Sunday, July 5, 2009

Redirecting Hosts Files

Proposed: that the term "blocking hosts files" be replaced with "redirecting hosts files", since redirecting is exactly what they do for most people.
After NoScript author Giorgio stated that the 127.0.0.1 in hosts files should be changed to 255.255.255.0, I felt I had to make some comments here. First, he intimated that we were blocking ads. The order of priority in my redirecting hosts file and PAC filter was the following hierarchy, highest first:
[1] Malware disseminating hosts, hosts that do cross domain cookie setting or something else bad.
[2] Hosts that are actively engaged in tracking
[3] Hosts serving pornography, since many of them also fall into category 1.
Since almost nobody used what I provided or gave feedback, I changed the order of priority to:
[1] Malware disseminating hosts, hosts that do cross domain cookie setting or something else bad.
[2] Hosts that are actively engaged in tracking
[3] Hosts pushing ads. For Firefox users I still recommend Adblock Plus (ABP) with the EasyList and EasyPrivacy subscriptions for this.
It isn't as drastic a change as it sounds. All of the porn patterns that had been identified as high risk, judged by the actual counts at MalwareDomainList and by the hosts.rsk file of my friend Airelle of France (http://rlwpx.free.fr/WPFF/hosts.htm), were retained in the PAC filter. Some had to be downgraded from URL rules to host rules (a host rule redirects everything from that host, whereas a URL rule only matches particular paths). Some of the remaining "porn" rules that still operate at the URL level may need to be downgraded in the future too, but I do subscribe to the NoScript philosophy of expressly disallow by default, whitelist by choice, especially when it comes to hosts that do some particularly nasty things.
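As an added example (not the author's actual PAC filter or hosts file), here is a PAC filter that applies the three categories above in the stated priority order and redirects every match to a phttpd on 127.0.0.1:80. The host names and URL globs are constructed placeholders under the reserved .example TLD; the `dnsDomainIs` and `shExpMatch` fallbacks are there only so the file also runs outside a browser, which supplies both functions itself.

```javascript
// Added example PAC filter; not the author's own filter. Host names are
// constructed placeholders under the reserved .example TLD.

// Browsers inject dnsDomainIs() and shExpMatch() into the PAC sandbox. The
// fallbacks below are used only when those are absent (e.g. running under
// node for testing) and follow the same semantics: dnsDomainIs is a plain
// suffix match, shExpMatch is a shell glob with * and ?.
var dnsDomainIs = (typeof dnsDomainIs === "function") ? dnsDomainIs :
  function (host, domain) {
    return host.length >= domain.length &&
           host.slice(host.length - domain.length) === domain;
  };
var shExpMatch = (typeof shExpMatch === "function") ? shExpMatch :
  function (str, shexp) {
    var re = "^" + shexp.replace(/[.+^${}()|[\]\\]/g, "\\$&")
                        .replace(/\*/g, ".*").replace(/\?/g, ".") + "$";
    return new RegExp(re).test(str);
  };

// Where matches go: the local phttpd. Only port 80, only plain HTTP is served.
var REDIRECT_TARGET = "PROXY 127.0.0.1:80";

// Categories in the post's priority order; the first category that matches
// wins, so a tracking host that also serves ads is reported as tracking.
// Host rules redirect everything from the host (leading dot = the domain and
// all of its subdomains; no dot = that exact name). URL rules are narrower.
var RULES = [
  { category: "malware",
    hosts: [".malware-drop.example", "cookie-sync.example"],
    urls: [] },
  { category: "tracking",
    hosts: [".tracker.example"],
    urls: ["http://*.cdn.example/track/*"] },
  { category: "ads",
    hosts: [".ads.example"],
    urls: ["http://*/banner/*"] }
];

function hostMatches(host, rule) {
  if (rule.charAt(0) === ".") {
    return host === rule.slice(1) || dnsDomainIs(host, rule);
  }
  // A bare name uses exact equality: dnsDomainIs is only a suffix test and
  // would also accept "notcookie-sync.example" for "cookie-sync.example".
  return host === rule;
}

// Returns the highest-priority category a request falls into, or null.
function classify(url, host) {
  host = host.toLowerCase();
  for (var i = 0; i < RULES.length; i++) {
    var r = RULES[i];
    for (var j = 0; j < r.hosts.length; j++) {
      if (hostMatches(host, r.hosts[j])) return r.category;
    }
    for (var k = 0; k < r.urls.length; k++) {
      if (shExpMatch(url, r.urls[k])) return r.category;
    }
  }
  return null;
}

// PAC entry point. Matches go to the phttpd. For an https URL the browser
// will send CONNECT to 127.0.0.1:80; a plain phttpd refuses that, so the
// request fails closed instead of reaching the host.
function FindProxyForURL(url, host) {
  return classify(url, host) === null ? "DIRECT" : REDIRECT_TARGET;
}
```

In a browser the file is used unchanged as the PAC; the fallbacks are never reached. Note the two things the example deliberately handles: bare host names are matched exactly rather than by suffix, and https URLs on listed hosts are still sent to the phttpd rather than going DIRECT, so that "nobody handles port 443" translates into a refused CONNECT rather than a successful connection to the bad host.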
Now, in addressing the change of 127.0.0.1 to 255.255.255.0, I have only the following to say: do not do it unless you are using one of the following to handle the redirected requests:
http://sysctl.org/cameleon/
http://preview.tinyurl.com/8ujj9j
http://preview.tinyurl.com/mavx9m
http://www.abelhadigital.com/ (has a program called hostssrv.exe)
http://www.securemecca.com/phttpd.html (only for 'nix machines, and I recommend Cameleon instead)
Almost everybody who uses some sort of redirection mechanism (hosts file, pseudo DNS server, PAC filter, etc.) uses one of these servers to handle the redirected requests. The exception is Adblock Plus, which does not redirect at all: rather than sending the request somewhere else, it strips the matching elements out of the page before passing it on to the browser. Of the servers above, the only one designed to listen on something other than 127.0.0.1 by default is Cameleon's phttpd. Mine can be made to do that, and could even be moved to a port other than 80, but I advise neither.

A port change would work only for the PAC filter, and only if the port in the PAC filter's PROXY setting is changed to match. A hosts file entry changes only the address a name resolves to, so the browser still connects to whatever port was in the URL. In other words, you are stuck with port 80. None of these servers handles port 443 or 8080 requests. Also, what I have is written in Perl (it is a true daemon, with the double fork and setsid), and in my opinion it is not up to handling a lot of requests safely. One wonders whether it is safe at all, being written in Perl, but I don't have time to write one in C, and one already exists; I just didn't know about it when I wrote mine.
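An added example of what such a phttpd has to do (this is not Cameleon's phttpd, the Perl daemon, or any of the listed programs): answer whatever the redirection delivers to 127.0.0.1:80 with a harmless response, and fail closed on anything it cannot serve. The 1x1 GIF and the block page are constructed; the `serve()` wrapper and its port/address arguments are this example's own, and binding port 80 needs root or administrator rights.

```javascript
// Added example of a phttpd-style responder; not any of the programs named
// in the post. Constructed 43-byte transparent 1x1 GIF so redirected image
// slots render blank instead of showing a broken-image icon.
var BLANK_GIF = Buffer.from(
  "R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAICRAEAOw==", "base64");
var BLOCK_PAGE = "<!DOCTYPE html><title>redirected</title>" +
                 "Request redirected to the local phttpd.";

// A hosts-file redirect leaves the request-target in origin form
// ("GET /x HTTP/1.1"). A PAC "PROXY 127.0.0.1:80" rule makes the browser send
// absolute form ("GET http://host/x HTTP/1.1") or, for https,
// "CONNECT host:443 HTTP/1.1" with an authority-form target.
function parseTarget(target) {
  if (/^https?:\/\//i.test(target)) {
    var m = target.match(/^https?:\/\/[^\/]+(\/.*)?$/i);
    return { form: "absolute", path: (m && m[1]) || "/" };
  }
  if (target.charAt(0) === "/") return { form: "origin", path: target };
  return { form: "authority", path: null };   // "host:port", used by CONNECT
}

// Decide the response for one request. Returns { status, contentType, body }.
function respond(method, target) {
  var t = parseTarget(target);
  // CONNECT asks us to tunnel TLS to the redirected host. A plain phttpd can
  // neither terminate TLS nor should it tunnel, so refuse: the browser shows
  // an error and the blocked host is never contacted (fails closed).
  if (method === "CONNECT" || t.form === "authority") {
    return { status: 403, contentType: "text/plain",
             body: Buffer.from("CONNECT refused by phttpd\n") };
  }
  var isImage = /\.(gif|png|jpe?g|webp|ico)$/i.test(t.path.split("?")[0]);
  return { status: 200,
           contentType: isImage ? "image/gif" : "text/html; charset=utf-8",
           body: isImage ? BLANK_GIF : Buffer.from(BLOCK_PAGE) };
}

// Minimal server around respond(). Node parses the request line for us and
// raises CONNECT as its own event, which we answer on the raw socket.
function serve(port, address) {
  var http = require("http");
  var server = http.createServer(function (req, res) {
    var r = respond(req.method, req.url);
    res.writeHead(r.status, { "Content-Type": r.contentType,
                              "Content-Length": r.body.length,
                              "Cache-Control": "no-store",
                              "Connection": "close" });
    res.end(req.method === "HEAD" ? undefined : r.body);
  });
  server.on("connect", function (req, socket) {
    var r = respond("CONNECT", req.url);
    socket.end("HTTP/1.1 " + r.status + " Forbidden\r\n" +
               "Content-Type: " + r.contentType + "\r\n" +
               "Content-Length: " + r.body.length + "\r\n" +
               "Connection: close\r\n\r\n" + r.body.toString());
  });
  server.listen(port, address);
  return server;
}

// Listen only on loopback; nothing on the LAN should be able to reach this.
if (typeof require !== "undefined" && require.main === module) {
  serve(80, "127.0.0.1");
}
```

The responder sends Cache-Control: no-store so that a blank GIF or block page is not cached against the real host's URL if the entry is later removed from the hosts file. Requests arriving for a redirected host on any port other than 80 never reach this code at all, which is the "stuck with port 80" point above.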
I propose the following change in terminology, knowing full well that the proposal will fail: from henceforth, blocking hosts files shall be known as redirecting hosts files, because with these phttpds in the picture that is precisely what they do.
Now, some may think I am angry with NoScript author Giorgio. I am not angry. I still recommend Firefox + NoScript, especially on Windows machines, to mitigate some of the problems people have. I still think it is overkill on 'nix machines, but the security hole opened up by using Privoxy + PAC filter, which allows unrestricted ftp access (and worms and other nasty stuff are now actively using ftp), leaves me no choice: I must recommend NoScript to Windows users. But there are times when you have hosts whose behaviour you don't merely want to restrict. You want no part of them! For those hosts a redirecting hosts file or a redirecting PAC filter is your only option, until somebody has the time and resources to shrink-wrap all of this into the broadband router, which is where it belongs, especially in a home situation.