[swinog] Re: Swisscom DNS issue: spectrum-conference.org wrongfully resolves to a bluewin address in swisscom mobile networks

[Urs Baumann via swinog]

I could hack your computer and spy on you.
Even it it's not permitted by laws, what stops me from doing it?

Von: Samuel B. via swinog 
Gesendet: Dienstag, 23. April 2024 12:43
An: swinog@lists.swinog.ch 
Betreff: [swinog] Re: Swisscom DNS issue: spectrum-conference.org wrongfully 
resolves to a bluewin address in swisscom mobile networks

Public DNS Providers could possibly abuse their position and see what users of 
it are doing on the internet. It‘s different though, because a public dns 
provider cannot see who the user is exactly, they could take a good guess at 
it, but it‘s not always certain. ISPs (atleast swiss providers) have logs of 
IPs to Customer. This would allow the ISP to see exactly what customer XYZ is 
doing on the internet. Even if it‘s not permitted by privacy laws, what stops 
the provider from accessing it? Public Providers could do the same, but they 
most definitely do not know the exact name, address and other details about the 
customer, as the ISP can.
___
swinog mailing list -- swinog@lists.swinog.ch
To unsubscribe send an email to swinog-le...@lists.swinog.ch
___
swinog mailing list -- swinog@lists.swinog.ch
To unsubscribe send an email to swinog-le...@lists.swinog.ch

[swinog] Re: Swisscom DNS issue: spectrum-conference.org wrongfully resolves to a bluewin address in swisscom mobile networks

[Samuel B. via swinog]

Public DNS Providers could possibly abuse their position and see what users of 
it are doing on the internet. It‘s different though, because a public dns 
provider cannot see who the user is exactly, they could take a good guess at 
it, but it‘s not always certain. ISPs (atleast swiss providers) have logs of 
IPs to Customer. This would allow the ISP to see exactly what customer XYZ is 
doing on the internet. Even if it‘s not permitted by privacy laws, what stops 
the provider from accessing it? Public Providers could do the same, but they 
most definitely do not know the exact name, address and other details about the 
customer, as the ISP can.
___
swinog mailing list -- swinog@lists.swinog.ch
To unsubscribe send an email to swinog-le...@lists.swinog.ch

[swinog] Re: Swisscom DNS issue: spectrum-conference.org wrongfully resolves to a bluewin address in swisscom mobile networks

[Benoit Panizzon via swinog]

Hi Samuel

> That still does not answer why you as an ISP try to convince your
> customers to not use Public DNS Servers, or „not seeing a reason“ in
> them doing so.

Let's see... why would those companies operate those public DNS Servers
'for free'? Nothing's free, right? Probably they get some benefit of
it...

Mit freundlichen Grüssen

-Benoît Panizzon-
-- 
I m p r o W a r e   A G-Leiter Commerce Kunden
__

Zurlindenstrasse 29 Tel  +41 61 826 93 00
CH-4133 PrattelnFax  +41 61 826 93 01
Schweiz Web  http://www.imp.ch
__
___
swinog mailing list -- swinog@lists.swinog.ch
To unsubscribe send an email to swinog-le...@lists.swinog.ch

[swinog] Re: Swisscom DNS issue: spectrum-conference.org wrongfully resolves to a bluewin address in swisscom mobile networks

[Samuel B. via swinog]

That‘s the legal aspect of things. That is of course totally normal. Every ISP 
has to follow that. Blocking other sites at your own will, just like swisscom 
is doing here, is not. 

Having users that simply do not wish to be blocked by your blocking service for 
„gambling”, or those that simply do not trust your DNS servers should still be 
free to use public DNS servers.

That still does not answer why you as an ISP try to convince your customers to 
not use Public DNS Servers, or „not seeing a reason“ in them doing so.
___
swinog mailing list -- swinog@lists.swinog.ch
To unsubscribe send an email to swinog-le...@lists.swinog.ch

[swinog] Re: Swisscom DNS issue: spectrum-conference.org wrongfully resolves to a bluewin address in swisscom mobile networks

[Benoit Panizzon via swinog]

Hi Samuel

> Matter of fact! That‘s what it looks like IMP is also (atleast attempting to 
> be) doing. (blocklist.imp.ch)

I don't know this host.

https://refused.breitband.ch/ here you go, not a secret. Legal background 
explained.
 
> This is the exact same behaviour as Swisscom in this case. 

As required by law, implemented as (broken as) requested. Not a secret,
all Swiss ISP are affected.

