in practice not yet.
Re: (Score:3, Informative)
Kind of a technicality really. The existing laws granting FCC authority just don't spell it out. A forgiving interpretation of the intent of the law lends me to believe congress did intend for the FCC to regulate all activities of companies using government granted monopolies.
The free market is powerless in a pseudo-monopolistic environment. Companies(and I mean specifically Qwest, Comcast, AT&T Wireless, AT&T, Sprint, Verizon Wireless and others) have shown and will continue showing that they are u
Re: (Score:3, Informative)
My understanding of the issue is that telcos are alternating between how they are classified. First, they wanted to be classified in such a way that they could receive gov't grants to build infrastructure. Then to reclassify so they do not need to license their infrastructure to competitors. Then to reclassify to avoid FCC regulation.
I agree, Congress needs to get their heads out of their asses. They either need to be regulated, or forced to compete.
Re:Sure they can (Score:4, Insightful)
You're largely correct.
They shift their stance based on what they're asking for. Just 2 weeks ago, AT&T defended the FCC(in a case against Comcast) because it feared losing universal service fee money because of the "telecommunications carriers" classification. I don't pretend to be an expert...
but it seems fairly obvious that when there are tax dollars to be handed out to build infrastructure, the telecoms are all out there with their hands open ready and willing. But when it comes time for the FCC to enforce consumer fairness and openness on the internet (that we taxpayers paid AT&T and others to build a backbone for), they cry foul.
Politicians seem spineless when it comes time to intervene.
Re:Sure they can (Score:5, Funny)
> I never knew that Hong Kong was in the United States.
It's rude to derail a rant with logic.
Re:Sure they can (Score:5, Informative)
Re: (Score:3, Insightful)
Re:Sure they can (Score:4, Informative)
However, I'm obviously a lot more technically savvy than the average user, or even the average tech support person (they couldn't understand the problem). ISPs shouldn't be doing this, router manufacturers should start shipping their products to default to Google DNS, it's faster anyway.
Re:Sure they can (Score:4, Interesting)
Re: (Score:3, Funny)
You mean, there are cities outside the united states ?
Re: (Score:3, Insightful)
Seriously, it's a wonder there's any life at all on North America. No wonder you invented nuclear weapons; anything less doesn't even register against the hellish conditions of that purgatory-like continent you live on.
Re:Sure they can (Score:5, Insightful)
> As shown by the recent Comcast - FCC ruling, ISPs can barely be regulated at all (and therefore can do anything they want).
Well, as someone else pointed out, this is an ISP in Hong Kong, not the US. While most of the "harmonizing" efforts of the Chinese government have been passive toward the consumer of the "non-harmonious" content, I would fear that this is a sort of precursor towards ISPs in China being required to pass search terms linked to individuals/accounts/addresses to the government for non-harmonious search terms indicating a level of dissent associated with that individual. Call me a tin foil hat but I haven't been too impressed with what's going on out in China. While you might claim it's overhead and too expensive, I guess we might start talking about https (port 443 secure) traffic even for search terms to avoid this inspection? Even that's naive though as the government could just ask the inside search provider for the data ... or failing that block that port on that provider.
Re:Sure they can (Score:5, Informative)
Like another poster also pointed out: Hong Kong is not China. It is politically part of China, but for all practical reasons it acts as a different country (and you as not being involved in the world political stage should simply consider it as such, much closer to the everyday reality):
Separate currency, the Hong Kong dollar, linked at 7.8 to the US dollar and fully convertible (can't say that of the yuan).
Borders with China. I am Hong Kong resident, and still need to buy a visa to enter China.
Hong Kong is a free port for import and export of goods and services. China is pretty thoroughly locked down, import duties of goods to China are huge. Really.
Hong Kong has an open, accountable judiciary, with a strong respect for the rule of law. The exact opposite of the other side of the border.
Hong Kong has press freedom, and not just official.
Hong Kong people have the right to demonstrate, and do so. In 2003, half a million people took to the streets - or about 7% of the total population. It sent shock waves throughout the country, all the way to Beijing. Something like that would never be allowed in China.
And last but not least Hong Kong has the permission from Beijing's overlords to move towards full democracy.
China still has influence on Hong Kong (Score:3, Interesting)
For all that Hong Kong people may have the right to demonstrate, have a separate judiciary, there are still companies operating in Hong Kong that are being pressured to conform [washingtonpost.com] to mainland laws...
