The domain name spectrum-conference.org wrongfully resolves to 195.186.208.193 when queried from bluewin/swisscom mobile networks.
It is registered to 46.175.8.9, which is the correct address.
Please fix the swisscom/bluewin.ch DNS resolvers.
Swisscom returns this IP address for blocked domain names most likely because it assumes this website is compromised (phishing, malware).
If you visit this IP address in a web browser you are redirected to https://www.swisscom.ch/abuse-info
This website has a form to report false positives.
Daniel
On 22.04.2024 23:51, Marc Balmer via swinog wrote:
The domain name spectrum-conference.org wrongfully resolves to 195.186.208.193 when queried from bluewin/swisscom mobile networks.
It is registered to 46.175.8.9, which is the correct address.
Please fix the swisscom/bluewin.ch DNS resolvers.
swinog mailing list -- swinog@lists.swinog.ch To unsubscribe send an email to swinog-leave@lists.swinog.ch
Swisscom returns this IP address for blocked domain names most likely because it assumes this website is compromised (phishing, malware).
If you visit this IP address in a web browser you are redirected to https://www.swisscom.ch/abuse-info
That explains it. From a technical point of view, that is one of the most stupid things one can possibly do. Whoever invented this has no clue how the web works:
1) I point my browser to https://spectrum-conference.org (or any other domain where Swisscom acts as the internet police)
2) Swisscom tampers with DNS and returns the address of one of their own servers
3) My browser opens a connection to it *and of course the website's HTTPS certificate does not match*
4) My browser shows an error message that a secure connection cannot be made (at least all Apple devices do this)
5) Swisscom's malware page is not even displayed.
This website has a form to report false positives.
Daniel
Thank you.
It's actually a pretty smart and light way of protecting the majority of users from malware. And yes, there will always be false positives.
And yes, it's sad we have to do this, but that's mostly because our industry, despite promising the contrary for years, doesn't seem to be able to offer secure services and products.
The fact is that states are getting fed up with this and will start legislating because we keep making empty promises and tell them they are stupid.
You don't have to believe me, but maybe you listen to John Curran: https://www.youtube.com/watch?v=U1Ip39Qv-Zk
Sorry for the rant, but I feel your reply is condescending and uninformed. Just throwing around words like "internet police" etc doesn't solve anything.
Best Serge
On 23.04.24 08:38, Marc Balmer via swinog wrote:
Swisscom returns this IP address for blocked domain names most likely because it assumes this website is compromised (phishing, malware).
If you visit this IP address in a web browser you are redirected to https://www.swisscom.ch/abuse-info
That explains it. From a technical point of view, that is one of the most stupid things one can possibly do. Whoever invented this has no clue how the web works:
1) I point my browser to https://spectrum-conference.org (or any other domain where Swisscom acts as the internet police)
2) Swisscom tampers with DNS and returns the address of one of their own servers
3) My browser opens a connection to it *and of course the website's HTTPS certificate does not match*
4) My browser shows an error message that a secure connection cannot be made (at least all Apple devices do this)
5) Swisscom's malware page is not even displayed.
This website has a form to report false positives.
Daniel
Thank you.
On 23.04.2024 at 08:51, Serge Droz via swinog swinog@lists.swinog.ch wrote:
It's actually a pretty smart and light way of protecting the majority of users from malware. And yes, there will always be false positives.
And yes, it's sad we have to do this, but that's mostly because our industry, despite promising the contrary for years, doesn't seem to be able to offer secure services and products.
The fact is that states are getting fed up with this and will start legislating because we keep making empty promises and tell them they are stupid.
You don't have to believe me, but maybe you listen to John Curran: https://www.youtube.com/watch?v=U1Ip39Qv-Zk
Sorry for the rant, but I feel your reply is condescending and uninformed. Just throwing around words like "internet police" etc doesn't solve anything.
Did you understand the technical issue this approach has? Certificates don’t match, that is the issue.
Yes, I understand the technical issues. And yes it's ugly. But do you have a better solution?
On 23.04.24 08:53, Marc Balmer wrote:
On 23.04.2024 at 08:51, Serge Droz via swinog swinog@lists.swinog.ch wrote:
It's actually a pretty smart and light way of protecting the majority of users from malware. And yes, there will always be false positives.
And yes, it's sad we have to do this, but that's mostly because our industry, despite promising the contrary for years, doesn't seem to be able to offer secure services and products.
The fact is that states are getting fed up with this and will start legislating because we keep making empty promises and tell them they are stupid.
You don't have to believe me, but maybe you listen to John Curran: https://www.youtube.com/watch?v=U1Ip39Qv-Zk
Sorry for the rant, but I feel your reply is condescending and uninformed. Just throwing around words like "internet police" etc doesn't solve anything.
