InformAction Forums

There seems to be a growing trend (maybe I just started to notice it) of sites using subdomains to redirect requests on their pages to third party sites. For example, fnbodirect.com uses a subdomain of sanalytics.fnbodirect.com which really is: fnbodirect.com.102.112.2o7.net

So if I allow content from fnbodirect.com but block content from 2o7.net, noscript doesn't know so doesn't block the sanalytics.fnbodirect.com content. I am also assuming that the surrogate function of NS would be bypassed - unless I manually make another source in about:config for a specific resource.

I find this disturbing - it seems like sites are actively trying to fool their users into not knowing they are using 3rd party content, which I find disgusting. Especially when it is done by financial related sites like banks, brokerages, insurance, etc.

Some questions:

1) Is there a specific term for this type of redirect action? I tried to research this topic, but didn't have much luck - either because nobody cares, nobody notices, or because I don't know what to search on!

2) In the past, I would allow all subdomains of a site I trust to be trusted as well. I have stopped doing that, but getting sites I need to use to work is a much bigger task. Obviously, one solution is to simply stop using sites that do this - since if they are trying to fool me this way, why should I trust them at all!

3) I also use ABE to anonymize almost everything that I don't specifically allow or deny, which is probably complicating things. In the example above, ABE anonymizes fnbodirect.com's access to sanalytics.fnbodirect.com - as it should be doing the way I have things set up. I know how to make ABE allow access, but don't want to.

4) Am I being to paranoid? I don't like sites using 3rd party access, since you don't know what they are sharing or tracking, especially to mega companies like adobe (2o7.net, omiture,etc.) and especially google.

So is this a new trend, or is it something I just started noticing? What are other NS users doing about this?

Is it really much more than just that one site that does this? I haven't seen this as far as I can remember.

Bear in mind that what makes this special is that they are redirecting a entire subdomain of their site to a tracking domain, not just that they're redirecting to a 3rd-party site - some 3rd parties may even contain content authored by the site itself.

skkukuk wrote:Some questions:

[...]

2) In the past, I would allow all subdomains of a site I trust to be trusted as well. I have stopped doing that, but getting sites I need to use to work is a much bigger task. Obviously, one solution is to simply stop using sites that do this - since if they are trying to fool me this way, why should I trust them at all!

3) I also use ABE to anonymize almost everything that I don't specifically allow or deny, which is probably complicating things. In the example above, ABE anonymizes fnbodirect.com's access to sanalytics.fnbodirect.com - as it should be doing the way I have things set up. I know how to make ABE allow access, but don't want to.

Er, those aren't questions..

skkukuk wrote:4) Am I being to paranoid? I don't like sites using 3rd party access, since you don't know what they are sharing or tracking, especially to mega companies like adobe (2o7.net, omiture,etc.) and especially google.

You're not being too paranoid, no. It's reasonable to be concerned about this kind of behavior.

skkukuk wrote:What are other NS users doing about this?

What is there to be done? NoScript blocks all active content, if that's not enough create an ABE rule to anon or deny the request.
Basically you have the right idea IMO.

You can also mark the subdomain as Untrusted if you want.

barbaz wrote:Is it really much more than just that one site that does this? I haven't seen this as far as I can remember.

Bear in mind that what makes this special is that they are redirecting a entire subdomain of their site to a tracking domain, not just that they're redirecting to a 3rd-party site - some 3rd parties may even contain content authored by the site itself.

I have seen it in at least 4 places, although 1 of those was a 3rd party statement processor. While I don't like that, I am less concerned than when the 3rd party is adobe, google, etc.

barbaz wrote: What is there to be done? NoScript blocks all active content, if that's not enough create an ABE rule to anon or deny the request.
Basically you have the right idea IMO.

You can also mark the subdomain as Untrusted if you want.

