Sites using subdomains to redirect to third party sites
There seems to be a growing trend (maybe I just started to notice it) of sites using subdomains to redirect requests on their pages to third party sites. For example, fnbodirect.com uses a subdomain of sanalytics.fnbodirect.com which really is: fnbodirect.com.102.112.2o7.net
So if I allow content from fnbodirect.com but block content from 2o7.net, noscript doesn't know so doesn't block the sanalytics.fnbodirect.com content. I am also assuming that the surrogate function of NS would be bypassed - unless I manually make another source in about:config for a specific resource.
I find this disturbing - it seems like sites are actively trying to fool their users into not knowing they are using 3rd party content, which I find disgusting. Especially when it is done by financial related sites like banks, brokerages, insurance, etc.
Some questions:
1) Is there a specific term for this type of redirect action? I tried to research this topic, but didn't have much luck - either because nobody cares, nobody notices, or because I don't know what to search on!
2) In the past, I would allow all subdomains of a site I trust to be trusted as well. I have stopped doing that, but getting sites I need to use to work is a much bigger task. Obviously, one solution is to simply stop using sites that do this - since if they are trying to fool me this way, why should I trust them at all!
3) I also use ABE to anonymize almost everything that I don't specifically allow or deny, which is probably complicating things. In the example above, ABE anonymizes fnbodirect.com's access to sanalytics.fnbodirect.com - as it should be doing the way I have things set up. I know how to make ABE allow access, but don't want to.
4) Am I being too paranoid? I don't like sites using 3rd party access, since you don't know what they are sharing or tracking, especially to mega companies like adobe (2o7.net, Omniture, etc.) and especially google.
So is this a new trend, or is it something I just started noticing? What are other NS users doing about this?
Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0
Re: Sites using subdomains to redirect to third party sites
Is it really much more than just that one site that does this? I haven't seen this as far as I can remember.
Bear in mind that what makes this special is that they are redirecting an entire subdomain of their site to a tracking domain, not just that they're redirecting to a 3rd-party site - some 3rd parties may even contain content authored by the site itself.
skkukuk wrote:
> Some questions:
> [...]
> 2) In the past, I would allow all subdomains of a site I trust to be trusted as well. I have stopped doing that, but getting sites I need to use to work is a much bigger task. Obviously, one solution is to simply stop using sites that do this - since if they are trying to fool me this way, why should I trust them at all!
> 3) I also use ABE to anonymize almost everything that I don't specifically allow or deny, which is probably complicating things. In the example above, ABE anonymizes fnbodirect.com's access to sanalytics.fnbodirect.com - as it should be doing the way I have things set up. I know how to make ABE allow access, but don't want to.
Er, those aren't questions..
skkukuk wrote:
> 4) Am I being too paranoid? I don't like sites using 3rd party access, since you don't know what they are sharing or tracking, especially to mega companies like adobe (2o7.net, Omniture, etc.) and especially google.
You're not being too paranoid, no. It's reasonable to be concerned about this kind of behavior.
skkukuk wrote:
> What are other NS users doing about this?
What is there to be done? NoScript blocks all active content, if that's not enough create an ABE rule to anon or deny the request.
Basically you have the right idea IMO.
You can also mark the subdomain as Untrusted if you want.
*Always* check the changelogs BEFORE updating that important software!
-
Re: Sites using subdomains to redirect to third party sites
barbaz wrote:
> Is it really much more than just that one site that does this? I haven't seen this as far as I can remember.
> Bear in mind that what makes this special is that they are redirecting an entire subdomain of their site to a tracking domain, not just that they're redirecting to a 3rd-party site - some 3rd parties may even contain content authored by the site itself.
I have seen it in at least 4 places, although 1 of those was a 3rd party statement processor. While I don't like that, I am less concerned than when the 3rd party is adobe, google, etc.
barbaz wrote:
> What is there to be done? NoScript blocks all active content, if that's not enough create an ABE rule to anon or deny the request.
> Basically you have the right idea IMO.
> You can also mark the subdomain as Untrusted if you want.
I guess I was wondering if others had noticed this, and what they are doing about it. I don't know that there is any automatic way of detecting/blocking this type of activity, but if there is - I would be interested in knowing about it.
Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0
Re: Sites using subdomains to redirect to third party sites
skkukuk wrote:
> I guess I was wondering if others had noticed this, and what they are doing about it. I don't know that there is any automatic way of detecting/blocking this type of activity, but if there is - I would be interested in knowing about it.
NoRedirect can help with some of that.
As for the rest... maybe try Policeman?
*Always* check the changelogs BEFORE updating that important software!
-
Re: Sites using subdomains to redirect to third party sites
It's not uncommon for sites to have a tracking/advertising subdomain. Consider stats.wordpress.com, or analytics.yahoo.com.
Personally, I solve this problem by allowing full addresses, not base 2nd-level domains (under Options-Appearance). It means more work on sites that have lots of subdomains, but it's a price I've been willing to pay - and I still have the option of allowing a base domain if I want to. NoScript is quite good at letting different rule granularities co-exist.
======
Thrawn
------------
Religion is not the opium of the masses. Daily life is the opium of the masses.
True religion, which dares to acknowledge death and challenge the way we live, is an attempt to wake up.
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:37.0) Gecko/20100101 Firefox/37.0
Re: Sites using subdomains to redirect to third party sites
Thrawn wrote:
> It's not uncommon for sites to have a tracking/advertising subdomain. Consider stats.wordpress.com, or analytics.yahoo.com.
This is not just a tracking/advertising subdomain of a site.. the situation here is that a subdomain of a site is an alias for a 3rd-party tracker.
*Always* check the changelogs BEFORE updating that important software!
-
Re: Sites using subdomains to redirect to third party sites
barbaz wrote:
> This is not just a tracking/advertising subdomain of a site.. the situation here is that a subdomain of a site is an alias for a 3rd-party tracker.
OK, but handling them works about the same way.
======
Thrawn
------------
Religion is not the opium of the masses. Daily life is the opium of the masses.
True religion, which dares to acknowledge death and challenge the way we live, is an attempt to wake up.
Mozilla/5.0 (X11; Fedora; Linux i686; rv:37.0) Gecko/20100101 Firefox/37.0
Re: Sites using subdomains to redirect to third party sites
Thrawn wrote:
> barbaz wrote:
> > This is not just a tracking/advertising subdomain of a site.. the situation here is that a subdomain of a site is an alias for a 3rd-party tracker.
> OK, but handling them works about the same way.
Both correct, but still a concern I am not sure most are aware of. Here is another example:
Brokers Ameritrade and Scottrade are doing this subdomain aliasing/redirecting. Ameritrade has several:
research.ameritrade.com is really research.ameritrade.wallst.com
valubond.ameritrade.com is really ameritrade.valubond.com
morningstar.ameritrade.com is really morningstar.ameritrade.com.3.web.morningstar.com
sstats.tdameritrade.com is really tdameritrade.com.102.112.2o7.net
Scottrade has the same redirect to wallst.com
research.scottrade.com is really research.scottrade.wallst.com
While investigating the above, it dawned on me that there is a bigger problem with what they are doing, which may have been obvious to the two of you. Normally, at least the way I have firefox set up, cookies are not sent to third party sites. So if I am on scottrade.com, and they have something that pulls content from wallst.com, no scottrade cookies or wallst.com cookies get sent to wallst.com. However, with the subdomain research.scottrade.com redirecting to research.scottrade.wallst.com, cookies for research.scottrade.com AND scottrade.com are now all sent to wallst.com. Potentially worse, since Ameritrade does the same thing, wallst.com now has the potential of seeing that I use both. However, since wallst.com may not be able to set their own wallst.com cookie when coming through the redirected subdomain, that may not be as bad as it seems - but I am now past my level of understanding of how all of this works.
Again, I am bringing this up for discussion to make this practice known to people, and to discuss what to do about it for those paranoids out there like me! My approach now is as follows:
1) Stop allowing base 2nd level domains (whatever.com) and only allow full domains or full addresses. Certainly full addresses for 2nd level domains (full address only allows http://whatever.com)
2) Use ABE to anonymize all references that go through a redirected subdomain. Of course, this may not allow that content to work, but in many cases it still works fine.
3) Where anonymizing in 2) above doesn't work, and if I really need the functions, only allow session cookies for the main site and all subdomains. For the examples above, both scottrade and ameritrade actually use their own subdomains for most of their own content (trading.scottrade.com and invest.ameritrade.com) so if necessary those cookies could be kept beyond the session, since they would not be sent to research.scottrade.com or research.ameritrade.com.
3a) In case you are wondering why it is necessary to keep any cookies beyond the end of the session, several sites I use require extensive extra login steps (security questions) if you don't keep cookies. However, scottrade at least doesn't do that. Yet. (And if they do, hopefully the related cookies will be kept under trading.scottrade.com)
So the biggest problem I still have, is the amount of work it takes to do the above (which is fine), but more importantly how to identify when this activity is happening, which is a bigger problem. I did at least find a feature of noscript that I was not aware of that helps a bit: When you right click on the Allow or (Temporarily allow) menu item in the noscript icon menu, the site you would be allowing is copied to the clipboard so it can be pasted into whatever utility you use to examine the subdomain to see where it really goes.
Thanks for listening - and I look forward to whatever anyone else thinks or is doing. And special thanks to Giorgio for giving us noscript - and maybe even more important giving us ABE. They are the best defensive weapons in this war on privacy!
Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0
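The cookie behaviour described in the post above, as an added example that is not from any poster in this thread: a small model of RFC 6265 domain matching that shows which cookies a browser attaches to a request for an aliased hostname, and which Domain values a response from that hostname may set. The cookie names and the jar contents are constructed.

```python
def domain_match(host, cookie_domain):
    """RFC 6265 section 5.1.3: host equals the domain or is a subdomain of it."""
    host = host.lower()
    cookie_domain = cookie_domain.lower().lstrip(".")
    return host == cookie_domain or host.endswith("." + cookie_domain)


def cookies_sent(jar, request_host):
    """Names of the cookies a browser attaches to a request for request_host.

    Only the hostname in the URL is consulted. The browser never looks at the
    CNAME target, so whoever serves the alias receives everything that matches
    the alias name.
    """
    sent = []
    for cookie in jar:
        if cookie["host_only"]:
            ok = request_host.lower() == cookie["domain"].lower()
        else:
            ok = domain_match(request_host, cookie["domain"])
        if ok:
            sent.append(cookie["name"])
    return sent


def can_set(response_host, domain_attr):
    """Would a browser accept Set-Cookie with this Domain attribute?

    RFC 6265 section 5.3 rejects a cookie whose Domain does not domain-match
    the host that sent it (public-suffix checks are left out of this model).
    """
    return domain_match(response_host, domain_attr)


# Constructed cookie jar; every cookie name here is hypothetical.
JAR = [
    # Set with Domain=scottrade.com, so it applies to every subdomain.
    {"name": "acct", "domain": "scottrade.com", "host_only": False},
    # Set without a Domain attribute, so each is bound to one exact host.
    {"name": "research_prefs", "domain": "research.scottrade.com", "host_only": True},
    {"name": "trade_session", "domain": "trading.scottrade.com", "host_only": True},
    # Left over from a direct visit to wallst.com.
    {"name": "wallst_id", "domain": "wallst.com", "host_only": False},
]

if __name__ == "__main__":
    alias = "research.scottrade.com"  # served by research.scottrade.wallst.com
    print("sent to alias:", cookies_sent(JAR, alias))
    print("alias may set Domain=wallst.com:", can_set(alias, "wallst.com"))
    print("alias may set Domain=scottrade.com:", can_set(alias, "scottrade.com"))
```

Host-only cookies on trading.scottrade.com stay away from the alias, while any cookie scoped to scottrade.com itself is delivered to it.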
Re: Sites using subdomains to redirect to third party sites
Thank you so much for posting that.
skkukuk wrote:
> it dawned on me that there is a bigger problem with what they are doing, which may have been obvious to the two of you. Normally, at least the way I have firefox set up, cookies are not sent to third party sites. So if I am on scottrade.com, and they have something that pulls content from wallst.com, no scottrade cookies or wallst.com cookies get sent to wallst.com. However, with the subdomain research.scottrade.com redirecting to research.scottrade.wallst.com, cookies for research.scottrade.com AND scottrade.com are now all sent to wallst.com.
It's not obvious to me at all! Unless, of course, you Allow 3rd party cookies only from sites you visited. But it doesn't sound like that's your case...
Don't like that. I'll have to look into it.
*Always* check the changelogs BEFORE updating that important software!
-
Re: Sites using subdomains to redirect to third party sites
I don't think I'm entirely following what you mean by a 'redirected' subdomain. Do you mean that it resolves to the same IP address? Or that there is an actual HTTP redirect happening (which would restore the usual domain-based controls)? Or something else?
======
Thrawn
------------
Religion is not the opium of the masses. Daily life is the opium of the masses.
True religion, which dares to acknowledge death and challenge the way we live, is an attempt to wake up.
Mozilla/5.0 (X11; Fedora; Linux i686; rv:37.0) Gecko/20100101 Firefox/37.0
Re: Sites using subdomains to redirect to third party sites
Thrawn wrote:
> I don't think I'm entirely following what you mean by a 'redirected' subdomain. Do you mean that it resolves to the same IP address? Or that there is an actual HTTP redirect happening (which would restore the usual domain-based controls)? Or something else?
Maybe I should have called it a subdomain alias (as stated in my original post, I wasn't sure what this should be called). Using the original example of sanalytics.fnbodirect.com, the DNS entries contain a CNAME record that points to fnbodirect.com.102.112.2o7.net. According to Wikipedia: "A CNAME record is an abbreviation for Canonical Name record" which is an "Alias of one name to another: the DNS lookup will continue by retrying the lookup with the new name."
Code:
ping sanalytics.fnbodirect.com
Pinging fnbodirect.com.102.112.2o7.net [63.140.58.18] with 32 bytes of data:
Reply from 63.140.58.18: bytes=32 time=71ms TTL=244
Reply from 63.140.58.18: bytes=32 time=71ms TTL=244
Reply from 63.140.58.18: bytes=32 time=70ms TTL=244
Reply from 63.140.58.18: bytes=32 time=71ms TTL=244
Anyway, I hope that clarifies what I am talking about.
Edit: Added nslookup below, in case it helps:
Code:
nslookup sanalytics.fnbodirect.com
Server: UnKnown
Address: 127.0.0.1
Non-authoritative answer:
Name: fnbodirect.com.102.112.2o7.net
Address: 63.140.58.18
Aliases: sanalytics.fnbodirect.com
Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0
Re: Sites using subdomains to redirect to third party sites
Gak. I was assuming you meant "HTTP/301". This isn't a "redirect", I don't know the term either but it's something more like "DNS alias".
It's normal for cookies to "transfer" in that situation because it's all in the same domain to the browser.
My suggestion now is to not trust that site at all if possible. And I too think NoScript should try to be aware of this if possible.
(TMK I have never seen CNAME used like that before.)
*Always* check the changelogs BEFORE updating that important software!
-
Re: Sites using subdomains to redirect to third party sites
How cute! They're mapping one of their subdomains to their tracker's IP address so that the cookies are considered first-party.
It just goes to show that the usual browser security policies were not designed to stop sites from willingly collaborating. Conspirators will always find a way...of course, sometimes it's a much worse way, but they'll always find a way.
======
Thrawn
------------
Religion is not the opium of the masses. Daily life is the opium of the masses.
True religion, which dares to acknowledge death and challenge the way we live, is an attempt to wake up.
Mozilla/5.0 (X11; Fedora; Linux i686; rv:37.0) Gecko/20100101 Firefox/37.0
Re: Sites using subdomains to redirect to third party sites
Here are a few more examples:
Code:
cdn.etrade.net e5375.b.akamaiedge.net
personal.fidelity.com a445.b.akamai.net.
www.fidelity.com e11365.b.akamaiedge.net
www.fid-inv.com e10141.b.akamaiedge.net
Had to work to be able to get logged on to Fidelity today after removing fidelity.com from my NS whitelist and switching to only allowing full addresses. Now have NS allowing scripts from 3 true Fidelity subdomains (using full addresses) for scs.fidelity.com, oltx.fidelity.com, and login.fidelity.com
To get things to work, I also have to allow scripts from two aliased subdomains: www.fidelity.com and www.fid-inv.com (both anonymized by ABE at least)
Not sure what akamai/akamaiedge is, but I still want to anonymize/strip cookies. Here are my current ABE rules for Fidelity (work in progress!)
Code:
# Note that this next Site statement does NOT include .fidelity.com, just fidelity.com and specific subdomains
# True Fidelity subdomains (not aliased) to Accept
Site fidelity.com login.fidelity.com scs.fidelity.com oltx.fidelity.com statements.fidelity.com servicemessages.fidelity.com
Accept from fidelity.com login.fidelity.com scs.fidelity.com oltx.fidelity.com statements.fidelity.com servicemessages.fidelity.com
Deny
# Aliased Fidelity subdomains to Anonymize
Site www.fidelity.com www.fid-inv.com
Anonymize from .fidelity.com www.fid-inv.com
Deny
# Aliased Fidelity subdomains that MAY not be needed by me, so can be denied
Site personal.fidelity.com
Deny
# Catch all to Deny everything not specifically accounted for above (review ABE messages in console log)
# Temporarily Uncomment the Anonymize statement if Deny breaks too much and time is not available to research issues.
Site .fidelity.com
#Anonymize from .fidelity.com
Deny
I think this set of ABE rules does what I want, but I may hit other fidelity subdomains or other snags as time goes on. Please feel free to comment if you see any flaws in the above.
Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0
Re: Sites using subdomains to redirect to third party sites
akamai(edge) is a CDN / hosting, that is probably a perfectly legitimate DNS aliasing as the content you get there is likely just the site's content. The site is just mapping it to their subdomains for convenience.
Personally I wouldn't worry about that one at all.
*Always* check the changelogs BEFORE updating that important software!
-
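One way to automate the check discussed in this thread, as an added example that is not code from any poster or from NoScript: resolve a hostname to its canonical name and flag it when the CNAME target sits under a different base domain, separating the tracker and CDN targets named above. The suffix lists, the two-label base-domain rule and the offline lookup table are assumptions made for the example.

```python
import socket

# Assumption: category lists built only from suffixes named in this thread.
TRACKER_SUFFIXES = ("2o7.net",)
CDN_SUFFIXES = ("akamai.net", "akamaiedge.net")


def base_domain(host):
    """Naive registrable domain: the last two labels.

    Assumption: good enough for the .com/.net names in this thread. Real
    tooling should use the Public Suffix List (co.uk and similar break this).
    """
    labels = host.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def system_canonical_name(host):
    """Ask the OS resolver for the canonical name at the end of the CNAME chain."""
    canonical, _aliases, _addresses = socket.gethostbyname_ex(host)
    return canonical


def classify_alias(host, resolve=system_canonical_name):
    """Return (canonical_name, verdict) for one hostname."""
    canonical = resolve(host).rstrip(".").lower()
    target = base_domain(canonical)
    if target == base_domain(host):
        return canonical, "first-party"
    if target in TRACKER_SUFFIXES:
        return canonical, "tracker"
    if target in CDN_SUFFIXES:
        return canonical, "cdn"
    return canonical, "third-party"


# Constructed lookup table holding alias pairs reported in the thread, so the
# example runs offline. login.fidelity.com maps to itself because the thread
# describes it as a true (non-aliased) subdomain.
THREAD_ALIASES = {
    "sanalytics.fnbodirect.com": "fnbodirect.com.102.112.2o7.net",
    "sstats.tdameritrade.com": "tdameritrade.com.102.112.2o7.net",
    "research.scottrade.com": "research.scottrade.wallst.com",
    "personal.fidelity.com": "a445.b.akamai.net.",
    "www.fidelity.com": "e11365.b.akamaiedge.net",
    "login.fidelity.com": "login.fidelity.com",
}


def audit(hosts, resolve=THREAD_ALIASES.__getitem__):
    """Classify every host; pass resolve=system_canonical_name for live DNS."""
    return {host: classify_alias(host, resolve) for host in hosts}


if __name__ == "__main__":
    for host, (canonical, verdict) in audit(THREAD_ALIASES).items():
        print(f"{host:28} -> {canonical:34} {verdict}")
```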