Did you understand the technical issue this approach has? Certificates don’t match, that is the issue.
Hi,
On Tue, Apr 23, 2024 at 08:55:49AM +0200, Serge Droz via swinog wrote:
Yes, I understand the technical issues. And yes it's ugly.
It's not "ugly", it's outright failing to achieve anything, except signal "things are not working". Why have a report form at all if it cannot be loaded due to certificate mismatch? The world is no longer HTTP-only...
But do you have a better solution?
Since this is not a "solution", just a new sort of problem, it doesn't even qualify for a comparison.
Gert Doering -- NetMaster
On Tue, 23 Apr 2024 08:59:07 +0200 Gert Doering via swinog swinog@lists.swinog.ch wrote:
On Tue, Apr 23, 2024 at 08:55:49AM +0200, Serge Droz via swinog wrote:
Yes, I understand the technical issues. And yes it's ugly. But do you have a better solution?
Since this is not a "solution", just a new sort of problem, it doesn't even qualify for a comparison.
Even IF it had a relevant impact on the spread of malware (and I agree with you that it definitely CAN'T), triggering actions that you CAN'T know the further consequences of is not a good idea.
And furthermore, breaking protocols is usually an approach to do as much damage as you want. It is not technically intended for providers to do this. There is no interface to indicate that you are bending DNS for security reasons.
In the end, this is just another approach to justify interfering with the network. Once the lever has been successfully applied because of cybercrime or malware, this will be extended more and more politically. All experience to date simply shows that.
The Russians are evil? So block the network. The Chinese are evil? So network blocking. Wikileaks is evil? Network blocking. Because the users are poor sheep that we have to protect from evil information. And it's not the users who decide what information is evil.
Best Regards Oli
On 23.04.2024 at 08:55, Serge Droz via swinog swinog@lists.swinog.ch wrote:
Yes, I understand the technical issues. And yes it's ugly. But do you have a better solution?
Swisscom should stop tampering with DNS, as it does not work, and is no solution to the problem.
Part of the problem is that the user doesn't get an error message at all, and then mails us "hey, your website is down".
Yes, I understand the technical issues. And yes it's ugly. But do you have a better solution?
Swisscom should stop tampering with DNS, as it does not work, and is no solution to the problem.
I disagree, Swisscom still misses a lot of phishing and malware websites. I would like them to be way more aggressive. Their support staff has to deal with calls from infected customers. They might as well try as well as possible to prevent it from happening in the first place. If you belong to the <0.1% of people who want unfiltered DNS, just run your recursive resolver.
Part of the problem is that the user doesn't get an error message at all, and then mails us "hey, your website is down".
Eventually, web browsers will show better responses for non-resolvable domain names, e.g. by utilizing Extended DNS Errors (RFC 8914).
EDE has code points for filtered or blocked DNS responses. Until web browsers care more about DNS, I advise being as verbose as possible when you block something.
For example, make the DNS output more verbose so that at least administrators realize why a domain name is blocked. Swisscom could have used a CNAME in the answer section to blocked.swisscom.com and they could also add an additional section with a SOA indicating the origin of the blocking. The RNAME field could be their report false positive email address and so on.
Daniel
As a former malware researcher: no, this is not an ideal solution. Yes, we don't have anything better (well, there is the Google Safe Browsing list which most of the major browsers use). And, yes, it is a widely used method and it's effective.
Attila
On Tue, Apr 23, 2024 at 9:34 AM Daniel Stirnimann via swinog swinog@lists.swinog.ch wrote:
Yes, I understand the technical issues. And yes it's ugly. But do you have a better solution?
Swisscom should stop tampering with DNS, as it does not work, and is no solution to the problem.
I disagree, Swisscom still misses a lot of phishing and malware websites. I would like them to be way more aggressive. Their support staff has to deal with calls from infected customers. They might as well try as well as possible to prevent it from happening in the first place. If you belong to the <0.1% of people who want unfiltered DNS, just run your recursive resolver.
Part of the problem is that the user doesn't get an error message at all, and then mails us "hey, your website is down".
Eventually, web browsers will show better responses for non-resolvable domain names, e.g. by utilizing Extended DNS Errors (RFC 8914).
EDE has code points for filtered or blocked DNS responses. Until web browsers care more about DNS, I advise being as verbose as possible when you block something.
For example, make the DNS output more verbose so that at least administrators realize why a domain name is blocked. Swisscom could have used a CNAME in the answer section to blocked.swisscom.com and they could also add an additional section with a SOA indicating the origin of the blocking. The RNAME field could be their report false positive email address and so on.