Mit freundlichen Grüssen

-Benoît Panizzon-
-- 
I m p r o W a r e   A G-Leiter Commerce Kunden
__

Zurlindenstrasse 29 Tel  +41 61 826 93 00
CH-4133 PrattelnFax  +41 61 826 93 01
Schweiz Web  http://www.imp.ch
__
___
swinog mailing list -- swinog@lists.swinog.ch
To unsubscribe send an email to swinog-le...@lists.swinog.ch

[swinog] Re: Swisscom DNS issue: spectrum-conference.org wrongfully resolves to a bluewin address in swisscom mobile networks

[Samuel B. via swinog]

I find your last statement very ironic. 

There are valid reasons for using a different server than the ISP provided 
ones. Whether it‘s latency, as mentioned before deciding who gets to have 
access to the „valuable personal information“ or simply distrusting the ISP, as 
any ISP could „unintentionally“ or intentionally do the same as Swisscom has 
done here. That wouldn‘t colide with privacy laws in any way.

ISP XYZ could say; Well that Website is „dangerous for our users“, let‘s send 
it to our blackhole / blocking „service“!

-> And then the ISP wonders why users are switching DNS Servers?

Matter of fact! That‘s what it looks like IMP is also (atleast attempting to 
be) doing. (blocklist.imp.ch)

This is the exact same behaviour as Swisscom in this case. 

Getting back on topic, there are many valid reasons. The provider in this case 
shouldn‘t judge upon this user behaviour. Users are totally free to use their 
own or public large DNS servers to avoid ISP blocking.
___
swinog mailing list -- swinog@lists.swinog.ch
To unsubscribe send an email to swinog-le...@lists.swinog.ch

[swinog] Re: Swisscom DNS issue: spectrum-conference.org wrongfully resolves to a bluewin address in swisscom mobile networks

[Benoit Panizzon via swinog]

Hi

> So you are saying that relying on the provider dns and having to use
> it instead of other public (non-modifying) DNS Servers will not feed
> the internet provider with this „valuable personal data“? 

There are privacy laws in place.
I would not consider this good practice.
I don't think (maybe I'm mistaking) that an ISP would have any benefit
of collecting, analyzing such data. Selling / using such data for
marketing would probably cash with privacy laws. Disclaimer: IANAL.

> Also are you saying that the user shouldn‘t use any public,
> non-modified DNS Servers, just for that fact? Are you implementing the
> same measures as Swisscom?

There are legal requirements regarding DNS which OFCOM registered TSP
have to follow.

So, yes, I understand every nerd who operates their own DNS server to
avoid his personal data being used by the 'big ones' and to get 'free'
access to the whole internet, but I don't understand why customers
would want to use 8.8.8.8 or 1.1.1.1 instead of their providers DNS for
those reasons.

Mit freundlichen Grüssen

-Benoît Panizzon-
-- 
I m p r o W a r e   A G-Leiter Commerce Kunden
__

Zurlindenstrasse 29 Tel  +41 61 826 93 00
CH-4133 PrattelnFax  +41 61 826 93 01
Schweiz Web  http://www.imp.ch
__
___
swinog mailing list -- swinog@lists.swinog.ch
To unsubscribe send an email to swinog-le...@lists.swinog.ch

[swinog] Re: Swisscom DNS issue: spectrum-conference.org wrongfully resolves to a bluewin address in swisscom mobile networks

[mail--- via swinog]

So you are saying that relying on the provider dns and having to use it instead 
of other public (non-modifying) DNS Servers will not feed the internet provider 
with this „valuable personal data“? Also are you saying that the user shouldn‘t 
use any public, non-modified DNS Servers, just for that fact? Are you 
implementing the same measures as Swisscom?
___
swinog mailing list -- swinog@lists.swinog.ch
To unsubscribe send an email to swinog-le...@lists.swinog.ch

[swinog] Re: Swisscom DNS issue: spectrum-conference.org wrongfully resolves to a bluewin address in swisscom mobile networks

[Andreas Fink via swinog]

it would only be fair if swisscom declare their offer not to be "internet" but 
some "protected network connectivity including part of the internet". At least 
then the end user can decide.
I don't think their concept is compatible with net neutrality otherwise.

And you can not opt-in or opt-out if you are not aware.

