THE FREE and enhanced DNS service provider OpenDNS had blocked last week access to one popular URL shortening service, cutting access to lots of legitimate content, and proving the pitfalls of web filtering based on whole host mames, rather than URLs, specially if it involves redirector services.
OpenDNS is one popular and free DNS service provider that is a good alternative to your Internet Service Provider’s DNS servers, as DNS is often a common point of failure at ISPs, and -depending on ISP size and location- those are often not fully patched up, making you vulnerable to MiM (man-in-the-middle) attacks as well. To make a long story short: OpenDNS rocks, this scribbler thinks.
On the other hand, HO.IO is one nifty URL shortening service operated by a bloke that goes by the name of Mark Warne. Mark lives in London and is the founder and chief head honcho at GigaTux, a new and promising hosting company with very innovative -yet affordable – virtual machine hosting (VPS) services based on Xen. Ho.io, being a relative newcomer to the URL shortening scene, has also lots of free names up for grabs to use with custom aliases (http://ho.io/yourname).
This scribbler is one of the happy users of the free and anonymous OpenDNS service. So, what happens when you use both OpenDNS and ho.io?. Well, a week ago, you got messages from OpenDNS claiming ho.io was a source of phishing. All requests for ho.io short URLs were greeted with OpenDNS’ phishing-intercept page that reads “Phishing site blocked” adding that “We prevented you from loading this page as part of our safer, faster, and smarter DNS service.”
That would be nice if it was true that the destination URL was a phishing site, but it wasn’t. See, OpenDNS in this case wasn’t preventing the destination URL from loading, but preventing you to load the short URL redirector in the first place. I can´t stress this enough: there is no way for a DNS server to know where a short URL will redirect to, until the service sends the destination -long- URL back to the browser.
OpenDNS provides what it calls “user Domain Tagging“, referred as “people-powered security”, or in the words of the firm the ability “for anyone to add (and tag) a domain, but it takes a community of accurate and active voters to include it in a category”. However, Phishing sites are identified according to submissions to Phishtank, also operated by OpenDNS and dubbed “the Internet’s largest clearinghouse of data about phishing scams”. Phishtank requires registration, as well as the domain tagging feature, which certainly might turn off users of the anonymous OpenDNS service.
See, there are two types of OpenDNS users, registered and anonymous, with anonymous you just change your operating system DNS configuration to OpenDNS´ primary and secondary servers and off you go, but the advanced features need registration, with the potential concerns about logging and privacy.
Regardless of the level of OpenDNS service you chose, this clearly shows a problem with OpenDNS labelling a URL shortening service like hot.io as “phishing”. It would be akin to labelling Google.com a source of spyware, without knowing where Google might end up leading the user to, after a web search.
Just for the record, the ho.io short URLs that this scribbler uses on a daily basis -until OpenDNS decided it knew best- were pretty harmless, these were created by yours truly to make it easier and faster to create new documents on Google Docs without clicking. -And you thought keyboard junkies were a thing of the past-.
Here are this scribbler´s ho.io short URLs -formerly blocked-, for your enjoyment and use:
New GDocs text document : ho.io/newdoc
New GDocs Spreadsheet: ho.io/newsheet
New GDocs Presentation: ho.io/newpres
New GDocs Form: ho.io/newform
Show GDocs Folders ho.io/folders
The target URLs of these redirectors are the internal URLs used by the Google Docs Ajax application to create every type of document in your Google Docs account -of course, you need to be already logged in with your Google Account for these to work-.
Mark from ho.io inmediately replied after we told him of this blocking incident and told TechEye: “I’ve now contacted OpenDNS and requested they remove ho.io from their phishing list”, and over the following weekend, while access was still blocked, he proceeded to test this scribbler´s set of ho.io redirectors -obviously he didn´t use OpenDNS so he was able to access them- and agreed there was nothing fishy or phishy about them: “Hey, that’s a pretty neat use of the redirector actually, and certainly quicker than using the mouse to create new documents etc.” was Mark’s reply. Ho.io was still blocked three days later and only by the fourh day -Tuesday morning- we found out that access was restored by OpenDNS.
Another domain name dubbed Mywot.com got into the same kind of predicament with having its whole domain blocked by OpenDNS recently. The question remains: is tagging whole domains as a source of phishing even a good idea to begin with?. OpenDNS seems to think so, but hey, at least they’ve got a whitelist that OpenDNS admins can manually add your honest, law-abiding domain name to, to prevent this sort of thing from happening again.
But one has to wonder: what about lost revenue (or visits) while your site stays blocked by OpenDNS?. There are literally hundreds of URL shortening services. A nice list of the TOP 50 such services can be found here.
We’ve asked OpenDNS head honcho David Ulevitch about this particular case, and if it wouldn´t make sense just to whitelist the top 50 known URL shorteners … he hasn’t replied yet but we’re sure he’ll be in touch soon.
And there is another annoyance with OpenDNS’ phishing warning page: there is a link that reads “click here” for reporting errors about blocked sites, yet clicking there with Mozilla based browser apparently does nothing, while in fact a form appears down the page, but outside the viewable area of the web page, so you have to notice that the scroll bar proportions have changed and scroll down to find the “hidden” entry form.
Too many annoyances for something that shouldn’t happen in the first place. We’re sure OpenDNS will take note and fix its otherwise great service.