Sites using subdomains to redirect to third party sites

Post a reply

Smilies
:D :) ;) :( :o :shock: :? 8-) :lol: :x :P :oops: :cry: :evil: :twisted: :roll: :!: :?: :idea: :arrow: :| :mrgreen: :geek: :ugeek:

BBCode is ON
[img] is ON
[url] is ON
Smilies are ON

Topic review
   

Expand view Topic review: Sites using subdomains to redirect to third party sites

Re: Sites using subdomains to redirect to third party sites

by barbaz » Mon May 25, 2020 3:26 pm

Skeezix, I split your posts to viewtopic.php?f=18&t=25975 so that you can continue discussing that if you want without going off-topic.

Re: Sites using subdomains to redirect to third party sites

by Mad_Man_Moon » Thu May 21, 2020 10:06 pm

Thought I'd resurrect this blast from the past to let folks know about another occurrence of it (I'm sure it's happening all the time) from a few months ago:

https://news.ycombinator.com/item?id=22535303

I'm not sure the validity of Sp-prod.net, but this paragraph (from the above link) from the docs on 'messagingWithoutDetection.js' makes one's tummy grumble a little!
The Dialogue Javascript communicates with the Sourcepoint messaging server on a subdomain of the site. The benefit of doing that is to allow messaging cookies to be “first party” and thus, circumventing Safari’s web browser Intelligent Tracking Prevention (ITP). This creates a discrete messaging channel between the publisher’s messaging subdomain and the Dialogue messaging server. Once you have created the subdomain, you should create a DNS CNAME record to direct traffic to the Sourcepoint messaging endpoint message<account id>.sp-prod.net where the account id refers to you account ID in the Sourcepoint user interface
Anyway, it sounds like uBlock Origin catches these ... but ... GEEZ. :roll:

Re: Sites using subdomains to redirect to third party sites

by barbaz » Fri May 08, 2015 6:50 pm

I don't quite say the same thing about cloudfront, some sites use it as a CDN but others use it as a tracker. So I would definitely recommend allowing cloudfront.net scripts on a temporary per-subdomain basis and only if site functionality is broken without them.

If you don't mind a lot of sites breaking you can block cloudfront.net entirely with ABE and whitelist it on a per-site basis as you need/want depending how a site breaks. see viewtopic.php?f=7&t=18206

Re: Sites using subdomains to redirect to third party sites

by skkukuk » Fri May 08, 2015 6:15 pm

barbaz wrote:akamai(edge) is a CDN / hosting, that is probably a perfectly legitimate DNS aliasing as the content you get there is likely just the site's content. The site is just mapping it to their subdomains for convenience.
Personally I wouldn't worry about that one at all.
Thanks. I will still anonymize, but at least I will now worry about akamai less. Would you say that the same thing applies to cloudfront (haven't seen the subdomain alias to them... Yet) but since cloudfront references seem to always use a subdomain (xyz1234.cloudfront.net), is it relatively safe to assume that the content from clouldfront is really the requesting sites content being stored on cloudfront? (I also anonymize anything from cloudfront, which has never seemed to be a problem)

Edit: I will still only allow scripts from whatever.cloudfront.net on a temporary basis using full addresses!
Edit2: Changed references to cloudfront.net (not .com) in text above after reading reply that follows

Thank for your help/feedback!

Re: Sites using subdomains to redirect to third party sites

by barbaz » Fri May 08, 2015 6:04 pm

akamai(edge) is a CDN / hosting, that is probably a perfectly legitimate DNS aliasing as the content you get there is likely just the site's content. The site is just mapping it to their subdomains for convenience.
Personally I wouldn't worry about that one at all.

Re: Sites using subdomains to redirect to third party sites

by skkukuk » Fri May 08, 2015 6:02 pm

Here are a few more examples:

Code: Select all

cdn.etrade.net				e5375.b.akamaiedge.net
personal.fidelity.com		a445.b.akamai.net.
www.fidelity.com			e11365.b.akamaiedge.net
www.fid-inv.com			e10141.b.akamaiedge.net
Had to work to be able to get logged on to Fidelity today after removing fidelity.com from my NS whitelist and swithching to only allowing full addresses. Now have NS allowing scripts from 3 true Fidelity subdomains (using full addressess) for scs.fidelity.com, oltx.fidelity.com, and login.fidelity.com

To get things to work, I also have to allow scripts from two aliased subdomains: www.fidelity.com and www.fid-inv.com (both anonymized by ABE at least)

Not sure what akamai/akamaiedge is, but I still want to anonymize/strip cookies. Here are my current ABE rules for Fidelity (work in progress!)