> On 23 Apr 2024, at 12:30, Marc SCHAEFER via swinog  
> wrote:
> 
> Hello,
> 
> On Tue, Apr 23, 2024 at 10:04:14AM +0200, Stefan via swinog wrote:
>> But you know that it is already daily business that Swiss ISP's are blocking
>> websites?
> 
> One of the example you give was voted by the Swiss people (Casino blocking).
> ISP have no say in that matter.  Some countries go way further in blocking
> "content" (as was mentionned on the list earlier).
> 
> But here, we are discussing additional security measures that some ISPs,
> including Swisscom, are taking: Swiss people did not vote yet about blocking
> malware.
> 
> And Swisscom also blocks / intercepts / redirects SMTP for quite a few years
> now, for end users.  On port 25 (not on 587 nor 465 AFAIK).  I think they are
> pretty unique in that aspect (other ISPs usually simply block incoming
> port 25, they don't AFAIK filter out outgoing).
> 
>> Use other DNS-Servers if you want to be "free", but accept the risk.
> 
> That could be a solution: an opt-out.  It *seems* to me that Sunrise, e.g.,
> actually even offers an opt-in, as their firewalling service is usually
> valued at 5 CHF/month but in essence free to the end user (not sure what it
> really does) and can be refused when ordering.
> 
> In my opinion, the most important thing is that the blocking be documented to
> the end-user, even on every month's invoice, and that opt-out (or opt-in) be
> offered for everything that is not compulsory by law.
> 
> Have a nice day.
> ___
> swinog mailing list -- swinog@lists.swinog.ch
> To unsubscribe send an email to swinog-le...@lists.swinog.ch


___
swinog mailing list -- swinog@lists.swinog.ch
To unsubscribe send an email to swinog-le...@lists.swinog.ch

[swinog] Re: Swisscom DNS issue: spectrum-conference.org wrongfully resolves to a bluewin address in swisscom mobile networks

[Marc SCHAEFER via swinog]

Hello,

On Tue, Apr 23, 2024 at 10:04:14AM +0200, Stefan via swinog wrote:
> But you know that it is already daily business that Swiss ISP's are blocking
> websites?

One of the example you give was voted by the Swiss people (Casino blocking).
ISP have no say in that matter.  Some countries go way further in blocking
"content" (as was mentionned on the list earlier).

But here, we are discussing additional security measures that some ISPs,
including Swisscom, are taking: Swiss people did not vote yet about blocking
malware.

And Swisscom also blocks / intercepts / redirects SMTP for quite a few years
now, for end users.  On port 25 (not on 587 nor 465 AFAIK).  I think they are
pretty unique in that aspect (other ISPs usually simply block incoming
port 25, they don't AFAIK filter out outgoing).

> Use other DNS-Servers if you want to be "free", but accept the risk.

That could be a solution: an opt-out.  It *seems* to me that Sunrise, e.g.,
actually even offers an opt-in, as their firewalling service is usually
valued at 5 CHF/month but in essence free to the end user (not sure what it
really does) and can be refused when ordering.

In my opinion, the most important thing is that the blocking be documented to
the end-user, even on every month's invoice, and that opt-out (or opt-in) be
offered for everything that is not compulsory by law.

Have a nice day.
___
swinog mailing list -- swinog@lists.swinog.ch
To unsubscribe send an email to swinog-le...@lists.swinog.ch

[swinog] Re: Swisscom DNS issue: spectrum-conference.org wrongfully resolves to a bluewin address in swisscom mobile networks

[Stefan via swinog]

But you know that it is already daily business that Swiss ISP's are 
blocking websites?


Just an example:
https://www.esbk.admin.ch/esbk/de/home/illegalesspiel/zugangssperren.html
https://abuse.ch/

I had already requests from customers to grant them access to phishing 
sites, only that they can enter their usernames and passwords (facepalm)...
Then phishing and malware is one thing, but there are also connections 
to botnets which are used for DDoS etc., so it is also a precaution for 
ISP's to protect themselves (Infrastructure, IP-Reputation and so on).


Use other DNS-Servers if you want to be "free", but accept the risk.


Am 23.04.2024 um 09:45 schrieb Andreas Fink via swinog:

I disagree. Its not swisscoms role to censorship the internet. Even if the idea 
might be honorable,  to keep the bad guys out, the machinery put in place is 
resulting in something which will be abused for political agendas. Given 
swisscom is state owned, the risk is even higher. Its a risk to democracy you 
should not under estimate. Maybe you are too young but you should read George 
Orwells 1984 to see where this is going. I have been an indirect victim of a 
blocking which costed me 10 years in court case and legal fees of half a 
million stacking up. You can not imagine what political blocking can do to your 
business. And here we have swisscom put a machinery in place that politicians 
can just ask for it by the clock of a button. Now dont tell me they will not 
use this powerful weapon one day agains someone they dont like their political 
views of. Totalitarian states do it already up to certain extent (Russia, 
Turkmenistan, US, Iran, middle east, Turkey...)


