Tuesday, March 17, 2009

A Host of Problems

Let's talk about the HOSTS file. Because it's such a technical topic, it causes all kinds of confusion for Online Armor users, especially when they're running other software such as Spybot, which writes entries into the hosts file.


Let's take a step back in history...

Once upon a time in the early days of the internet - before it was the internet, when it was called ARPANET - there was no such thing as DNS. The way you'd map from a human-readable name like "computer2" to an IP address like "192.168.0.51" was to write an entry in the HOSTS file on each computer, like this:

192.168.0.51 computer2

You'd write that entry on all 6 computers that made up the internet, and life was good, you could find things easily. Just type "Computer2" and the computer would look in the hosts file, and think "Aha, this pathetic human cannot remember 6 IP addresses - it wants to connect to 192.168.0.51"

Of course, there are a lot more than 6 computers on the internet now - so a new system was born - the DNS - which did the same sort of thing, but without having to copy and paste 400 million entries into the hosts files on 400 million computers. A lot more convenient.

Programmers, Network admins and the hosts file

Although the hosts file was mostly made extinct by the DNS system, certain folks still used it - mostly for practical jokes, or for testing websites. For example, if I were working on a new version of the site "www.tallemu.com" then I could write an entry in the hosts file on my computer and tell it to send requests for www.tallemu.com to my test server, not to the live server.

This made it easy to check that new versions worked as they should, without inconveniencing everyone on the internet. It also meant that you could play tricks on your colleagues by messing with their hosts file - redirecting their favorite timewasting site to a fake copy you'd set up on the company webserver, which would tell them to get back to work.


Bad things start to happen

There's a special address called the loopback address - 127.0.0.1 - what it means on any computer is basically "Me!!" - so, if I was running a webserver on my laptop to test sites I was developing, I could again write an entry in my HOSTS file and say that tallemu.com should go to 127.0.0.1 - which would mean my laptop. Again, I can use this to test.

Of course - most people don't run a webserver on their laptop. It would be crazy. In that situation, what happens to traffic that you redirect to 127.0.0.1? It just times out, and goes nowhere.

Malware writers know this - and if they write the domain names of your antivirus company into the hosts file, they can either redirect you to a server that they control - or - redirect it to your local, webserverless computer - in effect blocking the site. Naughty.

The good guys got onto this trick too. Of course, being good guys, they started to write lists of dangerous sites and point them to 127.0.0.1 - making them inaccessible if you accidentally went to that site, or went to a website that had references to those sites. In other words:

127.0.0.1 www.NeverGoHere.com

in your hosts file would usually mean you would never get to visit www.nevergohere.com - so it's a quick and dirty way of blocking a site.

Confusion Reigns!

This is where it gets confusing. When we released Online Armor, we were very worried about malware re-directing our users to fake banking sites using the hosts files, or by writing entries in the hosts file that were designed to deny people access to the sites that they wanted to visit, such as Antivirus companies.

To stop these attacks, we designed a nice system that controlled which entries are allowed to exist in the HOSTS file. The idea was simple - we'd pop up a warning that said words to the effect of "Hey! Something is trying to mess with your hosts file!" If you let it make the modification, it would be allowed; if you didn't, it would be blocked and automatically prevented from happening again. So if a bad guy wanted to write www.yourbank.com into the hosts file to trick you, you could say "Block" and it could never appear in the hosts file.

Makes perfect sense, right?

Unfortunately, what messes this up for everyone is that the good guys and the bad guys are using the same trick. So,

1) Your Anti-Spyware program writes www.nastysite.com into the HOSTS file with 127.0.0.1 - this would prevent your computer connecting to it.

2) Online Armor sees this and says "Hey, this is trying to update the hosts file man, you sure you wanna do that?" - and of course, you trust your Anti-Spyware program, so you allow it.

This then leads to the bizarre status of you having an entry in Online Armor for a bad site (pointing to 127.0.0.1) which is allowed. And that status being perfectly correct and safe.

What it actually means is that the entry is allowed to exist in the hosts file. The hosts file entry then does what it does.
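As an added example (written for this post; it is not Online Armor's code or its rule format), here is a small Python triage of hosts file entries that covers both the sinkhole entries described earlier and the allow/block bookkeeping just described. The sample hosts file, the list of "sensitive" names (your bank, your antivirus vendor) and the table of earlier user decisions are all constructed for illustration:

```python
"""Parse a hosts file and triage each entry the way a HIPS product has to
before it asks the user about a change. Example code for this post only."""
import ipaddress
from dataclasses import dataclass

# Constructed sample hosts file (not taken from any real machine).
SAMPLE_HOSTS = """\
# comment lines and trailing comments are ignored by the resolver
127.0.0.1       localhost
::1             localhost
192.168.0.51    computer2                  # the ARPANET-era use
10.0.0.5        www.tallemu.com            # developer pointing a site at a test server
127.0.0.1       www.nevergohere.com        # anti-spyware sinkhole entry
0.0.0.0         ads.example.invalid        # same idea, unspecified address
127.0.0.1       update.antivirus.example   # malware blocking the AV vendor
203.0.113.7     www.yourbank.example       # malware redirecting a bank
not-an-address  junk                       # malformed, skipped
"""

# Constructed: names the user cares about. Any hosts entry for one of these,
# sinkhole or redirect, is exactly the attack the post describes.
SENSITIVE_NAMES = {"www.yourbank.example", "update.antivirus.example"}

# Constructed stand-in for decisions the user already made at earlier prompts,
# keyed by (hostname, address). Values are "allow" or "block".
PRIOR_DECISIONS = {
    ("www.nevergohere.com", "127.0.0.1"): "allow",    # anti-spyware entry was allowed
    ("www.yourbank.example", "203.0.113.7"): "block",  # bank redirect was blocked
}


@dataclass(frozen=True)
class HostsEntry:
    address: str
    hostname: str
    line_no: int


def parse_hosts(text):
    """Return a HostsEntry for every address/name pair. Malformed lines are
    skipped, which is also what the resolver does with them."""
    entries = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments
        if not line:
            continue
        parts = line.split()
        try:
            addr = ipaddress.ip_address(parts[0])  # first field must be an IP
        except ValueError:
            continue
        for name in parts[1:]:  # one address may be followed by several names
            entries.append(HostsEntry(str(addr), name.lower(), line_no))
    return entries


def classify(entry):
    """'sinkhole' points the name at the local machine or at nowhere (blocking it),
    'redirect' points it at some other host, 'standard' is the localhost line."""
    addr = ipaddress.ip_address(entry.address)
    if entry.hostname == "localhost":
        return "standard"
    if addr.is_loopback or addr.is_unspecified:
        return "sinkhole"
    return "redirect"


def triage(entry, sensitive=SENSITIVE_NAMES, decisions=PRIOR_DECISIONS):
    """Return (category, verdict). The verdict is 'allowed' or 'blocked' when
    the user already decided about this exact entry, 'ask-high' for a new entry
    touching a sensitive name, and 'ask' for any other new entry."""
    category = classify(entry)
    prior = decisions.get((entry.hostname, entry.address))
    if prior == "allow":
        return category, "allowed"  # e.g. an allowed sinkhole: correct and safe
    if prior == "block":
        return category, "blocked"
    if category == "standard":
        return category, "allowed"
    if entry.hostname in sensitive:
        return category, "ask-high"
    return category, "ask"


def report(text=SAMPLE_HOSTS):
    """Map (hostname, address) -> (category, verdict) for every entry in text."""
    return {(e.hostname, e.address): triage(e) for e in parse_hosts(text)}


if __name__ == "__main__":
    for (name, addr), (category, verdict) in report().items():
        print(f"{addr:<16} {name:<28} {category:<9} {verdict}")
```

The point the post is making shows up in the output: www.nevergohere.com pointing at 127.0.0.1 comes back as a sinkhole that is "allowed", which is the correct and safe state, while the same 127.0.0.1 entry for the antivirus vendor is flagged for a careful look because of the name, not the address.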


I'm almost confused myself. We'll be trying to find a way to make this more understandable in future releases of Online Armor.