I guess I was wondering if others had noticed this, and what they are doing about it. I don't know that there is any automatic way of detecting/blocking this type of activity, but if there is - I would be interested in knowing about it.

skkukuk wrote:I guess I was wondering if others had noticed this, and what they are doing about it. I don't know that there is any automatic way of detecting/blocking this type of activity, but if there is - I would be interested in knowing about it.

NoRedirect can help with some of that.
As for the rest... maybe try Policeman?

It's not uncommon for sites to have a tracking/advertising subdomain. Consider stats.wordpress.com, or analytics.yahoo.com.

Personally, I solve this problem by allowing full addresses, not base 2nd-level domains (under Options-Appearance). It means more work on sites that have lots of subdomains, but it's a price I've been willing to pay - and I still have the option of allowing a base domain if I want to. NoScript is quite good at letting different rule granularities co-exist.

Thrawn wrote:It's not uncommon for sites to have a tracking/advertising subdomain. Consider stats.wordpress.com, or analytics.yahoo.com.

This is not just a tracking/advertising subdomain of a site.. the situation here is that a subdomain of a site is an alias for a 3rd-party tracker.

barbaz wrote:This is not just a tracking/advertising subdomain of a site.. the situation here is that a subdomain of a site is an alias for a 3rd-party tracker.

OK, but handling them works about the same way.

Thrawn wrote:

barbaz wrote:This is not just a tracking/advertising subdomain of a site.. the situation here is that a subdomain of a site is an alias for a 3rd-party tracker.

OK, but handling them works about the same way.

Both correct, but still a concern I am not sure most are aware of. Here is another example:

Brokers Ameritrade and Scottrade are doing this subdomain aliasing/redirecting. Ameritrade has several:

research.ameritrade.com is really research.ameritrade.wallst.com
valubond.ameritrade.com is really ameritrade.valubond.com
morningstar.ameritrade.com is really morningstar.ameritrade.com.3.web.morningstar.com
sstats.tdameritrade.com is really tdameritrade.com.102.112.2o7.net

Scottrade has the same redirect to wallst.com

research.scottrade.com is really research.scottrade.wallst.com

While investigating the above, it dawned on me that there is a bigger problem with what they are doing, which may have been obvious to the two of you. Normally, at least the way I have firefox set up, cookies are not sent to third party sites. So if I am on scottrade.com, and they have something that pulls content from wallst.com, no scottrade cookies or wallst.com cookies get sent to wallst.com. However, with the subdomain research.scottrade.com redirecting to research.scottrade.wallst.com, cookies for research.scottrade.com AND scottrade.com are now all sent to wallst.com. Potentially worse, since Ameritrade does the same thing, wallst.com now has the potential of seeing that I use both. However, since wallst.com may not be able to set their own wallst.com cookie when coming through the redirected subdomain, that may not be as bad is it seems - but I am now past my level of understanding of how all of this works.

Again, I am bringing this up for discussion to make this practice known to people, and to discuss what to do about it for those paranoids out there like me! My approach now is as follows:

1) Stop allowing base 2nd level domains (whatever.com) and only allow full domains or full addresses. Certainly full addresses for 2nd level domains (full address only allows http://whatever.com)

2) Use ABE to anonymize all references that go through a redirected subdomain. Of course, this may not allow that content to work, but in many cases it still works fine.

3) Where anonymizing in 2) above doesn't work, and if I really need the functions, only allow session cookies for the main site and all subdomains. For the examples above, both scottrade and ameritrade actually use their own subdomains for most of their own content (trading.scottrade.com and invest.ameritrade.com) so if necessary those cookies could be kept beyond the session, since they would not be sent to research.scottrade.com or research.ameritrade.com.

3a) In case you are wondering why it is necessary to keep any cookies beyond the end of the session, several sites I use require extensive extra login steps (security questions) if you don't keep cookies. However, scottrade at least doesn't do that. Yet. (And if they do, hopefully the related cookies will be kept under trading.scottrade.com)

So the biggest problem I still have, is the amount of work it takes to do the above (which is fine), but more importantly how to identify when this activity is happening, which is a bigger problem. I did at least find a feature of noscript that I was not aware of that helps a bit: When you right click on the Allow or (Temporarily allow) menu item in the noscript icon menu, the site you would be allowing is copied to the clipboard so it can be pasted into whatever utility you use to examine the subdomain to see where it really goes.