Am 23.04.2024 um 11:34 schrieb Daniel Stirnimann via swinog 
:



Yes, I understand the technical issues. And yes it's ugly. But do you have a 
better solution?

Swisscom should stop tampering with DNS, as it does not work, and is no 
solution to the problem.

I disagree, Swisscom still misses a lot of phishing and malware websites. I would 
like them to be way more aggressive. Their support staff has to deal with calls 
from infected customers. They might as well try as good a possible to prevent it 
from happening in the first place. If you belong to the <0.1% of people who 
want unfiltered DNS, just run your recursive resolver.


Part of the problem is that the user doesn’t get an error message at all, and 
then mails us „hey, your website is down“.

Eventually, web browser will show better responses for none resolvable domain 
names e.g. by utilizing Extended DNS Errors (RFC 8914).

EDE has code points for filtered or blocked DNS responses. Until web browser 
care more about DNS, I advice to be as verbose as possible when you block 
something.

For example, make the DNS output more verbose so that at least administrators 
realize why a domain name is blocked. Swisscom could have used a CNAME in the 
answer section to blocked.swisscom.com and they could also add an additional 
section with a SOA indicating the origin of the blocking. The RNAME field could 
be their report false positive email address and so on.

Daniel

___
swinog mailing list -- swinog@lists.swinog.ch
To unsubscribe send an email to swinog-le...@lists.swinog.ch


___
swinog mailing list -- swinog@lists.swinog.ch
To unsubscribe send an email to swinog-le...@lists.swinog.ch

___
swinog mailing list -- swinog@lists.swinog.ch
To unsubscribe send an email to swinog-le...@lists.swinog.ch

[swinog] Re: Swisscom DNS issue: spectrum-conference.org wrongfully resolves to a bluewin address in swisscom mobile networks

[Andreas Fink via swinog]

I disagree. Its not swisscoms role to censorship the internet. Even if the idea 
might be honorable,  to keep the bad guys out, the machinery put in place is 
resulting in something which will be abused for political agendas. Given 
swisscom is state owned, the risk is even higher. Its a risk to democracy you 
should not under estimate. Maybe you are too young but you should read George 
Orwells 1984 to see where this is going. I have been an indirect victim of a 
blocking which costed me 10 years in court case and legal fees of half a 
million stacking up. You can not imagine what political blocking can do to your 
business. And here we have swisscom put a machinery in place that politicians 
can just ask for it by the clock of a button. Now dont tell me they will not 
use this powerful weapon one day agains someone they dont like their political 
views of. Totalitarian states do it already up to certain extent (Russia, 
Turkmenistan, US, Iran, middle east, Turkey...)

> Am 23.04.2024 um 11:34 schrieb Daniel Stirnimann via swinog 
> :
> 
> 
>> 
>>> Yes, I understand the technical issues. And yes it's ugly. But do you have 
>>> a better solution?
>> Swisscom should stop tampering with DNS, as it does not work, and is no 
>> solution to the problem.
> 
> I disagree, Swisscom still misses a lot of phishing and malware websites. I 
> would like them to be way more aggressive. Their support staff has to deal 
> with calls from infected customers. They might as well try as good a possible 
> to prevent it from happening in the first place. If you belong to the <0.1% 
> of people who want unfiltered DNS, just run your recursive resolver.
> 
>> Part of the problem is that the user doesn’t get an error message at all, 
>> and then mails us „hey, your website is down“.
> 
> Eventually, web browser will show better responses for none resolvable domain 
> names e.g. by utilizing Extended DNS Errors (RFC 8914).
> 
> EDE has code points for filtered or blocked DNS responses. Until web browser 
> care more about DNS, I advice to be as verbose as possible when you block 
> something.
> 
> For example, make the DNS output more verbose so that at least administrators 
> realize why a domain name is blocked. Swisscom could have used a CNAME in the 
> answer section to blocked.swisscom.com and they could also add an additional 
> section with a SOA indicating the origin of the blocking. The RNAME field 
> could be their report false positive email address and so on.
> 
> Daniel
> 
> ___
> swinog mailing list -- swinog@lists.swinog.ch
> To unsubscribe send an email to swinog-le...@lists.swinog.ch


___
swinog mailing list -- swinog@lists.swinog.ch
To unsubscribe send an email to swinog-le...@lists.swinog.ch

[swinog] Re: Swisscom DNS issue: spectrum-conference.org wrongfully resolves to a bluewin address in swisscom mobile networks

[Benoit Panizzon via swinog]

> Part of the problem is that the user doesn’t get an error message at all, and 
> then mails us „hey, your website is down“.

