Discussion:
node red, and black is wonky
Daniel Johnson
2008-03-31 23:49:05 UTC
I don't know what is up with node red, and black, but every time I use
it I have a lot of frustration. I usually set /etc/resolv.conf on my
laptop to use bind running on my laptop to avoid DNS problems, and I
will randomly get terms of service agreement pages instead of just
once when signing on. This causes a lot of problems with ajax sites
as it seems to be replacing the XML feed that the javascript is
expecting with the service agreement page. It leads to continuous
popups that make it hard to even close the tab.

example message
"This web page is being redirected to a new location. Would you like
to resend the form data you have typed to the new location?"

Of course that also kinda looks like a man in the middle attack. I
could potentially help someone debug...
--
teknotus
Take Notice
(503) 409-1735
--
The Personal Telco Project - http://www.personaltelco.net/
Donate to PTP: http://www.personaltelco.net/donate
Un/Subscribe: http://lists.personaltelco.net/mailman/listinfo/general/
Archives: http://news.gmane.org/gmane.network.wireless.portland.general/
Etiquette: http://www.personaltelco.net/index.cgi/MailingListEtiquette
Tyler Booth
2008-04-01 17:25:11 UTC
Sounds like your bind is caching the IP of the captive portal in place
of the ajax site you're expecting to see.

Try flushing your bind cache? The captive portal shouldn't care what
DNS server you're using.

Tyler Booth // President
ph. 503.548.2000 | fx. 503.548.2002
921 SW Washington St, Suite 224
Portland OR 97205
Alan
2008-04-01 17:29:55 UTC
Post by Tyler Booth
Sounds like your bind is caching the IP of the captive portal in place
of the ajax site you're expecting to see.
Try flushing your bind cache? The captive portal shouldn't care what
DNS server you're using.
Check to see if you have "caching-nameserver" installed. If you do,
uninstall it. That seems to cause all sorts of weird problems. (At least
for me.)
Daniel Johnson
2008-04-01 18:43:44 UTC
Sounds like your bind is caching the IP of the captive portal in place of
the ajax site you're expecting to see.
Try flushing your bind cache? The captive portal shouldn't care what DNS
server you're using.
No, my laptop wasn't using the local DNS until I told it to in an
attempt to get around the wonkiness. I used to have a lot of problems
with the Actiontec DSL wireless routers that Qwest gave away for a
long time. When connecting to one from Linux it would give crazy DNS
results unless you turned off the IPv6 stack for some reason. So I
had bind running as a backup, but bind wouldn't resolve anything
unless I manually edited /etc/resolv.conf to use it instead of the
nameservers set by DHCP. So it was wonky before I tried changing to
my own private DNS server as a possible way to fix it. Bind shouldn't
have cached any DNS records that the captive portal was serving up
unless it has a firewall rule that sucked up DNS requests to the root
nameservers.

It seemed much more like it was randomly turning on a transparent
proxy than playing with DNS records.
--
teknotus
Take Notice
(503) 409-1735
Russell Senior
2008-04-04 19:23:24 UTC
Daniel> I don't know what is up with node red, and black, but every
Daniel> time I use it I have a lot of frustration. I usually set
Daniel> /etc/resolv.conf on my laptop to use bind running on my laptop
Daniel> to avoid DNS problems, and I will randomly get terms of
Daniel> service agreement pages instead of just once when signing on.
Daniel> This causes a lot of problems with ajax sites as it seems to
Daniel> be replacing the XML feed that the javascript is expecting
Daniel> with the service agreement page. It leads to continuous
Daniel> popups that make it hard to even close the tab.

Daniel> example message "This web page is being redirected to a new
Daniel> location. Would you like to resend the form data you have
Daniel> typed to the new location?"

Daniel> Of course that also kinda looks like a man in the middle
Daniel> attack. I could potentially help someone debug...

I got another similar report from another one of our wifidog nodes. I
went to Red & Black yesterday to see if I could observe the problem.
I was there for an hour and it worked perfectly for me. I did have an
irc session open, so there was traffic moving over my session.
Perhaps that isn't the case for you. While I was there I managed to
set up a port forward so we can remote admin our access point.

Can you give me more details about your OS, radio hardware and
behavior that might help to narrow down the problem?
--
Russell Senior, Secretary
russell-LS+HbC+***@public.gmane.org
Daniel Johnson
2008-04-04 19:59:07 UTC
On Fri, Apr 4, 2008 at 12:23 PM, Russell Senior
Post by Russell Senior
I got another similar report from another one of our wifidog nodes. I
went to Red & Black yesterday to see if I could observe the problem.
I was there for an hour and it worked perfectly for me. I did have an
irc session open, so there was traffic moving over my session.
Perhaps that isn't the case for you. While I was there I managed to
set up a port forward so we can remote admin our access point.
Can you give me more details about your OS, radio hardware and
behavior that might help to narrow down the problem?
I think it is this
http://www.netgate.com/product_info.php?cPath=26_34&products_id=126
I got a recommendation from this mailing list in November.

It says this on the email netgate sent me
1 x 5004 MP Atheros 4G / CM9: 802.11a/b/g miniPCI Card (5004 MP
ATHEROS 4G) = $40.00

lspci -l says
02:02.0 Ethernet controller: Atheros Communications, Inc.
AR5212/AR5213 Multiprotocol MAC/baseband processor (rev 01)
Subsystem: Wistron NeWeb Corp. CM9 Wireless a/b/g MiniPCI Adapter
Flags: bus master, medium devsel, latency 168, IRQ 11
Memory at d0200000 (32-bit, non-prefetchable) [size=64K]
Capabilities: [44] Power Management version 2

I'm running Ubuntu 7.10 with NetworkManager managing wifi. It works
almost everywhere very reliably. At the iinet colocation facility it
doesn't work at all when people with Windows, and MacOS have no
problem. At Red, and Black it works, but with weird wonkiness.

The next time I am at Red, and Black I can give you more details about
behavior.
--
teknotus
Take Notice
(503) 409-1735
Russell Senior
2008-04-04 20:35:59 UTC
Daniel> I'm running Ubuntu 7.10 with NetworkManager managing wifi.
Daniel> It works almost everywhere very reliably. At the iinet
Daniel> colocation facility it doesn't work at all when people with
Daniel> Windows, and MacOS have no problem. At Red, and Black it
Daniel> works, but with weird wonkiness.

Daniel> The next time I am at Red, and Black I can give you more
Daniel> details about behavior.

What you are describing *sounds* like the captive portal (in this
case, wifidog) is timing out your session after some-amount-of-time
and redirecting you to the splash page again. Does that sound right
to you?
--
Russell Senior, Secretary
russell-LS+HbC+***@public.gmane.org
Daniel Johnson
2008-04-04 20:40:46 UTC
Post by Russell Senior
What you are describing *sounds* like the captive portal (in this
case, wifidog) is timing out your session after some-amount-of-time
and redirecting you to the splash page again. Does that sound right
to you?
That might be all it is doing. I don't know. I also saw that gmail
switch to http from https which concerned me quite a bit.
--
teknotus
Take Notice
(503) 409-1735
Gary
2008-04-04 21:35:31 UTC
Post by Daniel Johnson
That might be all it is doing. I don't know. I also saw that gmail
switch to http from https which concerned me quite a bit.
That's nothing to be alarmed about as it's designed to be session based
once you authenticate via HTTPS. You probably didn't notice that it
happens all the time until you were having other issues. I haven't read
of anyone bothering to hijack anyone's gmail session but if you're
concerned you can always prepend your sign-in URL with https.
http://linuxactivist.blogspot.com/2005/11/gmail-hack-encrypt-gmail-login-and.html

-Gary
Daniel Johnson
2008-04-05 00:27:13 UTC
Post by Gary
Post by Daniel Johnson
That might be all it is doing. I don't know. I also saw that gmail
switch to http from https which concerned me quite a bit.
That's nothing to be alarmed about as it's designed to be session based
once you authenticate via HTTPS. You probably didn't notice that it
happens all the time until you were having other issues. I haven't read
of anyone bothering to hijack anyone's gmail session but if you're
concerned you can always prepend your sign-in URL with https.
http://linuxactivist.blogspot.com/2005/11/gmail-hack-encrypt-gmail-login-and.html
I'm on gmail right now, and it's https 100% of the time not just at
login. You don't want people reading your email in transit. It isn't
just the login you want to protect.
--
teknotus
Take Notice
(503) 409-1735
coderman
2008-04-06 03:00:36 UTC
Post by Daniel Johnson
...
I'm on gmail right now, and it's https 100% of the time not just at
login. You don't want people reading your email in transit. It isn't
just the login you want to protect.
you have to request the gmail via https, not just log in via https, in
order for gmail to default to ssl. i usually bookmark:
"https://mail.google.com/mail/?auth=blah" to tell gmail that my
preference is SSL/TLS.

note that gmail does not bind auth cookies to "secure only", so
anything that links to a plaintext google domain will leak your
authentication cookie, allowing session hijack. (see "sidejacking" for
the gritty details)

if you want to enforce gmail ssl/tls behavior, you need to use a
browser filter (adblock works) or proxy that drops all http:// to
google on the floor, while letting https:// through (this has side
effects). you can also use a transparent SSL MITM proxy to alter
cookie parameters allowing secure use of both http and https, but this
is quite advanced and a pain in the ass, even if the most robust
solution.

best regards,
coderman
2008-04-06 03:13:20 UTC
Post by coderman
...
note that gmail does not bind auth cookies to "secure only",
here are the technical details for the curious. use Live HTTP Headers or
a sniffer (with SSL/TLS MITM) to observe.

For a secure site, the session cookie will be set like:

"Set-Cookie: ESSID=...; path=/; domain=www.$foo.com; secure; HttpOnly"

the "secure;" part is the critical component which tells the browser
not to send this cookie associated with the domain unless SSL/TLS is
in use.

for gmail, you see:

"Set-Cookie: SID=...;Domain=.google.com;Path=/"

which makes the vulnerability to sidejacking apparent.

best regards,
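
The cookie attributes described in the last post, checked mechanically. This is an added example, not part of the original thread: the `audit_set_cookie` helper and its finding strings are illustrative, and the two sample headers are the ones quoted above with their elided values left as-is.

```python
from dataclasses import dataclass, field


@dataclass
class CookieAudit:
    name: str
    domain: str = ""
    path: str = ""
    secure: bool = False
    http_only: bool = False
    findings: list = field(default_factory=list)


def audit_set_cookie(header: str) -> CookieAudit:
    """Parse one Set-Cookie header line and flag missing protections."""
    # Accept the line with or without the leading "Set-Cookie:" field name.
    prefix, sep, rest = header.partition(":")
    value = rest if sep and prefix.strip().lower() == "set-cookie" else header
    parts = [p.strip() for p in value.split(";") if p.strip()]
    if not parts or "=" not in parts[0]:
        raise ValueError("no name=value pair in Set-Cookie header")
    audit = CookieAudit(name=parts[0].split("=", 1)[0].strip())
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key = key.strip().lower()  # attribute names are case-insensitive
        if key == "secure":
            audit.secure = True
        elif key == "httponly":
            audit.http_only = True
        elif key == "domain":
            audit.domain = val.strip()
        elif key == "path":
            audit.path = val.strip()
    if not audit.secure:
        scope = audit.domain or "the issuing host"
        audit.findings.append(
            "no Secure: browser also sends it over plaintext http:// to " + scope)
    if not audit.http_only:
        audit.findings.append("no HttpOnly: cookie is readable from page scripts")
    return audit


# The two header shapes quoted in the post ("..." is the elided cookie value).
SAMPLES = [
    "Set-Cookie: ESSID=...; path=/; domain=www.$foo.com; secure; HttpOnly",
    "Set-Cookie: SID=...;Domain=.google.com;Path=/",
]

if __name__ == "__main__":
    for line in SAMPLES:
        result = audit_set_cookie(line)
        print(result.name, result.findings or "OK")
```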