Daniel
I disagree. It's not Swisscom's role to censor the internet. Even if the idea might be honorable, to keep the bad guys out, the machinery put in place is resulting in something which will be abused for political agendas. Given Swisscom is state owned, the risk is even higher. It's a risk to democracy you should not underestimate. Maybe you are too young, but you should read George Orwell's 1984 to see where this is going. I have been an indirect victim of a blocking which cost me 10 years in a court case and legal fees of half a million stacking up. You can not imagine what political blocking can do to your business. And here we have Swisscom putting a machinery in place that politicians can just ask for at the click of a button. Now don't tell me they will not use this powerful weapon one day against someone whose political views they don't like. Totalitarian states do it already to a certain extent (Russia, Turkmenistan, US, Iran, middle east, Turkey...)
On 23.04.2024 at 11:34, Daniel Stirnimann via swinog swinog@lists.swinog.ch wrote:
Yes, I understand the technical issues. And yes it's ugly. But do you have a better solution?
Swisscom should stop tampering with DNS, as it does not work, and is no solution to the problem.
I disagree, Swisscom still misses a lot of phishing and malware websites. I would like them to be way more aggressive. Their support staff has to deal with calls from infected customers. They might as well try as well as possible to prevent it from happening in the first place. If you belong to the <0.1% of people who want unfiltered DNS, just run your recursive resolver.
Part of the problem is that the user doesn't get an error message at all, and then mails us "hey, your website is down".
Eventually, web browsers will show better responses for non-resolvable domain names, e.g. by utilizing Extended DNS Errors (RFC 8914).
EDE has code points for filtered or blocked DNS responses. Until web browsers care more about DNS, I advise being as verbose as possible when you block something.
For example, make the DNS output more verbose so that at least administrators realize why a domain name is blocked. Swisscom could have used a CNAME in the answer section to blocked.swisscom.com and they could also add an additional section with a SOA indicating the origin of the blocking. The RNAME field could be their report false positive email address and so on.
Daniel
But you know that it is already daily business that Swiss ISPs are blocking websites?
Just an example: https://www.esbk.admin.ch/esbk/de/home/illegalesspiel/zugangssperren.html https://abuse.ch/
I have already had requests from customers to grant them access to phishing sites, just so they can enter their usernames and passwords (facepalm)... Then phishing and malware is one thing, but there are also connections to botnets which are used for DDoS etc., so it is also a precaution for ISPs to protect themselves (infrastructure, IP reputation and so on).
Use other DNS-Servers if you want to be "free", but accept the risk.
On 23.04.2024 at 09:45, Andreas Fink via swinog wrote:
I disagree. It's not Swisscom's role to censor the internet. Even if the idea might be honorable, to keep the bad guys out, the machinery put in place is resulting in something which will be abused for political agendas. Given Swisscom is state owned, the risk is even higher. It's a risk to democracy you should not underestimate. Maybe you are too young, but you should read George Orwell's 1984 to see where this is going. I have been an indirect victim of a blocking which cost me 10 years in a court case and legal fees of half a million stacking up. You can not imagine what political blocking can do to your business. And here we have Swisscom putting a machinery in place that politicians can just ask for at the click of a button. Now don't tell me they will not use this powerful weapon one day against someone whose political views they don't like. Totalitarian states do it already to a certain extent (Russia, Turkmenistan, US, Iran, middle east, Turkey...)
On 23.04.2024 at 11:34, Daniel Stirnimann via swinog swinog@lists.swinog.ch wrote:
Yes, I understand the technical issues. And yes it's ugly. But do you have a better solution?
Swisscom should stop tampering with DNS, as it does not work, and is no solution to the problem.
I disagree, Swisscom still misses a lot of phishing and malware websites. I would like them to be way more aggressive. Their support staff has to deal with calls from infected customers. They might as well try as well as possible to prevent it from happening in the first place. If you belong to the <0.1% of people who want unfiltered DNS, just run your recursive resolver.
Part of the problem is that the user doesn't get an error message at all, and then mails us "hey, your website is down".
Eventually, web browsers will show better responses for non-resolvable domain names, e.g. by utilizing Extended DNS Errors (RFC 8914).
EDE has code points for filtered or blocked DNS responses. Until web browsers care more about DNS, I advise being as verbose as possible when you block something.
For example, make the DNS output more verbose so that at least administrators realize why a domain name is blocked. Swisscom could have used a CNAME in the answer section to blocked.swisscom.com and they could also add an additional section with a SOA indicating the origin of the blocking. The RNAME field could be their report false positive email address and so on.