Also throwing in my 2 rappen:

User notices: Provider DNS is misbehaving, blames Provider, and uses
DNS of Google / Cloudflare feeding them valuable personal data.

But no, I have no solution either.

Mit freundlichen Grüssen

-Benoît Panizzon-
-- 
I m p r o W a r e   A G-Leiter Commerce Kunden
__

Zurlindenstrasse 29 Tel  +41 61 826 93 00
CH-4133 PrattelnFax  +41 61 826 93 01
Schweiz Web  http://www.imp.ch
__
___
swinog mailing list -- swinog@lists.swinog.ch
To unsubscribe send an email to swinog-le...@lists.swinog.ch

[swinog] Re: Swisscom DNS issue: spectrum-conference.org wrongfully resolves to a bluewin address in swisscom mobile networks

[sygon--- via swinog]

As a former malware researcher: no, this is not an ideal solution. Yes, we
don't have anything better (well, there is the Google Safe Browsing list
which most of the major browsers use).  And, yes, it is a widely used
method and it's effective.

Attila

On Tue, Apr 23, 2024 at 9:34 AM Daniel Stirnimann via swinog - swinog at
lists.swinog.ch  wrote:

> >> Yes, I understand the technical issues. And yes it's ugly. But do you
> have a better solution?
> >
> > Swisscom should stop tampering with DNS, as it does not work, and is no
> solution to the problem.
>
> I disagree, Swisscom still misses a lot of phishing and malware
> websites. I would like them to be way more aggressive. Their support
> staff has to deal with calls from infected customers. They might as well
> try as good a possible to prevent it from happening in the first place.
> If you belong to the <0.1% of people who want unfiltered DNS, just run
> your recursive resolver.
>
> > Part of the problem is that the user doesn’t get an error message at
> all, and then mails us „hey, your website is down“.
>
> Eventually, web browser will show better responses for none resolvable
> domain names e.g. by utilizing Extended DNS Errors (RFC 8914).
>
> EDE has code points for filtered or blocked DNS responses. Until web
> browser care more about DNS, I advice to be as verbose as possible when
> you block something.
>
> For example, make the DNS output more verbose so that at least
> administrators realize why a domain name is blocked. Swisscom could have
> used a CNAME in the answer section to blocked.swisscom.com and they
> could also add an additional section with a SOA indicating the origin of
> the blocking. The RNAME field could be their report false positive email
> address and so on.
>
> Daniel
>
> ___
> swinog mailing list -- swinog@lists.swinog.ch
> To unsubscribe send an email to swinog-le...@lists.swinog.ch
>
___
swinog mailing list -- swinog@lists.swinog.ch
To unsubscribe send an email to swinog-le...@lists.swinog.ch

[swinog] Re: Swisscom DNS issue: spectrum-conference.org wrongfully resolves to a bluewin address in swisscom mobile networks

[Daniel Stirnimann via swinog]

Yes, I understand the technical issues. And yes it's ugly. But do you have a 
better solution?


Swisscom should stop tampering with DNS, as it does not work, and is no 
solution to the problem.


I disagree, Swisscom still misses a lot of phishing and malware 
websites. I would like them to be way more aggressive. Their support 
staff has to deal with calls from infected customers. They might as well 
try as good a possible to prevent it from happening in the first place. 
If you belong to the <0.1% of people who want unfiltered DNS, just run 
your recursive resolver.



Part of the problem is that the user doesn’t get an error message at all, and 
then mails us „hey, your website is down“.


Eventually, web browser will show better responses for none resolvable 
domain names e.g. by utilizing Extended DNS Errors (RFC 8914).


EDE has code points for filtered or blocked DNS responses. Until web 
browser care more about DNS, I advice to be as verbose as possible when 
you block something.


For example, make the DNS output more verbose so that at least 
administrators realize why a domain name is blocked. Swisscom could have 
used a CNAME in the answer section to blocked.swisscom.com and they 
could also add an additional section with a SOA indicating the origin of 
the blocking. The RNAME field could be their report false positive email 
address and so on.


