mailing list archives
Re: US internet providers hijacking users' search queries
From: Jimmy Hess <mysidia () gmail com>
Date: Sat, 6 Aug 2011 13:25:18 -0500
On Sat, Aug 6, 2011 at 12:08 PM, Joe Provo <nanog-post () rsuc gweep net>wrote:
On Sat, Aug 06, 2011 at 10:41:10AM -0400, Scott Helms wrote:
Correct, I don't believe that any of the providers noted are actually
Disappointing that nanog readers can't read
http://www.paxfire.com/faqs.php and get
a clue, instead all the mouth-flapping about MItM and https. a clue,
instead all the mouth-flapping about MItM and https. While
Maybe instead of jumping to the conclusion NANOG readuers should "get a
you should actually do a little more research than reading a glossyware/
vacant FAQ that doesn't actually explain everything Paxfire is reported to
do, how it works, and what the criticism is?
I mean... don't you see a problem relying on _their own publication_ to
say what they are doing, when they
might like to keep their methods quiet to avoid negative attention?
Changing NXDOMAIN queries to an ISP's _own_ recursive servers is old hat,
and not the issue.
What the FAQ doesn't tell you is that the Paxfire appliances can tamper
traffic received from authoritative DNS servers not operated by the ISP.
A paxfire box can alter NXDOMAIN queries, and queries that respond with
known search engines' IPs.
to send your HTTP traffic to their HTTP proxies instead.
In addition, some ISPs employ an optional, unadvertised Paxfire feature that
redirects the entire stream of affected customers' web search requests to
Bing, Google, and Yahoo via HTTP proxies operated by Paxfire. These proxies
seemingly relay most searches and their corresponding results passively, in
a process that remains invisible to the user. Certain keyword searches,
however, trigger active interference by the HTTP proxies.