A Hong Kong Internet company, called TOM Online, announced it had stopped using Google's search mechanism. "TOM reiterated that as a Chinese company, we adhere to rules and regulations in China where we operate our businesses," the company's parent, Hong Kong-based TOM Group, said in a statement Tuesday.
Companies owned by people/companies subject to Chinese laws, or wishing to do business in China proper, will certainly have to make decisions based on the relations they want to keep with the Chinese government. I can well imagine employees of a HK company being denied visas based on the ire of some Chinese bureau
Re:Sure they can (Score:5, Informative)
Re:Sure they can (Score:5, Informative)
They don't block DNS requests, they just send all port 53 traffic to their DNS server.
There are a lot of areas with a single good internet option (where 'good' means decent bandwidth and latency). Jumping ship may not be a realistic option.
Re:Sure they can (Score:4, Informative)
Nope, sure doesn't. And they can sniff out a DNS request even if you find a DNS host that was amenable to using another port.
So what you really need is a DNS service that sends and receives encrypted requests over a non-standard port.
Then you can get around it. Hosting your own DNS does no good, as it still comes through your ISP's DNS first. Hard-coding Google's IP address would work short term for Google search, but if it catches on they'll just start redirecting all Google traffic instead of just DNS requests.
My host only reroutes failed DNS requests to their own shitty search, but it's still annoying as hell.
Re:Sure they can (Score:5, Informative)
DNSSEC prevents tampering, if I understand it right. If you request an answer from server X, the client won't accept an answer from any other server, thus preventing man-in-the-middle attacks like this.
Alternatively, you can redirect all or part of the traffic through a VPN or secure proxy. Even Tor, if you compensate the long delays with some DNS caching, as provided by pdns or other caching server (even if you don't need it, it's awesome, I tell you! Every request after the first takes 0ms).
Re: (Score:2)
Re: (Score:3, Informative)
You can try. It might even work this time. But they can also choose to misdirect the request based on the IP address because they literally are the man in the middle, your traffic must pass through their routers.
Re: (Score:2)
Or run your own DNS server?
Re: (Score:2)
Best answer so far. Yes they can. The real question should be "SHOULD they do this".
Re: (Score:2)
No.
Re: (Score:2)
Obvious answer as well. The real question is, what can you do about it?
Re:Why? (Score:5, Insightful)
Do you really believe the average firefox user has the technical know-how to even understand what a DNS server is, let alone how to setup and configure one, even if it is "trivially easy" for you? Please...
Re: (Score:2)
> For the love of $deity why would _anybody_ still be using the DNS server that their ISP provides? Ignoring the multiple FREE DNS providers out there, it is trivially easy to setup your own caching DNS server regardless of the OS platform you use.
> With the abundance of 'old' computers that most people upgrade from, it should be standard practice to setup an old box as a firewall/dns server.
Really? You can set up a firewall/dns box, but you aren't familiar with laziness. Also, for the majority of internet users, setting up a firewall / dns server is not trivial. For a majority of internet users, changing the desktop background is not trivial. This affects non-nerds....you know, most people.
Re: (Score:3, Insightful)
It's also very easy for your ISP to intercept all DNS queries, regardless of where they're being sent, and handle them themselves. I know of an ISP that does this.
It would, of course, be possible to run an encrypted tunnel to a remote machine with a caching DNS server on it, then direct all your queries to that. I suspect this is far beyond the ken of most normal users. Just setting up a caching name server is beyond the ken of normal users. Most of them can handle turning computers on and click icons.
Re: (Score:2)
Routine Altering of DNS? Really? (Score:2)
Because the internet stopped being just for techies 10 years ago? Step out of your little bubble, you dweeb, and look around. First you have to give a crap about the concept of a DNS, which is exactly one step too far for the vast majority of folks.
Rightly
Re: (Score:2)
Re: (Score:2)
Title is by-passing. I was expecting a funny reply about "you've got to build bypasses!" in the "letter from your ISP" format.
Re:In China? (Score:5, Funny)
If any high tech company is going to come out of the closet, it would be apple.
Re: (Score:3, Insightful)
Re: (Score:2)
You never wondered about the rainbow colours in their logo?
Re: (Score:2)
Not really no. China's leaders aren't stupid. They realized Russia fell trying to keep pace economically with the USA. Then China realized they outnumber us 4-1. So all they had to do was convert their poor peasants into manufacturers. The fastest way to do that is to invite foreign companies to use their labor. Putting their own people in place to learn the tricks of the various trades. After 20 years they will be teaching their own people to do that on their own. (current place). After that they can kick o