Thanks for listening - and I look forward to whatever anyone else thinks or is doing. And special thanks to Giorgio for giving us noscript - and maybe even more important giving us ABE. They are the best defensive weapons in this war on privacy!

Thank you so much for posting that.

skkukuk wrote:it dawned on me that there is a bigger problem with what they are doing, which may have been obvious to the two of you. Normally, at least the way I have firefox set up, cookies are not sent to third party sites. So if I am on scottrade.com, and they have something that pulls content from wallst.com, no scottrade cookies or wallst.com cookies get sent to wallst.com. However, with the subdomain research.scottrade.com redirecting to research.scottrade.wallst.com, cookies for research.scottrade.com AND scottrade.com are now all sent to wallst.com.

It's not obvious to me at all! Unless, of course, you Allow 3rd party cookies only from sites you visited. But it doesn't sound like that's your case...

Don't like that. I'll have to look into it.

I don't think I'm entirely following what you mean by a 'redirected' subdomain. Do you mean that it resolves to the same IP address? Or that there is an actual HTTP redirect happening (which would restore the usual domain-based controls)? Or something else?

Thrawn wrote:I don't think I'm entirely following what you mean by a 'redirected' subdomain. Do you mean that it resolves to the same IP address? Or that there is an actual HTTP redirect happening (which would restore the usual domain-based controls)? Or something else?

Maybe I should have called it a subdomain alias (As stated in my original post, I wasn't what this should be called). Using the original example of sanalytics.fnbodirect.com, the DNS entries contain a CNAME record that points to fnbodirect.com.102.112.2o7.net. According to wikipedia: "A CNAME record is an abbreviation for Canonical Name record" which is an "Alias of one name to another: the DNS lookup will continue by retrying the lookup with the new name."
I don't think the browser or NoScript or ABE are aware of the fact that the sanalytics.fnbodirect.com is really an alias. I don't know if NoScript or ABE could be made aware of the fact it is an alias without doing some kind of additional DNS lookup of their own, or what the overhead would be.

Anyway, I hope that clarifies what I am talking about.

Edit: Added nslookup below, in case it helps:

Gak. I was assuming you meant "HTTP/301". This isn't a "redirect", I don't know the term either but it's something more like "DNS alias".

It's normal for cookies to "transfer" in that situation because it's all in the same domain to the browser.

My suggestion now is to not trust that site at all if possible. And I too think NoScript should try to be aware of this if possible.
(TMK I have never seen CNAME used like that before.)

How cute! They're mapping one of their subdomains to their tracker's IP address so that the cookies are considered first-party.

It just goes to show that the usual browser security policies were not designed to stop sites from willingly collaborating. Conspirators will always find a way...of course, sometimes it's a much worse way, but they'll always find a way.

Here are a few more examples:
Had to work to be able to get logged on to Fidelity today after removing fidelity.com from my NS whitelist and swithching to only allowing full addresses. Now have NS allowing scripts from 3 true Fidelity subdomains (using full addressess) for scs.fidelity.com, oltx.fidelity.com, and login.fidelity.com

To get things to work, I also have to allow scripts from two aliased subdomains: www.fidelity.com and www.fid-inv.com (both anonymized by ABE at least)

Not sure what akamai/akamaiedge is, but I still want to anonymize/strip cookies. Here are my current ABE rules for Fidelity (work in progress!)
I think this set of ABE rules does what I want, but I may hit other fidelity subdomains or other snags as time goes on. Please feel free to comment if you see any flaws in the above.

akamai(edge) is a CDN / hosting, that is probably a perfectly legitimate DNS aliasing as the content you get there is likely just the site's content. The site is just mapping it to their subdomains for convenience.
Personally I wouldn't worry about that one at all.