Daniel
Hello,
On Tue, Apr 23, 2024 at 10:04:14AM +0200, Stefan via swinog wrote:
But you know that it is already daily business that Swiss ISP's are blocking websites?
One of the examples you give was voted on by the Swiss people (casino blocking). ISPs have no say in that matter. Some countries go way further in blocking "content" (as was mentioned on the list earlier).
But here, we are discussing additional security measures that some ISPs, including Swisscom, are taking: Swiss people did not vote yet about blocking malware.
And Swisscom also blocks / intercepts / redirects SMTP for quite a few years now, for end users. On port 25 (not on 587 nor 465 AFAIK). I think they are pretty unique in that aspect (other ISPs usually simply block incoming port 25, they don't AFAIK filter out outgoing).
Use other DNS-Servers if you want to be "free", but accept the risk.
That could be a solution: an opt-out. It *seems* to me that Sunrise, e.g., actually even offers an opt-in, as their firewalling service is usually valued at 5 CHF/month but in essence free to the end user (not sure what it really does) and can be refused when ordering.
In my opinion, the most important thing is that the blocking be documented to the end-user, even on every month's invoice, and that opt-out (or opt-in) be offered for everything that is not compulsory by law.
Have a nice day.
It would only be fair if Swisscom declared their offer not to be "internet" but some "protected network connectivity including part of the internet". At least then the end user can decide. I don't think their concept is compatible with net neutrality otherwise.
And you can not opt-in or opt-out if you are not aware.
On 23 Apr 2024, at 12:30, Marc SCHAEFER via swinog swinog@lists.swinog.ch wrote:
Hello,
On Tue, Apr 23, 2024 at 10:04:14AM +0200, Stefan via swinog wrote:
But you know that it is already daily business that Swiss ISP's are blocking websites?
One of the examples you give was voted on by the Swiss people (casino blocking). ISPs have no say in that matter. Some countries go way further in blocking "content" (as was mentioned on the list earlier).
But here, we are discussing additional security measures that some ISPs, including Swisscom, are taking: Swiss people did not vote yet about blocking malware.
And Swisscom also blocks / intercepts / redirects SMTP for quite a few years now, for end users. On port 25 (not on 587 nor 465 AFAIK). I think they are pretty unique in that aspect (other ISPs usually simply block incoming port 25, they don't AFAIK filter out outgoing).
Use other DNS-Servers if you want to be "free", but accept the risk.
That could be a solution: an opt-out. It *seems* to me that Sunrise, e.g., actually even offers an opt-in, as their firewalling service is usually valued at 5 CHF/month but in essence free to the end user (not sure what it really does) and can be refused when ordering.
In my opinion, the most important thing is that the blocking be documented to the end-user, even on every month's invoice, and that opt-out (or opt-in) be offered for everything that is not compulsory by law.
Have a nice day.
Part of the problem is that the user doesn't get an error message at all, and then mails us "hey, your website is down".
Also throwing in my 2 rappen:
User notices: Provider DNS is misbehaving, blames Provider, and uses DNS of Google / Cloudflare feeding them valuable personal data.
But no, I have no solution either.
Kind regards
-Benoît Panizzon-
So you are saying that relying on the provider DNS and having to use it instead of other public (non-modifying) DNS servers will not feed the internet provider with this "valuable personal data"? Also, are you saying that the user shouldn't use any public, non-modified DNS servers, just for that fact? Are you implementing the same measures as Swisscom?
Hi
So you are saying that relying on the provider DNS and having to use it instead of other public (non-modifying) DNS servers will not feed the internet provider with this "valuable personal data"?
There are privacy laws in place. I would not consider this good practice. I don't think (maybe I'm mistaken) that an ISP would have any benefit from collecting and analyzing such data. Selling / using such data for marketing would probably clash with privacy laws. Disclaimer: IANAL.
Also, are you saying that the user shouldn't use any public, non-modified DNS servers, just for that fact? Are you implementing the same measures as Swisscom?
There are legal requirements regarding DNS which OFCOM-registered TSPs have to follow.
So, yes, I understand every nerd who operates their own DNS server to avoid their personal data being used by the 'big ones' and to get 'free' access to the whole internet, but I don't understand why customers would want to use 8.8.8.8 or 1.1.1.1 instead of their provider's DNS for those reasons.
Kind regards
-Benoît Panizzon-
I find your last statement very ironic.
There are valid reasons for using a different server than the ISP-provided ones. Whether it's latency, deciding (as mentioned before) who gets to have access to the "valuable personal information", or simply distrusting the ISP, as any ISP could "unintentionally" or intentionally do the same as Swisscom has done here. That wouldn't collide with privacy laws in any way.
