URLs, IPs and interception
James Cox
ukcrypto at chiark.greenend.org.uk
Sat, 1 Mar 2008 03:34:23 +0000
On 1 Mar 2008, at 00:41, Chris Edwards wrote:
> On Fri, 29 Feb 2008, James Cox wrote:
>
> | they actually dropped them? my parents are still on an ntl/virgin line and
> | report behavior which is classically symptomatic of a transparent cache.
>
> Web requests used to hit the Internet with a src-addr not our own IP, and
> with DNS hostname like yyyy-cache-x.server.ntli.net. Nowadays, our web
> requests come from our own IP addr. Plus, a port 80 tcptraceroute looks
> normal.
>
> This since easter 2007 for cablemodems in Glasgow - I believe same
> happened for NTL / virgin cablemodems elsewhere at similar time.
well, my experience with NTL is that no region was ever the same,
something driven by their acquisition-rather-than-deploy strategy. I
wouldn't argue that they had actually duplicated the same experience
everywhere.
> It's theoretically possible they somehow made the transparent caches a lot
> more transparent. But all the tests I can think of suggest they simply
> removed them, leaving a clear path on TCP port 80. As Ian says, caching
> is almost worthless nowadays.
well the best test you can do is ping every ip on a standard
traceroute till the first one you can safely say is outside of ntl's
remit. then, request port 80 and 8080 and 443 on each. if any of them
come back, do a head on them to see what they turn up.
it's pretty easy now to make proxies properly masquerade as the user
they are acting on behalf of...
>
> That said, I think a lot of enterprises have kept their proxy caches, for
> command+control reasons (e.g. blocking malware) plus the HR dept like the
> URL log - which can be enabled on a private network by RIPA + LBPR.
>
... actually the main reason is to block access to sites they don't
want to allow people to visit. This is particularly relevant to any
FSA controlled business, where everything from facebook to gmail is
blocked, mostly to prevent the potential for flow of information to
people who aren't allowed to know it, therefore protecting against
insider trading, etc.
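The thread above names three pieces of evidence for a transparent cache on the path: the web server seeing a source address that is not your own, a cache-like reverse DNS name on that address, and what a HEAD request turns up. The following is an added example, not code from the post or from anyone on the list, that scores those indicators from constructed observations; the header list and hostname pattern are assumptions, and the "seen source IP" is assumed to come from an echo service you control.

```python
import re
from typing import Dict, List

# Reverse-DNS names that look like an ISP cache box, in the style of
# yyyy-cache-x.server.ntli.net from the thread (assumed pattern, not exhaustive).
CACHE_HOST_RE = re.compile(r"(^|[.-])(cache|proxy|wccp)([.-]|$)", re.IGNORECASE)
# Response headers a cache or proxy commonly adds (assumed list, not exhaustive).
PROXY_HEADERS = ("via", "x-cache", "x-cache-lookup", "x-forwarded-for", "x-squid-error")


def interception_indicators(own_ip: str, seen_src_ip: str, seen_src_rdns: str,
                            head_headers: Dict[str, str]) -> List[str]:
    """Return every piece of evidence that a transparent cache sits on the path.

    own_ip       - the public address your modem was assigned
    seen_src_ip  - the source address an echo server you control saw on port 80
    seen_src_rdns- reverse DNS of seen_src_ip ('' if none)
    head_headers - headers returned to a HEAD request through the same path
    """
    findings: List[str] = []
    if seen_src_ip != own_ip:
        findings.append(f"src-addr mismatch: server saw {seen_src_ip}, we are {own_ip}")
    if seen_src_rdns and CACHE_HOST_RE.search(seen_src_rdns):
        findings.append(f"cache-like reverse DNS: {seen_src_rdns}")
    for name, value in head_headers.items():
        if name.lower() in PROXY_HEADERS:
            findings.append(f"proxy header {name}: {value}")
    return findings


# Constructed samples (documentation address ranges, made-up hostnames).
OLD_STYLE_CACHE = dict(own_ip="203.0.113.10", seen_src_ip="198.51.100.5",
                       seen_src_rdns="yyyy-cache-x.server.example.net",
                       head_headers={"Server": "Apache", "Via": "1.0 proxy-1 (squid)"})
CLEAR_PATH = dict(own_ip="203.0.113.10", seen_src_ip="203.0.113.10",
                  seen_src_rdns="host-10.example.net",
                  head_headers={"Server": "Apache"})

if __name__ == "__main__":
    for label, obs in (("old-style cache", OLD_STYLE_CACHE), ("clear path", CLEAR_PATH)):
        print(label, "->", interception_indicators(**obs) or ["no indicators"])
```

A well-masqueraded proxy, as the post notes, can defeat the first two checks, so an empty result is absence of evidence rather than proof of a clear path.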