Code: Select all

# Note that this next Site statement does NOT include .fidelity.com, just fidelity.com and specific subdomains
# True Fidelity subdomains (not aliased) to Accept
Site fidelity.com login.fidelity.com scs.fidelity.com oltx.fidelity.com statements.fidelity.com servicemessages.fidelity.com
Accept from fidelity.com login.fidelity.com scs.fidelity.com oltx.fidelity.com statements.fidelity.com servicemessages.fidelity.com
Deny

# Aliased Fidelity subdomains to Anonymize
Site www.fidelity.com www.fid-inv.com
Anonymize from .fidelity.com www.fid-inv.com
Deny

# Aliased Fidelity subdomains that MAY not be needed by me, so can be denied
Site personal.fidelity.com
Deny

# Catch all to Deny everything not specifically accounted for above (review ABE messages in console log)
# Temporarily Uncomment the Anonymize statement if Deny breaks too much and time is not available to research issues.
Site .fidelity.com
#Anonymize from .fidelity.com
Deny
I think this set of ABE rules does what I want, but I may hit other fidelity subdomains or other snags as time goes on. Please feel free to comment if you see any flaws in the above.

Re: Sites using subdomains to redirect to third party sites

by Thrawn » Thu May 07, 2015 11:31 pm

How cute! They're mapping one of their subdomains to their tracker's IP address so that the cookies are considered first-party.

It just goes to show that the usual browser security policies were not designed to stop sites from willingly collaborating. Conspirators will always find a way...of course, sometimes it's a much worse way, but they'll always find a way.

Re: Sites using subdomains to redirect to third party sites

by barbaz » Thu May 07, 2015 4:42 pm

Gak. I was assuming you meant "HTTP/301". This isn't a "redirect", I don't know the term either but it's something more like "DNS alias".

It's normal for cookies to "transfer" in that situation because it's all in the same domain to the browser.

My suggestion now is to not trust that site at all if possible. And I too think NoScript should try to be aware of this if possible.
(TMK I have never seen CNAME used like that before.)

Re: Sites using subdomains to redirect to third party sites

by skkukuk » Thu May 07, 2015 12:49 pm

Thrawn wrote:I don't think I'm entirely following what you mean by a 'redirected' subdomain. Do you mean that it resolves to the same IP address? Or that there is an actual HTTP redirect happening (which would restore the usual domain-based controls)? Or something else?
Maybe I should have called it a subdomain alias (As stated in my original post, I wasn't what this should be called). Using the original example of sanalytics.fnbodirect.com, the DNS entries contain a CNAME record that points to fnbodirect.com.102.112.2o7.net. According to wikipedia: "A CNAME record is an abbreviation for Canonical Name record" which is an "Alias of one name to another: the DNS lookup will continue by retrying the lookup with the new name."

Code: Select all

ping sanalytics.fnbodirect.com

Pinging fnbodirect.com.102.112.2o7.net [63.140.58.18] with 32 bytes of data:
Reply from 63.140.58.18: bytes=32 time=71ms TTL=244
Reply from 63.140.58.18: bytes=32 time=71ms TTL=244
Reply from 63.140.58.18: bytes=32 time=70ms TTL=244
Reply from 63.140.58.18: bytes=32 time=71ms TTL=244
I don't think the browser or NoScript or ABE are aware of the fact that the sanalytics.fnbodirect.com is really an alias. I don't know if NoScript or ABE could be made aware of the fact it is an alias without doing some kind of additional DNS lookup of their own, or what the overhead would be.

Anyway, I hope that clarifies what I am talking about.

Edit: Added nslookup below, in case it helps:

Code: Select all

nslookup sanalytics.fnbodirect.com
Server:  UnKnown
Address:  127.0.0.1

Non-authoritative answer:
Name:    fnbodirect.com.102.112.2o7.net
Address:  63.140.58.18
Aliases:  sanalytics.fnbodirect.com

Re: Sites using subdomains to redirect to third party sites

by Thrawn » Thu May 07, 2015 3:44 am

I don't think I'm entirely following what you mean by a 'redirected' subdomain. Do you mean that it resolves to the same IP address? Or that there is an actual HTTP redirect happening (which would restore the usual domain-based controls)? Or something else?

Re: Sites using subdomains to redirect to third party sites

by barbaz » Tue May 05, 2015 3:52 pm

Thank you so much for posting that.
skkukuk wrote:it dawned on me that there is a bigger problem with what they are doing, which may have been obvious to the two of you. Normally, at least the way I have firefox set up, cookies are not sent to third party sites. So if I am on scottrade.com, and they have something that pulls content from wallst.com, no scottrade cookies or wallst.com cookies get sent to wallst.com. However, with the subdomain research.scottrade.com redirecting to research.scottrade.wallst.com, cookies for research.scottrade.com AND scottrade.com are now all sent to wallst.com.
It's not obvious to me at all! :shock: :o Unless, of course, you Allow 3rd party cookies only from sites you visited. But it doesn't sound like that's your case... :!:

Don't like that. I'll have to look into it.