Daniel

___
swinog mailing list -- swinog@lists.swinog.ch
To unsubscribe send an email to swinog-le...@lists.swinog.ch

[swinog] Re: Swisscom DNS issue: spectrum-conference.org wrongfully resolves to a bluewin address in swisscom mobile networks

[Oliver Schad via swinog]

On Tue, 23 Apr 2024 08:59:07 +0200
Gert Doering via swinog  wrote:

> On Tue, Apr 23, 2024 at 08:55:49AM +0200, Serge Droz via swinog wrote:
> > Yes, I understand the technical issues. And yes it's ugly.   
> > But do you have a better solution?  
> 
> Since this is not a "solution", just a new sort of problem, it doesn't
> even qualify for a comparison.

Even IF it would have a relevant impact on the spread of malware (and I
agree with you that it definitely CAN'T), triggering actions that you
CAN'T know the further consequences of is not a good idea.

And furthermore, breaking protocols is usually an approach to do as
much damage as you want. It is not technically intended for providers
to do this. There is no interface to indicate that you are bending DNS
for security reasons.

In the end, this is just another approach to justify interfering with
the network. Once the lever has been successfully applied because of
cybercrime or malware, this will be extended more and more politically.
All experience to date simply shows that.

The Russians are evil? So block the network. The Chinese are evil? So
network blocking. Wikileaks is evil? Network blocking. Because the
users are poor sheep that we have to protect from evil information. And
it's not the users who decide what information is evil.

Best Regards
Oli

-- 
Automatic-Server AG •
Oliver Schad
Geschäftsführer
Hardstr. 46
9434 Au | Schweiz

www.automatic-server.com | oliver.sc...@automatic-server.com
Tel: +41 71 511 31 11 | Mobile: +41 76 330 03 47


pgpijCkOaZy5M.pgp
Description: OpenPGP digital signature
___
swinog mailing list -- swinog@lists.swinog.ch
To unsubscribe send an email to swinog-le...@lists.swinog.ch

[swinog] Re: Swisscom DNS issue: spectrum-conference.org wrongfully resolves to a bluewin address in swisscom mobile networks

[Oliver Schad via swinog]

On Tue, 23 Apr 2024 08:51:41 +0200
Serge Droz via swinog  wrote:

> It's actually a pretty smart and light way of protection the majority
> of users from malware. And yes, there will always be false positives.

Do you plan to compensate financial losses through that behaviour, i.e.
you block a webshop, a bank, an insurance?

Do you plan to compensate health issues through that behaviour, i.e.
you block an important health service?

Do you plan to compensate social issues through that behaviour, i.e.
you block an important social service, maybe a forum for unstable
personalities, who rely on that platform? Maybe to avoid suicide?

Are you sure, that this mechanism is "smart"? Maybe protection against
malware is less important, than you think when you don't know the
consequences of your actions.

Best Regards
Oli

-- 
Automatic-Server AG •
Oliver Schad
Geschäftsführer
Hardstr. 46
9434 Au | Schweiz

www.automatic-server.com | oliver.sc...@automatic-server.com
Tel: +41 71 511 31 11 | Mobile: +41 76 330 03 47


pgpA_fGXM9M7j.pgp
Description: OpenPGP digital signature
___
swinog mailing list -- swinog@lists.swinog.ch
To unsubscribe send an email to swinog-le...@lists.swinog.ch

[swinog] Re: Swisscom DNS issue: spectrum-conference.org wrongfully resolves to a bluewin address in swisscom mobile networks

[Marc Balmer via swinog]

> Am 23.04.2024 um 08:55 schrieb Serge Droz via swinog :
> 
> Yes, I understand the technical issues. And yes it's ugly. But do you have a 
> better solution?

Swisscom should stop tampering with DNS, as it does not work, and is no 
solution to the problem.

Part of the problem is that the user doesn’t get an error message at all, and 
then mails us „hey, your website is down“.


___
swinog mailing list -- swinog@lists.swinog.ch
To unsubscribe send an email to swinog-le...@lists.swinog.ch

[swinog] Re: Swisscom DNS issue: spectrum-conference.org wrongfully resolves to a bluewin address in swisscom mobile networks

[Gert Doering via swinog]

Hi,

On Tue, Apr 23, 2024 at 08:55:49AM +0200, Serge Droz via swinog wrote:
> Yes, I understand the technical issues. And yes it's ugly. 

