[HN Gopher] Captcha.nsa.gov
___________________________________________________________________
Captcha.nsa.gov

Author : scblzn
Score  : 344 points
Date   : 2020-02-03 17:05 UTC (5 hours ago)

(HTM) web link (captcha.nsa.gov)
(TXT) w3m dump (captcha.nsa.gov)

| fnord77 wrote:
| NSA's cert, too. All your are TLS belong to us.
| [deleted]
| DangerousPie wrote:
| Interesting alt names on the SSL certificate:
|
| DNS Name=www.nsa.gov
|
| DNS Name=nsa.gov
|
| DNS Name=apps-test.nsa.gov
|
| DNS Name=stage.nsa.gov
|
| DNS Name=apps.nsa.gov
|
| DNS Name=www2.nsa.gov
|
| DNS Name=captcha.nsa.gov
|
| DNS Name=m.nsa.gov
| numpad0 wrote:
| Even NSA has mobile pages these days!?
| kube-system wrote:
| It looks like it's actually required by law.
|
| https://www.congress.gov/bill/115th-congress/house-bill/2331
|
| >If, on or after the date that is 180 days after the date of the enactment of this section, an agency creates a website that is intended for use by the public or conducts a redesign of an existing legacy website that is intended for use by the public, the agency shall ensure to the greatest extent practicable that the website is mobile friendly.
| [deleted]
| jcoffland wrote:
| One of those leads to this: https://apps.nsa.gov/eqip-applicant/showLogin.login
| kyrra wrote:
| Looks to be cname forwarding.
|
| > $ dig captcha.nsa.gov
|
| > ;; ANSWER SECTION:
|
| > captcha.nsa.gov. 13246 IN CNAME www.nsa.gov.edgekey.net.
|
| > www.nsa.gov.edgekey.net. 21528 IN CNAME e6655.dscna.akamaiedge.net.
|
| > e6655.dscna.akamaiedge.net. 19 IN A 23.213.xxx.xxx
|
| The IP addresses at the last one all seem to be Akamai IPs. So that is fronting Google here it seems?
| snazz wrote:
| Can anyone just do that to any domain? My website is hosted at GitHub Pages and requires a CNAME file in the repo root as well as the DNS entry at Cloudflare.
| notatoad wrote:
| you can do it to any domain that isn't checking the hostname header.
| Most sites check that the hostname header matches the site's actual domain (like is specified in the CNAME file on github pages)
|
| that's definitely not what's happening here though, most obviously because it has an SSL certificate. If it were just being CNAMEd over to google, the SSL would be invalid. NSA has to be catching the request to terminate the SSL, and then proxying it back to google.
| milankragujevic wrote:
| Yes, they are not using a CNAME (whereby the original server serves the page, just on a different domain), they appear to be using a reverse proxy.
|
| You can find more info about how that works here: https://en.wikipedia.org/wiki/Reverse_proxy
| snazz wrote:
| That makes a lot more sense.
| tpmx wrote:
| That's copyright and trademark infringement.
| milankragujevic wrote:
| That is not a technical limitation but a legal one.
| tpmx wrote:
| Yes. The NSA is breaking the law here.
| rabuse wrote:
| They most certainly have an agreement with Google here.
| ryanlol wrote:
| Why?
| tpmx wrote:
| Because some people on HN voted so, I suppose? So much aggressive and frankly stupid presumption here. But, the vote wins!
|
| I just don't understand people here.
|
| Obviously it's perfectly natural for a trillion dollar company to allow a government agency to use their brand on their government domain - without any notice at all. Especially a government agency that is tasked with surveillance. Yeah, there's really no problem with that.
|
| It's that, or someone messed up setting up a captcha service for some public NSA service. What would be more likely?
| jaywalk wrote:
| You have no way of knowing that. They could have an agreement with Google to allow this.
| milankragujevic wrote:
| Agreed. The copyright holder / trademark owner must be the party that wants to limit distribution, not the government or some unrelated third party.
|
| i.e.
| if I see you producing fake Coca Cola drinks, I can't sue you for infringing on The Coca Cola Company's trademark. They would have to sue you. Same applies for the government.
|
| And of course, if NSA does have an agreement with Google to reverse proxy https://google.com/, them doing exactly that would be perfectly legal. I presume they have SOME sort of agreement, and aren't just doing this behind Google's back, as the website is on HN's first page in the first 5 places for an hour already, and Google hasn't banned access.
|
| Try getting even 50 Google queries with a reverse proxy, and you will see what I mean -- they will show you a progressively more difficult ReCAPTCHA until a certain threshold, after which the CAPTCHA is unsolvable and is there only to waste your time. This hasn't happened to HN readers [yet].
| tpmx wrote:
| Meanwhile I presume they misconfigured a service meant for doing captcha checks using Google. What's more likely? Why are you so aggressively.. eh.. okay, not going to write that.
| 867-5309 wrote:
| it's all a ploy to finger HN users. imagine how many uniques they'll harvest!
| annoyingnoob wrote:
| Yeah, no way I'm clicking that link. I'll let others do that and read the reports here.
| [deleted]
| pamicel wrote:
| ??????
| alistairSH wrote:
| I don't get it - I'm seeing a Brazilian version of Google?
| patorjk wrote:
| My first instinct is that this is some kind of puzzle. It'd be pretty disappointing if this was just a misconfiguration or oversight.
| fredley wrote:
| That's actually a really viable theory, especially given the "can't search for traceroute" thing - that spits out what seems to be a time-based error string.
| ryanlol wrote:
| It's not, that's just standard akamai WAF behaviour.
|
| E: sorry, HN is throttling me and I can't reply below. This is just a silly web application firewall that blocks a list of "suspicious strings". There's not much else to be said about it.
| fredley wrote:
| Can you explain in more detail? captcha.nsa.goving for more information didn't return anything.
| dang wrote:
| (I've turned off the throttling since your recent comments look to have been fine. Please don't do flamebait/flamewar in the future!)
| aray wrote:
| I'm curious if this is a (temporary, unsecure) way to use google if you're in a place that google is currently blocked.
|
| Small chance, but in case anyone on HN is in a place google is blocked, would be an interesting test to run.
| 2T1Qka0rEiPr wrote:
| If you're in a country which bans Google, I'd suspect a high chance having nsa.gov wouldn't be too favourable on your DNS lookup records!
| dpwm wrote:
| Genuinely curious: are there places that block google but don't block the NSA?
| [deleted]
| iod wrote:
| https://captcha.nsa.gov/intl/en/about.html
|
| There is some truth to this.
| andai wrote:
| What did this say?
| iod wrote:
| https://google.com/intl/en/about.html
| phlhar wrote:
| Oh wow, they just disabled it while I was reading some comments. It's no longer working, I'm now getting redirected to nsa.gov
|
| Edit: This seems to have been online since 2018, see https://web.archive.org/web/20181206224407/http://captcha.ns....
| basilamer wrote:
| As someone very confused as to what people are commenting about, thank you. I'm clearly just seeing the post-patch version
| casefields wrote:
| Before they fixed it, it redirected to Google's homepage in Portuguese.
| dahfizz wrote:
| It wasn't a redirect. They served a Google homepage, but it was still an nsa.gov url
| mirimir wrote:
| Here: https://web.archive.org/web/20200203154312/https://captcha.n...
| aloknnikhil wrote:
| Among other things, it's weird that it shows up with a different GeoIP triangulation for different users. Someone commented here about seeing this in Portuguese. I'm seeing this in Japanese. Does anyone know what's going on?
|
| EDIT: And now it's showing up in English.
| OrgNet wrote:
| It gives me Brasil's Google
| ghostoftiber wrote:
| yeah I am on brazil also.
| jcoffland wrote:
| I believe this has to do with which Akamai server ends up handling the page request.
| milankragujevic wrote:
| And it's gone (redirects to nsa.gov)...
| ryanlol wrote:
| Nothing especially interesting happening here, someone just pointed captcha.nsa.gov at google.com in their akamai config.
|
| Perhaps they're just using google.com like example.com, or they're trying to serve recaptcha under nsa.gov.
| snazz wrote:
| That doesn't explain the fact that you can't search for traceroute.
| ryanlol wrote:
| It does though, Akamai WAF.
| snazz wrote:
| Okay. That seems pretty logical.
| sgc wrote:
| They could be doing something else on their internal network and this is just fallback for when their apps are outside the network.
| Aissen wrote:
| I've seen this on Twitter all day. My guess is that they wanted recaptcha, but serving the resources themselves. The easiest route was probably to reverse proxy google.com, which is what recaptcha is hosted on:
|
| https://developers.google.com/recaptcha/docs/v3#frontend_int...
| ehsankia wrote:
| Could this backfire in any way and create some sort of exploit on nsa.gov? What if someone happened to somehow have access to google.com?
| cjjuice wrote:
| A potential vector would be to potentially load images/content through google image/AMP and make it appear as legitimate NSA content
| colejhudson wrote:
| Just went down, now redirects to www.nsa.gov.
| maxbaines wrote:
| Why Brazil?
| FDSGSG wrote:
| Because Google's geoip DB thinks Akamai IPs like "23.59.250.119" are in Brazil.
| maxbaines wrote:
| Ah that makes perfect sense, Brazil confused me for a minute there.
| SubiculumCode wrote:
| Why is everyone talking about a captcha? All I get is a google search page (no recaptchas).
| FDSGSG wrote:
| Because google recaptcha is served from that domain (www.google.com).
| scarejunba wrote:
| Examine the URL, especially the subdomain
| orisho wrote:
| I'm guessing that the NSA website uses recaptcha, which is served by Google. Perhaps in order to comply with strict origin policy, they want everything on nsa.gov to be served from their domain. They seem to have a reverse proxy that proxies requests to google.com.
|
| That's one plausible explanation, but in any case, even if my explanation is wrong, I doubt the explanation is interesting.
| dessant wrote:
| If that's the case, they are being sloppy, considering that everything under www.google.com is proxied through their servers, not just specific reCAPTCHA assets.
|
| Gmail by NSA: https://captcha.nsa.gov/intl/us/gmail/about/
|
| They're inheriting a considerable part of Google's attack surface. For example, Google's open redirects could be used to bypass origin checks as part of an attack on nsa.gov, or to phish NSA employees.
| Apofis wrote:
| Somebody possibly got written up for this.
| winternett wrote:
| NBD... Just a quick test in PROD.... tth_tth
| itcmcgrath wrote:
| My favorite so far: https://captcha.nsa.gov/logos/2019/loteria/rc2/loteria19.htm...
| bjornsing wrote:
| For me (in Sweden) that URL seems to just redirect to https://www.nsa.gov/?hl=en ...
| TimWolla wrote:
| They appear to have changed something in the past few minutes. When I first opened this HN thread it showed me Google's homepage. Now I'm also seeing that redirect.
| dessant wrote:
| NSA has just shut down the proxy. The link was a Google Doodles game.
| lkbm wrote:
| You can just replace captcha.nsa.gov with www.google.com to see what it used to serve up: https://www.google.com/logos/2019/loteria/rc2/loteria19.html...
| greatjack613 wrote:
| Can anyone from mainland china try this?
|
| I am curious to see if it is blocked.
| j_koreth wrote:
| According to this website [0] it appears to do so which is interesting.
|
| https://www.comparitech.com/privacy-security-tools/blockedin...
| Gaelan wrote:
| GreatFire says it's unblocked. https://en.greatfire.org/captcha.nsa.gov
| sdinsn wrote:
| Why is it in Portuguese?
| calibas wrote:
| What's odd is that it came up in English at first, but now it's Portuguese for me. Another comment here mentioned it's the Brazilian version of Google's search page.
| FateOfNations wrote:
| depends on where the traffic exits the Akamai network... they are likely using it to proxy Recaptcha, so they likely said "we don't care where it exits" and Akamai picks whatever is most convenient for them... in that case, Brazil.
| jaywalk wrote:
| It depends on the IP of the Akamai server that's hitting it. If you search "what is my ip" you'll see it.
| chillydawg wrote:
| So someone with control of a .google.com address can get a certificate for the equivalent .nsa.gov subdomain?
| preillyme wrote:
| Looks like the good folks over at the NSA are reading Hacker News. And fix issues quickly. I'm proud of them.
| codeful wrote:
| No ads. Nice! :D
| [deleted]
| Groxx wrote:
| I assume that the archive.org mirror is showing what was visible? https://web.archive.org/web/20200203154312/http://captcha.ns...
|
| I see a google search page (google.com equivalent). Which fits with the reverse proxy that does ~any google url.
| ZoF wrote:
| This isn't particularly new, sure it's interesting though, as others have mentioned it's akamai with google as the endpoint, I'd be surprised if Google wasn't aware and allowing this. The localization defaulting to Brasil is interesting to me, you can force english just like google though[0]
|
| Here's a crawl from 2018[1]
|
| [0]-http://captcha.nsa.gov/?hl=en
| [1]-https://web.archive.org/web/20181206224407/http://captcha.ns...
| alpb wrote:
| It's likely this is set up to collect data by impersonating Google Search in an iframe etc.
|
| Consider reporting this to Safe Browsing complaint form as phishing attempt: https://www.google.com/safebrowsing/report_phish/
| cmcd wrote:
| You think the NSA is phishing from a nsa domain?
| coekie wrote:
| You can see what IP it uses to send requests to google using https://captcha.nsa.gov/search?q=what+is+my+ip
| AnssiH wrote:
| The link didn't work for me (i.e. just got regular results) until I added &hl=en to get the English version: https://captcha.nsa.gov/search?q=what+is+my+ip&hl=en
| Apofis wrote:
| Another write up at the NSA.
| parliament32 wrote:
| It's just a CNAME to an akamai IP:
|   $ host captcha.nsa.gov
|   captcha.nsa.gov is an alias for www.nsa.gov.edgekey.net.
|   www.nsa.gov.edgekey.net is an alias for e6655.dscna.akamaiedge.net.
|   e6655.dscna.akamaiedge.net has address 104.75.125.118
|   e6655.dscna.akamaiedge.net has IPv6 address 2600:1406:5800:7b5::19ff
|   e6655.dscna.akamaiedge.net has IPv6 address 2600:1406:5800:792::19ff
|
| edgekey.net is an akamai thingy, all of nsa.gov seems to go through it
|   $ host www.nsa.gov
|   www.nsa.gov is an alias for nsa.gov.edgekey.net.
|   nsa.gov.edgekey.net is an alias for e16248.dscb.akamaiedge.net.
| [deleted]
| fredley wrote:
| Can someone explain what's going on? Is this a domain hack to get Google's captcha working under an nsa.gov hostname, presumably so that it's usable on whitelist firewalls? I'm surprised Google serves a homepage to the domain, and that it doesn't only respond to requests to google.com (etc.)
| njetten wrote:
| Seems to be on purpose, unless someone really misconfigured their Akamai setup. Your purpose sounds viable
| cm2187 wrote:
| If the NSA rids the web of google captchas, it will have fully deserved its budget and all past mistakes will be forgiven!
| dessant wrote:
| Until then, you can use my browser extension to solve them: https://github.com/dessant/buster
| morrbo wrote:
| Huge fan of your work. Use it daily with no problems.
| Just wanted to say, from the bottom of my heart, thanks.
| dessant wrote:
| You're sweet, thanks a lot!
| bndw wrote:
| Is this more than a reverse proxy to google.com? Seems like the real question is _why_.
| ryanlol wrote:
| >I'm surprised Google serves a homepage to the domain
|
| Google doesn't, the reverse proxy just rewrites the Host header.
| captainmuon wrote:
| My guess: a custom version of Google that allows NSA analysts to do "Google dorking" - searching for vulnerable hosts with Google - without triggering a captcha. Somebody on twitter mentioned they could not get a captcha with strings that usually reliably cause one.
|
| Maybe this is just a fake front page that calls to the Google search API and pretends to be Google proper. Either it is for agents in the field to inconspicuously use google or they misconfigured it to be public?
| FDSGSG wrote:
| Your guess is wrong. This isn't a custom version of google. It's just a regular akamai reverse proxy setup.
|
| > Either it is for agents in the field to inconspicuously use google
|
| By visiting a nsa.gov subdomain served by _akamai_? Yeah right. I feel like heading to www.google.com would be far less conspicuous.
| captainmuon wrote:
| You can do that? I would expect Google to flag connections to the search page that don't terminate on a residential/commercial IP as suspicious and show you the near "unsolvable" captcha.
|
| At least that is my experience with proxying google services (e.g. silly setup for accessing them from China). Datacenter IPs or SSL "MitM" connections reliably trigger it.
| FDSGSG wrote:
| Depends very much on which datacenter you're using. I'd imagine google doesn't get much (any) bot traffic from Akamai, so I'm not surprised that their ranges aren't flagged yet.
| jjeaff wrote:
| But all it takes is a few dozen queries in fast succession and google will start showing a captcha. At least, that is how it seemed to be a few years ago.
| tempestn wrote:
| I wonder how many people are currently submitting queries via that page...
| ryanlol wrote:
| Akamai rotates their source IPs a lot so you wouldn't get a captcha very fast.
| VectorLock wrote:
| I'd love to know what the distribution of tries on the "unsolvable" captcha is when served to real people operating in good faith.
| penagwin wrote:
| Anecdotal, and I'm guessing it's because I was logged in (to my long standing personal Google account) - but I didn't have any issues when I was VPN'd through a Vultr vps of mine when I was in my dorm.
|
| Again I'm guessing it's because I was logged in, from google chrome.
| romaaeterna wrote:
| This looks really really dumb. I wonder if you can get personal sites to display through nsa.gov somehow through this.
| qubex wrote:
| I am somewhat baffled. What was that?
| [deleted]
| [deleted]
| 1970-01-01 wrote:
| NSA thanks you for your participation in this experiment. Please terminate all knowledge with the purple pill at this time.
| ljd wrote:
| I feel like the valid SSL cert is my biggest issue here.
| thedance wrote:
| Why wouldn't it be valid? It's for O=National Security Agency and it has alternate names matching this URL authority.
| chipperyman573 wrote:
| SSL just verifies that the NSA owns nsa.gov
| mnx wrote:
| It seems like we broke it -- it now refuses to do any searches for me (due to suspicious activity from 'my' ip)
| kusha wrote:
| From this twitter thread: https://twitter.com/mikko/status/1224349151384821762
|
| You can't search traceroute. Weird.
| ryanlol wrote:
| Not weird, just WAF.
| XMPPwocky wrote:
| You also can't search alert(1), so probably just a silly WAF.
| rahuldottech wrote:
| Or for `<script>`
| batuhanicoz wrote:
| People on that thread also noticed more keywords and think it might be Akamai WAF. I don't know enough about it to be sure.
|
| You can't have some strings in the URL for the main NSA.gov domain as well.
| So https://nsa.gov/fakething?hey=traceroute will give you the same error.
| ehsankia wrote:
| Yeah it's clear that a system is just blindly grepping the request url for certain keywords and killing the query.
| [deleted]
| mythz wrote:
| So you can't search for `traceroute` or `tracert` directly but you can search for misspellings like `tracerout` and the results page just ends up showing the search results for `traceroute` so it's not exactly a very sophisticated filter.
| jaywalk wrote:
| Well the purpose of the filter is almost certainly to prevent running the command on the server in case of an attack, not to prevent it from being searched on Google. You'd have to spell it correctly to get the server to execute it.
___________________________________________________________________
(page generated 2020-02-03 23:00 UTC)
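
The scoping problem dessant raises in the thread (everything under www.google.com proxied, not just reCAPTCHA assets), together with the Host handling notatoad and ryanlol describe, sketched as an added example; it is not code from the thread or from any real Akamai or NSA configuration. The `/recaptcha/` allowlist, the status codes and the function names are assumptions.

```python
import posixpath
from urllib.parse import quote, unquote

# Assumptions for this sketch, not taken from any real configuration:
FRONT_HOST = "captcha.nsa.gov"       # public hostname discussed in the thread
UPSTREAM_HOST = "www.google.com"     # origin the thread says was being proxied
RECAPTCHA_ONLY = ("/recaptcha/",)    # assumed scope: reCAPTCHA assets only
CATCH_ALL = ("/",)                   # models "everything under www.google.com"


def canonical_path(raw_path):
    """Decode and normalize a request path; None means ambiguous, refuse it."""
    decoded = unquote(raw_path)
    # A leftover "%" means double encoding; "\\" and NUL are read differently
    # by different servers. Refusing them also refuses a literal "%25".
    if not decoded.startswith("/") or any(c in decoded for c in "%\\\x00"):
        return None
    normalized = "/" + posixpath.normpath(decoded).lstrip("/")
    # normpath drops the trailing slash; restore it so "/recaptcha/" still matches.
    if decoded.endswith("/") and normalized != "/":
        normalized += "/"
    return normalized


def route(host_header, raw_target, prefixes=RECAPTCHA_ONLY):
    """Return (status, upstream_url, upstream_headers) for one inbound request."""
    # Serve only our own name; the Host sent upstream is rewritten below.
    host = host_header.lower().partition(":")[0].rstrip(".")
    if host != FRONT_HOST:
        return 421, None, {}
    raw_path, _, query = raw_target.partition("?")
    path = canonical_path(raw_path)
    if path is None:
        return 400, None, {}
    # Match the allowlist against the normalized path, never the raw one.
    if not path.startswith(prefixes):
        return 404, None, {}
    # Forward exactly the path that was checked.
    url = "https://" + UPSTREAM_HOST + quote(path) + ("?" + query if query else "")
    return 200, url, {"Host": UPSTREAM_HOST}


if __name__ == "__main__":
    # Constructed request targets (two reuse paths quoted in the thread).
    for target in ("/recaptcha/api.js", "/intl/us/gmail/about/",
                   "/search?q=what+is+my+ip&hl=en", "/recaptcha/%2e%2e/search"):
        print(target, route(FRONT_HOST, target)[0],
              route(FRONT_HOST, target, CATCH_ALL)[0])
```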