NNSquad - Network Neutrality Squad

NNSquad Home Page

NNSquad Mailing List Information

 

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[ NNSquad ] Re: Liability issues in ISP-injected ad systems?

Brett Glass wrote: 
It is unclear why this would create any more or different vulnerabilities
than one might expect from any other site which contained third party
advertising.

That being said, our ISP has considered catching DNS errors for a different reason. An increasing number of our users seem to have "DNS error redirectors" installed on their machines -- either when they buy them (it seems to be a "feature" of many vendors' installations of Windows Vista) or when they install third party toolbars, etc. Some of these redirectors seem to be designed to hijack and/or mislead the user.

If we redirect the errors to our own error page, we can actually protect our users from security vulnerabilities and hijacking that might occur if we let them get an NXDOMAIN result back.

I think this may reinforce the point I made at 8:25AM today. When Earthlink did this, they did it because executives perceived that there was money to be made selling ads on this "service". I doubt that anybody who understands the protocols and the reasoning behind them was consulted.

Brett, by contrast, while acting as the executive of an ISP, is also a technically competent engineer who _does_ understand some of the issues involved. So he has taken action which _prevents_ security vulnerabilities, rather than introducing new ones. [At least as long as he keeps his servers secure -- part of the problem with the original story was that Earthlink was delegating the ad service to a third party with no understanding of the issues involved, even though Earthlink probably has many talented engineers who would (probably) have prevented this vulnerability if the ads had been presented via Earthlink's own servers.]