It's not "ugly", it's outright failing to achieve anything, except 
signal "things are not working".  Why have a report form at all if it
can not be loaded due to certificate mismatch?  The world is no longer
HTTP-only...

> But do you have a better solution?

Since this is not a "solution", just a new sort of problem, it doesn't
even qualify for a comparison.

Gert Doering
-- NetMaster
-- 
have you enabled IPv6 on something today...?

SpaceNet AG  Vorstand: Sebastian v. Bomhard,
   Ingo Lalla, Karin Schuler
Joseph-Dollinger-Bogen 14Aufsichtsratsvors.: A. Grundner-Culemann
D-80807 Muenchen HRB: 136055 (AG Muenchen)
Tel: +49 (0)89/32356-444 USt-IdNr.: DE813185279
___
swinog mailing list -- swinog@lists.swinog.ch
To unsubscribe send an email to swinog-le...@lists.swinog.ch

[swinog] Re: Swisscom DNS issue: spectrum-conference.org wrongfully resolves to a bluewin address in swisscom mobile networks

[Serge Droz via swinog]

Yes, I understand the technical issues. And yes it's ugly. But do you 
have a better solution?




On 23.04.24 08:53, Marc Balmer wrote:




Am 23.04.2024 um 08:51 schrieb Serge Droz via swinog :

It's actually a pretty smart and light way of protection the majority of users 
from malware. And yes, there will always be false positives.

And yes, it's sad we have to do this, but that's mostly because our industry, 
despite promising the contrary for years, doesn't seem to be able to offer 
secure services and products.

The fact is, that states are getting feed up with this and will start 
legislating because we keep making empty promises and tell them they are stupid.

You don't have to believe me, but maybe you listen to John Curran:
https://www.youtube.com/watch?v=U1Ip39Qv-Zk

Sorry for the rant, but I feel your reply is condescending and uninformed. Just throwing 
around words like "internet police" etc doesn't solve anything.


Did you understand the technical issue this approach has?  Certificates don’t 
match, that is the issue.



--
Dr. Serge Droz
Member, FIRST Board of Directors
https://www.first.org
___
swinog mailing list -- swinog@lists.swinog.ch
To unsubscribe send an email to swinog-le...@lists.swinog.ch

[swinog] Re: Swisscom DNS issue: spectrum-conference.org wrongfully resolves to a bluewin address in swisscom mobile networks

[Marc Balmer via swinog]

> Am 23.04.2024 um 08:51 schrieb Serge Droz via swinog :
> 
> It's actually a pretty smart and light way of protection the majority of 
> users from malware. And yes, there will always be false positives.
> 
> And yes, it's sad we have to do this, but that's mostly because our industry, 
> despite promising the contrary for years, doesn't seem to be able to offer 
> secure services and products.
> 
> The fact is, that states are getting feed up with this and will start 
> legislating because we keep making empty promises and tell them they are 
> stupid.
> 
> You don't have to believe me, but maybe you listen to John Curran:
> https://www.youtube.com/watch?v=U1Ip39Qv-Zk
> 
> Sorry for the rant, but I feel your reply is condescending and uninformed. 
> Just throwing around words like "internet police" etc doesn't solve anything.

Did you understand the technical issue this approach has?  Certificates don’t 
match, that is the issue.

___
swinog mailing list -- swinog@lists.swinog.ch
To unsubscribe send an email to swinog-le...@lists.swinog.ch

[swinog] Re: Swisscom DNS issue: spectrum-conference.org wrongfully resolves to a bluewin address in swisscom mobile networks

[Serge Droz via swinog]

It's actually a pretty smart and light way of protection the majority of 
users from malware. And yes, there will always be false positives.


And yes, it's sad we have to do this, but that's mostly because our 
industry, despite promising the contrary for years, doesn't seem to be 
able to offer secure services and products.


The fact is, that states are getting feed up with this and will start 
legislating because we keep making empty promises and tell them they are 
stupid.


You don't have to believe me, but maybe you listen to John Curran:
https://www.youtube.com/watch?v=U1Ip39Qv-Zk

Sorry for the rant, but I feel your reply is condescending and 
uninformed. Just throwing around words like "internet police" etc 
doesn't solve anything.


Best
Serge

On 23.04.24 08:38, Marc Balmer via swinog wrote:
Swisscom returns this IP address for blocked domain names most likely 
because it assumes this website is compromised (phishing, malware).