ISP XYZ could say: Well, that website is "dangerous for our users", let's send it to our blackhole / blocking "service"!
-> And then the ISP wonders why users are switching DNS Servers?
Matter of fact! That's what it looks like IMP is also (at least attempting to be) doing. (blocklist.imp.ch)
This is the exact same behaviour as Swisscom in this case.
Getting back on topic, there are many valid reasons. The provider in this case shouldn't judge this user behaviour. Users are totally free to use their own or public large DNS servers to avoid ISP blocking.
Hi Samuel
Matter of fact! That's what it looks like IMP is also (at least attempting to be) doing. (blocklist.imp.ch)
I don't know this host.
https://refused.breitband.ch/ here you go, not a secret. Legal background explained.
This is the exact same behaviour as Swisscom in this case.
As required by law, implemented as (broken as) requested. Not a secret, all Swiss ISP are affected.
Kind regards
-Benoît Panizzon-
That's the legal aspect of things. That is of course totally normal. Every ISP has to follow that. Blocking other sites at your own will, just like Swisscom is doing here, is not.
Users that simply do not wish to be blocked by your blocking service for "gambling", or those that simply do not trust your DNS servers, should still be free to use public DNS servers.
That still does not answer why you as an ISP try to convince your customers not to use public DNS servers, or "do not see a reason" in them doing so.
Hi Samuel
That still does not answer why you as an ISP try to convince your customers not to use public DNS servers, or "do not see a reason" in them doing so.
Let's see... why would those companies operate those public DNS Servers 'for free'? Nothing's free, right? Probably they get some benefit of it...
Kind regards
-Benoît Panizzon-
Public DNS providers could possibly abuse their position and see what users of it are doing on the internet. It's different though, because a public DNS provider cannot see exactly who the user is; they could take a good guess at it, but it's not always certain. ISPs (at least Swiss providers) have logs of IPs to customers. This would allow the ISP to see exactly what customer XYZ is doing on the internet. Even if it's not permitted by privacy laws, what stops the provider from accessing it? Public providers could do the same, but they most definitely do not know the exact name, address and other details about the customer, as the ISP can.
I could hack your computer and spy on you. Even if it's not permitted by laws, what stops me from doing it?
From: Samuel B. via swinog swinog@lists.swinog.ch
Sent: Tuesday, 23 April 2024 12:43
To: swinog@lists.swinog.ch
Subject: [swinog] Re: Swisscom DNS issue: spectrum-conference.org wrongfully resolves to a bluewin address in swisscom mobile networks
Public DNS providers could possibly abuse their position and see what users of it are doing on the internet. It's different though, because a public DNS provider cannot see exactly who the user is; they could take a good guess at it, but it's not always certain. ISPs (at least Swiss providers) have logs of IPs to customers. This would allow the ISP to see exactly what customer XYZ is doing on the internet. Even if it's not permitted by privacy laws, what stops the provider from accessing it? Public providers could do the same, but they most definitely do not know the exact name, address and other details about the customer, as the ISP can.
On Tue, 23 Apr 2024 08:51:41 +0200 Serge Droz via swinog swinog@lists.swinog.ch wrote:
It's actually a pretty smart and light way of protecting the majority of users from malware. And yes, there will always be false positives.
Do you plan to compensate financial losses through that behaviour, i.e. you block a webshop, a bank, an insurance?
Do you plan to compensate health issues through that behaviour, i.e. you block an important health service?
Do you plan to compensate social issues through that behaviour, i.e. you block an important social service, maybe a forum for unstable personalities, who rely on that platform? Maybe to avoid suicide?
Are you sure that this mechanism is "smart"? Maybe protection against malware is less important than you think when you don't know the consequences of your actions.
Best Regards Oli
Swisscom returns this IP address for blocked domain names most likely because it assumes this website is compromised (phishing, malware).
If you visit this IP address in a web browser you are redirected to https://www.swisscom.ch/abuse-info
This website has a form to report false positives.
There is no such form.
Daniel
On 23.04.2024 08:40, Marc Balmer wrote:
Swisscom returns this IP address for blocked domain names most likely because it assumes this website is compromised (phishing, malware).
If you visit this IP address in a web browser you are redirected to https://www.swisscom.ch/abuse-info
This website has a form to report false positives.
There is no such form.
On 23.04.2024 at 08:42, Daniel Stirnimann daniel.stirnimann@switch.ch wrote:
Thanks, Daniel, that worked! Reporting it now.
On https://www.swisscom.ch/de/privatkunden/hilfe/internet/url-checker.html you can check if a URL is blocked by Swisscom or not. Seems it's blocked because of «Malware Distribution»…