Page 1 of 1
Cloudfront appearing in a lot of sites
Posted: Fri Dec 05, 2014 6:18 pm
by Sharcs
Just a quick question. I've been using NoScript for a while now and I've noticed the sudden surge in sites that have "cloudfront.net" included in their list to allow. I'm talking like one in every 4 or 5 sites (rough estimate) I come across has some kind of something that ends with "cloudfront.net". Here's the one I found in change.org "d22r54gnmuhwmk.cloudfront.net". Another url I've notices is "s3.amazonaws.com".
I've looked into these and the domain seems to be a legitimate Amazon service but I can't help feel something is not right considering that they all just started appearing suddenly with no gradual increase, they basically just appeared one day.
I'm I being over-paranoid or is my system infected?
Re: Cloudfront appearing in a lot of sites
Posted: Sat Dec 06, 2014 2:03 am
by barbaz
Well, cloudfront.net and s3.amazonaws.com are both Amazon-hosted CDNs which could be used by anyone...
Sharcs wrote:Here's the one I found in change.org "d22r54gnmuhwmk.cloudfront.net"
You haven't given enough information to judge whether "generally" these cloudfront appearances are malware, but that one is legitimate - I completely block cloudfront.net everywhere, and the site was missing all its style.
Can you give other examples?
Re: Cloudfront appearing in a lot of sites
Posted: Sat Dec 06, 2014 3:44 am
by Sharcs
barbaz wrote:Well, cloudfront.net and s3.amazonaws.com are both Amazon-hosted CDNs which could be used by anyone...
Sharcs wrote:Here's the one I found in change.org "d22r54gnmuhwmk.cloudfront.net"
You haven't given enough information to judge whether "generally" these cloudfront appearances are malware, but that one is legitimate - I completely block cloudfront.net everywhere, and the site was missing all its style.
Can you give other examples?
Thanks
So as long as it ends in "cloudfront.net" and "s3.amazonaws.com" they're ok right? And there is no known way of exploiting that... right?
Re: Cloudfront appearing in a lot of sites
Posted: Sat Dec 06, 2014 3:46 am
by Sharcs
Also I'll try and collect a few of them and dump them here in a few days and you guys can decide.
Re: Cloudfront appearing in a lot of sites
Posted: Sat Dec 06, 2014 4:43 am
by barbaz
Sharcs wrote:So as long as it ends in "cloudfront.net" and "s3.amazonaws.com" they're ok right? And there is no known way of exploiting that... right?
I don't know what you mean here. What I'm saying is that if you see "cloudfront.net" or "s3.amazonaws.com" in the NoScript menu, that's no indication of what it is, because it could come from pretty much anyone. If you're really worried about it, good test is to block cloudfront/amazonaws completely using ABE (add this NoScript Options > Advanced > ABE > USER)
Code: Select all
Site .cloudfront.net .s3.amazonaws.com
Deny
and see what breaks. If it completely breaks a site, the specific cloudfront/s3.amazonaws domain(s) does belong to the site you're visiting (or is legitimately used by it), so add above your ABE rule
Code: Select all
Site [exact-cloudfront-or-amazonaws-full-domain] [other-exact-cloudfront-or-amazonaws-full-domain-if-the-site-has-more-than-one]
Accept from [site-that-breaks-without-it-allowed]
replacing the things in [] with what they say.
(If the site requires dynamic cloudfront/amazonaws domains use ".cloudfront.net" for cloudfront and ".s3.amazonaws.com" for amazonaws.)
If a site tries to load cloudfront/amazonaws but works with it blocked then just leave it blocked, it's not gonna be something you want anyway.
Note this can be a bit of a PITA but if you're concerned enough about it you'll find it's worth the time (and does catch some trackers/crap).