If you visit this IP address in a web browser you are redirected to 
https://www.swisscom.ch/abuse-info


That explains.  From a technical point of view, that is one of the most 
stupid things one can possibly do.  Whoever invented this, has no clue 
how the web works:


1) I point my browser to https://spectrum-conference.org 
 (or any other domain where swisscom 
acts as the internet police)
2) Swisscom tampers with DNS and returns the address of one of their own 
servers
3) My browser opens a connection to it *and of course the website's 
HTTPS certificate does not match*
4) My browser shows an error message that a secure connection can not be 
made (at least all Apple device do this)

5) Swisscom malware page is not even displayed.



This website has a form to report false positive.

Daniel



Thank you.



___
swinog mailing list -- swinog@lists.swinog.ch
To unsubscribe send an email to swinog-le...@lists.swinog.ch


--
Dr. Serge Droz
Member, FIRST Board of Directors
https://www.first.org
___
swinog mailing list -- swinog@lists.swinog.ch
To unsubscribe send an email to swinog-le...@lists.swinog.ch

[swinog] Re: Swisscom DNS issue: spectrum-conference.org wrongfully resolves to a bluewin address in swisscom mobile networks

[mail--- via swinog]

On https://www.swisscom.ch/de/privatkunden/hilfe/internet/url-checker.html you 
can check if a URL is blocked by Swisscom or not. Seems it‘s blocked because of 
«Malware Distribution»…
___
swinog mailing list -- swinog@lists.swinog.ch
To unsubscribe send an email to swinog-le...@lists.swinog.ch

[swinog] Re: Swisscom DNS issue: spectrum-conference.org wrongfully resolves to a bluewin address in swisscom mobile networks

[Marc Balmer via swinog]

> Am 23.04.2024 um 08:42 schrieb Daniel Stirnimann 
> :
> 
> Try http://195.186.208.193/


Thanks, Daniel, that worked!  Reporting it now.
___
swinog mailing list -- swinog@lists.swinog.ch
To unsubscribe send an email to swinog-le...@lists.swinog.ch

[swinog] Re: Swisscom DNS issue: spectrum-conference.org wrongfully resolves to a bluewin address in swisscom mobile networks

[Daniel Stirnimann via swinog]

Try http://195.186.208.193/

Daniel

On 23.04.2024 08:40, Marc Balmer wrote:



Swisscom returns this IP address for blocked domain names most likely because 
it assumes this website is compromised (phishing, malware).

If you visit this IP address in a web browser you are redirected to 
https://www.swisscom.ch/abuse-info

This website has a form to report false positive.



There is no such form.


___
swinog mailing list -- swinog@lists.swinog.ch
To unsubscribe send an email to swinog-le...@lists.swinog.ch

[swinog] Re: Swisscom DNS issue: spectrum-conference.org wrongfully resolves to a bluewin address in swisscom mobile networks

[Marc Balmer via swinog]

> Swisscom returns this IP address for blocked domain names most likely because 
> it assumes this website is compromised (phishing, malware).
> 
> If you visit this IP address in a web browser you are redirected to 
> https://www.swisscom.ch/abuse-info
> 
> This website has a form to report false positive.


There is no such form.

___
swinog mailing list -- swinog@lists.swinog.ch
To unsubscribe send an email to swinog-le...@lists.swinog.ch

[swinog] Re: Swisscom DNS issue: spectrum-conference.org wrongfully resolves to a bluewin address in swisscom mobile networks

[Marc Balmer via swinog]

> Swisscom returns this IP address for blocked domain names most likely because 
> it assumes this website is compromised (phishing, malware).
> 
> If you visit this IP address in a web browser you are redirected to 
> https://www.swisscom.ch/abuse-info

That explains.  From a technical point of view, that is one of the most stupid 
things one can possibly do.  Whoever invented this, has no clue how the web 
works:

1) I point my browser to https://spectrum-conference.org 
 (or any other domain where swisscom acts as 
the internet police)
2) Swisscom tampers with DNS and returns the address of one of their own servers
3) My browser opens a connection to it *and of course the website's HTTPS 
certificate does not match*
4) My browser shows an error message that a secure connection can not be made 
(at least all Apple device do this)
5) Swisscom malware page is not even displayed.

> 
> This website has a form to report false positive.
> 
> Daniel
> 

Thank you.


___
swinog mailing list -- swinog@lists.swinog.ch
To unsubscribe send an email to swinog-le...@lists.swinog.ch