Re: Sites using subdomains to redirect to third party sites

by skkukuk » Tue May 05, 2015 2:33 pm

Thrawn wrote:
barbaz wrote:This is not just a tracking/advertising subdomain of a site.. the situation here is that a subdomain of a site is an alias for a 3rd-party tracker.
OK, but handling them works about the same way.
Both correct, but still a concern I am not sure most are aware of. Here is another example:

Brokers Ameritrade and Scottrade are doing this subdomain aliasing/redirecting. Ameritrade has several:

research.ameritrade.com is really research.ameritrade.wallst.com
valubond.ameritrade.com is really ameritrade.valubond.com
morningstar.ameritrade.com is really morningstar.ameritrade.com.3.web.morningstar.com
sstats.tdameritrade.com is really tdameritrade.com.102.112.2o7.net

Scottrade has the same redirect to wallst.com

research.scottrade.com is really research.scottrade.wallst.com

While investigating the above, it dawned on me that there is a bigger problem with what they are doing, which may have been obvious to the two of you. Normally, at least the way I have firefox set up, cookies are not sent to third party sites. So if I am on scottrade.com, and they have something that pulls content from wallst.com, no scottrade cookies or wallst.com cookies get sent to wallst.com. However, with the subdomain research.scottrade.com redirecting to research.scottrade.wallst.com, cookies for research.scottrade.com AND scottrade.com are now all sent to wallst.com. Potentially worse, since Ameritrade does the same thing, wallst.com now has the potential of seeing that I use both. However, since wallst.com may not be able to set their own wallst.com cookie when coming through the redirected subdomain, that may not be as bad is it seems - but I am now past my level of understanding of how all of this works.

Again, I am bringing this up for discussion to make this practice known to people, and to discuss what to do about it for those paranoids out there like me! My approach now is as follows:

1) Stop allowing base 2nd level domains (whatever.com) and only allow full domains or full addresses. Certainly full addresses for 2nd level domains (full address only allows http://whatever.com)

2) Use ABE to anonymize all references that go through a redirected subdomain. Of course, this may not allow that content to work, but in many cases it still works fine.

3) Where anonymizing in 2) above doesn't work, and if I really need the functions, only allow session cookies for the main site and all subdomains. For the examples above, both scottrade and ameritrade actually use their own subdomains for most of their own content (trading.scottrade.com and invest.ameritrade.com) so if necessary those cookies could be kept beyond the session, since they would not be sent to research.scottrade.com or research.ameritrade.com.

3a) In case you are wondering why it is necessary to keep any cookies beyond the end of the session, several sites I use require extensive extra login steps (security questions) if you don't keep cookies. However, scottrade at least doesn't do that. Yet. (And if they do, hopefully the related cookies will be kept under trading.scottrade.com)

So the biggest problem I still have, is the amount of work it takes to do the above (which is fine), but more importantly how to identify when this activity is happening, which is a bigger problem. I did at least find a feature of noscript that I was not aware of that helps a bit: When you right click on the Allow or (Temporarily allow) menu item in the noscript icon menu, the site you would be allowing is copied to the clipboard so it can be pasted into whatever utility you use to examine the subdomain to see where it really goes.

Thanks for listening - and I look forward to whatever anyone else thinks or is doing. And special thanks to Giorgio for giving us noscript - and maybe even more important giving us ABE. They are the best defensive weapons in this war on privacy!

Re: Sites using subdomains to redirect to third party sites

by Thrawn » Tue May 05, 2015 1:48 am

barbaz wrote:This is not just a tracking/advertising subdomain of a site.. the situation here is that a subdomain of a site is an alias for a 3rd-party tracker.
OK, but handling them works about the same way.

Re: Sites using subdomains to redirect to third party sites

by barbaz » Mon May 04, 2015 11:09 pm

Thrawn wrote:It's not uncommon for sites to have a tracking/advertising subdomain. Consider stats.wordpress.com, or analytics.yahoo.com.
This is not just a tracking/advertising subdomain of a site.. the situation here is that a subdomain of a site is an alias for a 3rd-party tracker.

Re: Sites using subdomains to redirect to third party sites

by Thrawn » Mon May 04, 2015 10:28 pm

It's not uncommon for sites to have a tracking/advertising subdomain. Consider stats.wordpress.com, or analytics.yahoo.com.

Personally, I solve this problem by allowing full addresses, not base 2nd-level domains (under Options-Appearance). It means more work on sites that have lots of subdomains, but it's a price I've been willing to pay - and I still have the option of allowing a base domain if I want to. NoScript is quite good at letting different rule granularities co-exist.

Top