[HN Gopher] Captcha.nsa.gov
       ___________________________________________________________________
        
       Captcha.nsa.gov
        
       Author : scblzn
       Score  : 344 points
       Date   : 2020-02-03 17:05 UTC (5 hours ago)
        
        
       | fnord77 wrote:
       | NSA's cert, too. All your are TLS belong to us.
        
       | [deleted]
        
       | DangerousPie wrote:
       | Interesting alt names on the SSL certificate:
       | 
       | DNS Name=www.nsa.gov
       | 
       | DNS Name=nsa.gov
       | 
       | DNS Name=apps-test.nsa.gov
       | 
       | DNS Name=stage.nsa.gov
       | 
       | DNS Name=apps.nsa.gov
       | 
       | DNS Name=www2.nsa.gov
       | 
       | DNS Name=captcha.nsa.gov
       | 
       | DNS Name=m.nsa.gov
        
         | numpad0 wrote:
         | Even NSA has mobile pages these days!?
        
           | kube-system wrote:
           | It looks like it's actually required by law.
           | 
           | https://www.congress.gov/bill/115th-congress/house-bill/2331
           | 
           | >If, on or after the date that is 180 days after the date of
           | the enactment of this section, an agency creates a website
           | that is intended for use by the public or conducts a redesign
           | of an existing legacy website that is intended for use by the
           | public, the agency shall ensure to the greatest extent
           | practicable that the website is mobile friendly.
        
           | [deleted]
        
         | jcoffland wrote:
         | One of those leads to this:
         | https://apps.nsa.gov/eqip-applicant/showLogin.login
        
       | kyrra wrote:
       | Looks to be cname forwarding.
       | 
       | > $ dig captcha.nsa.gov
       | 
       | > ;; ANSWER SECTION:
       | 
       | > captcha.nsa.gov. 13246 IN CNAME www.nsa.gov.edgekey.net.
       | 
       | > www.nsa.gov.edgekey.net. 21528 IN CNAME e6655.dscna.akamaiedge.net.
       | 
       | > e6655.dscna.akamaiedge.net. 19 IN A 23.213.xxx.xxx
       | 
       | The IP addresses at the last one all seem to be Akamai IPs. So
       | that is fronting Google here it seems?
        
         | snazz wrote:
         | Can anyone just do that to any domain? My website is hosted at
         | GitHub Pages and requires a CNAME file in the repo root as well
         | as the DNS entry at Cloudflare.
        
           | notatoad wrote:
           | you can do it to any domain that isn't checking the hostname
           | header. Most sites check that the hostname header matches the
           | site's actual domain (like is specified in the CNAME file on
           | github pages)
           | 
           | that's definitely not what's happening here though, most
           | obviously because it has an SSL certificate. If it were just
           | being CNAMEd over to google, the SSL would be invalid. NSA
           | has to be catching the request to terminate the SSL, and then
           | proxying it back to google.
        
           | milankragujevic wrote:
           | Yes, they are not using a CNAME (whereby the original server
           | serves the page, just on a different domain), they appear to
           | be using a reverse proxy.
           | 
           | You can find more info about how that works here:
           | https://en.wikipedia.org/wiki/Reverse_proxy
        
             | snazz wrote:
             | That makes a lot more sense.
        
             | tpmx wrote:
             | That's copyright and trademark infringement.
        
               | milankragujevic wrote:
               | That is not a technical limitation but a legal one.
        
               | tpmx wrote:
               | Yes. The NSA is breaking the law here.
        
               | rabuse wrote:
               | They most certainly have an agreement with Google here.
        
               | ryanlol wrote:
               | Why?
        
               | tpmx wrote:
               | Because some people on HN voted so, I suppose? So much
               | aggressive and frankly stupid presumption here. But, the
               | vote wins!
               | 
               | I just don't understand people here.
               | 
               | Obviously it's perfectly natural for a trillion dollar
               | company to allow a government agency to use their brand
               | on their government domain - without any notice at all.
               | Especially a government agency that is tasked with
               | surveillance. Yeah, there's really no problem with that.
               | 
               | It's that, or someone messed up setting up a captcha
               | service for some public NSA service. What would be more
               | likely?
        
               | jaywalk wrote:
               | You have no way of knowing that. They could have an
               | agreement with Google to allow this.
        
               | milankragujevic wrote:
               | Agreed. The copyright holder / trademark owner must be
               | the party that wants to limit distribution, not the
               | government or some unrelated third party.
               | 
               | i.e. if I see you producing fake Coca Cola drinks, I
               | can't sue you for infringing on The Coca Cola Company's
               | trademark. They would have to sue you. Same applies for
               | the government.
               | 
               | And of course, if NSA does have an agreement with Google
               | to reverse proxy https://google.com/, them doing exactly
               | that would be perfectly legal. I presume they have SOME
               | sort of agreement, and aren't just doing this behind
               | Google's back, as the website is on HN's first page in
               | the first 5 places for an hour already, and Google hasn't
               | banned access.
               | 
               | Try getting even 50 Google queries with a reverse proxy,
               | and you will see what I mean -- they will show you a
               | progressively more difficult ReCAPTCHA until a certain
               | threshold, after which the CAPTCHA is unsolvable and is
               | there only to waste your time. This hasn't happened to HN
               | readers [yet].
        
               | tpmx wrote:
               | Meanwhile I presume they misconfigured a service meant
               | for doing captcha checks using Google. What's more
               | likely? Why are you so aggressively.. eh.. okay, not
               | going to write that.
        
       | 867-5309 wrote:
       | it's all a ploy to finger HN users. imagine how many uniques
       | they'll harvest!
        
         | annoyingnoob wrote:
         | Yeah, no way I'm clicking that link. I'll let others do that
         | and read the reports here.
        
       | [deleted]
        
       | pamicel wrote:
       | ??????
        
       | alistairSH wrote:
       | I don't get it - I'm seeing a Brazilian version of Google?
        
       | patorjk wrote:
       | My first instinct is that this is some kind of puzzle. It'd be
       | pretty disappointing if this was just a misconfiguration or
       | oversight.
        
         | fredley wrote:
         | That's actually a really viable theory, especially given the
         | "can't search for traceroute" thing - that spits out what seems
         | to be a time-based error string.
        
           | ryanlol wrote:
           | It's not, that's just standard akamai WAF behaviour.
           | 
           | E: sorry, HN is throttling me and I can't reply below. This
           | is just a silly web application firewall that blocks a list
           | of "suspicious strings". There's not much else to be said
           | about it.
        
             | fredley wrote:
             | Can you explain in more detail? captcha.nsa.goving for more
             | information didn't return anything.
        
             | dang wrote:
             | (I've turned off the throttling since your recent comments
             | look to have been fine. Please don't do flamebait/flamewar
             | in the future!)
        
       | aray wrote:
       | I'm curious if this is a (temporary, unsecure) way to use google
       | if you're in a place that google is currently blocked.
       | 
       | Small chance, but in case anyone on HN is in a place google is
       | blocked, would be an interesting test to run.
        
         | 2T1Qka0rEiPr wrote:
         | If you're in a country which bans Google, I'd suspect a high
         | chance having nsa.gov wouldn't be too favourable on your DNS
         | lookup records!
        
         | dpwm wrote:
         | Genuinely curious: are there places that block google but don't
         | block the NSA?
        
       | [deleted]
        
       | iod wrote:
       | https://captcha.nsa.gov/intl/en/about.html
       | 
       | There is some truth to this.
        
         | andai wrote:
         | What did this say?
        
           | iod wrote:
           | https://google.com/intl/en/about.html
        
       | phlhar wrote:
       | Oh wow, they just disabled it while I was reading some comments.
       | It's no longer working, I'm now getting redirected to nsa.gov
       | 
       | Edit: This seems to have been online since 2018, see
       | https://web.archive.org/web/20181206224407/http://captcha.ns....
        
         | basilamer wrote:
         | As someone very confused as to what people are commenting
         | about, thank you. I'm clearly just seeing the post-patch
         | version
        
           | casefields wrote:
           | Before they fixed it, it redirected to Google's homepage in
           | Portuguese.
        
             | dahfizz wrote:
             | It wasn't a redirect. They served a Google homepage, but it
             | was still an nsa.gov url
        
             | mirimir wrote:
             | Here:
             | https://web.archive.org/web/20200203154312/https://captcha.n...
        
       | aloknnikhil wrote:
       | Among other things, it's weird that it shows up with a different
       | GeoIP triangulation for different users. Someone commented here
       | about seeing this in Portuguese. I'm seeing this in Japanese.
       | Does anyone know what's going on?
       | 
       | EDIT: And now it's showing up in English.
        
         | OrgNet wrote:
         | It gives me Brasil's Google
        
           | ghostoftiber wrote:
           | yeah I am on brazil also.
        
         | jcoffland wrote:
         | I believe this has to do with which Akamai server ends up
         | handling the page request.
        
       | milankragujevic wrote:
       | And it's gone (redirects to nsa.gov)...
        
       | ryanlol wrote:
       | Nothing especially interesting happening here, someone just
       | pointed captcha.nsa.gov at google.com in their akamai config.
       | 
       | Perhaps they're just using google.com like example.com, or
       | they're trying to serve recaptcha under nsa.gov.
        
         | snazz wrote:
         | That doesn't explain the fact that you can't search for
         | traceroute.
        
           | ryanlol wrote:
           | It does though, Akamai WAF.
        
             | snazz wrote:
             | Okay. That seems pretty logical.
        
         | sgc wrote:
         | They could be doing something else on their internal network
         | and this is just fallback for when their apps are outside the
         | network.
        
       | Aissen wrote:
       | I've seen this on Twitter all day. My guess is that they wanted
       | recaptcha, but serving the resources themselves. The easiest
       | route was probably to reverse proxy google.com, which is what
       | recaptcha is hosted on:
       | 
       | https://developers.google.com/recaptcha/docs/v3#frontend_int...
        
         | ehsankia wrote:
         | Could this backfire in any way and create some sort of exploit
         | on nsa.gov? What if someone happened to somehow have access to
         | google.com?
        
       | cjjuice wrote:
       | A potential vector would be to potentially load images/content
       | through google image/AMP and make it appear as legitimate NSA
       | content
        
       | colejhudson wrote:
       | Just went down, now redirects to www.nsa.gov.
        
       | maxbaines wrote:
       | Why Brazil?
        
         | FDSGSG wrote:
         | Because Google's geoip DB thinks Akamai IPs like
         | "23.59.250.119" are in Brazil.
        
           | maxbaines wrote:
           | Ah that makes perfect sense, Brazil confused me for a minute
           | there.
        
       | SubiculumCode wrote:
       | Why is everyone talking about a captcha? All I get is a google
       | search page (no recaptchas).
        
         | FDSGSG wrote:
         | Because google recaptcha is served from that domain
         | (www.google.com).
        
         | scarejunba wrote:
         | Examine the URL, especially the subdomain
        
       | orisho wrote:
       | I'm guessing that the NSA website uses recaptcha, which is served
       | by Google. Perhaps in order to comply with strict origin policy,
       | they want everything on nsa.gov to be served from their domain.
       | They seem to have a reverse proxy that proxies requests to
       | google.com.
       | 
       | That's one plausible explanation, but in any case, even if my
       | explanation is wrong, I doubt the explanation is interesting.
        
         | dessant wrote:
         | If that's the case, they are being sloppy, considering that
         | everything under www.google.com is proxied through their
         | servers, not just specific reCAPTCHA assets.
         | 
         | Gmail by NSA: https://captcha.nsa.gov/intl/us/gmail/about/
         | 
         | They're inheriting a considerable part of Google's attack
         | surface. For example, Google's open redirects could be used to
         | bypass origin checks as part of an attack on nsa.gov, or to
         | phish NSA employees.
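
One way to keep such a proxy from exposing the whole upstream site, as an added example (not part of the comment above and not NSA's or Akamai's configuration): forward only an allowlisted path prefix, matched after normalisation. The `/recaptcha/` prefix, the function names and the sample targets not quoted in the thread are assumptions.

```python
import posixpath
from urllib.parse import unquote

# Assumption: the only upstream content the site needs lives under this prefix.
ALLOWED_PREFIXES = ("/recaptcha/",)


def normalize_path(raw_path):
    """Return the canonical path to match on, or None if it is ambiguous."""
    decoded = unquote(raw_path)
    # Anything still encoded after one decode, or containing backslashes or
    # control characters, may be read differently by the upstream: refuse it.
    if "%" in decoded or "\\" in decoded or any(ord(c) < 0x20 for c in decoded):
        return None
    if not decoded.startswith("/") or decoded.startswith("//"):
        return None
    normal = posixpath.normpath(decoded)  # collapses "." and ".." segments
    # normpath drops a trailing slash; restore it so prefix matching stays exact.
    if decoded.endswith("/") and normal != "/":
        normal += "/"
    return normal


def route(request_target):
    """Decide what the edge does with one request target (path plus query)."""
    path, sep, query = request_target.partition("?")
    canonical = normalize_path(path)
    if canonical is None:
        return ("reject", 400)
    if not canonical.startswith(ALLOWED_PREFIXES):
        return ("reject", 404)
    # Forward the canonical path, never the raw one the client sent.
    return ("forward", canonical + sep + query)


# Request targets: the first three paths are quoted in this thread,
# the rest are constructed test cases.
SAMPLE_TARGETS = [
    "/intl/us/gmail/about/",
    "/search?q=what+is+my+ip&hl=en",
    "/intl/en/about.html",
    "/recaptcha/api.js?render=explicit",
    "/recaptcha/../search?q=x",
    "/recaptcha/%2e%2e/intl/en/about.html",
    "/recaptcha/%252e%252e/search",
]


def audit(targets=SAMPLE_TARGETS):
    """Map each target to the routing decision, for review or logging."""
    return {target: route(target) for target in targets}


if __name__ == "__main__":
    for target, decision in audit().items():
        print(decision, target)
```
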
        
           | Apofis wrote:
           | Somebody possibly got written up for this.
        
             | winternett wrote:
             | NBD... Just a quick test in PROD.... tth_tth
        
           | itcmcgrath wrote:
           | My favorite so far:
           | https://captcha.nsa.gov/logos/2019/loteria/rc2/loteria19.htm...
        
             | bjornsing wrote:
             | For me (in Sweden) that URL seems to just redirect to
             | https://www.nsa.gov/?hl=en ...
        
               | TimWolla wrote:
               | They appear to have changed something in the past few
               | minutes. When I first opened this HN thread it showed me
               | Google's homepage. Now I'm also seeing that redirect.
        
               | dessant wrote:
               | NSA has just shut down the proxy. The link was a Google
               | Doodles game.
        
               | lkbm wrote:
               | You can just replace captcha.nsa.gov with www.google.com
               | to see what it used to serve up:
               | https://www.google.com/logos/2019/loteria/rc2/loteria19.html...
        
       | greatjack613 wrote:
       | Can anyone from mainland china try this?
       | 
       | I am curious to see if it is blocked.
        
         | j_koreth wrote:
         | According to this website [0] it appears to do so which is
         | interesting.
         | 
         | https://www.comparitech.com/privacy-security-tools/blockedin...
        
         | Gaelan wrote:
         | GreatFire says it's unblocked.
         | https://en.greatfire.org/captcha.nsa.gov
        
       | sdinsn wrote:
       | Why is it in Portuguese?
        
         | calibas wrote:
         | What's odd is that it came up in English at first, but now it's
         | Portuguese for me. Another comment here mentioned it's the
         | Brazilian version of Google's search page.
        
           | FateOfNations wrote:
           | depends on where the traffic exits the Akamai network... they
           | are likely using it to proxy Recaptcha, so they likely said
           | "we don't care where it exits" and Akamai picks whatever is
           | most convenient for them... in that case, Brazil.
        
           | jaywalk wrote:
           | It depends on the IP of the Akamai server that's hitting it.
           | If you search "what is my ip" you'll see it.
        
       | chillydawg wrote:
       | So someone with control of a .google.com address can get a
       | certificate for the equivalent .nsa.gov subdomain ?
        
       | preillyme wrote:
       | Looks like the good folks over at the NSA are reading Hacker
       | News. And fix issues quickly. I'm proud of them.
        
       | codeful wrote:
       | No ads. Nice! :D
        
       | [deleted]
        
       | Groxx wrote:
       | I assume that the archive.org mirror is showing what was visible?
       | https://web.archive.org/web/20200203154312/http://captcha.ns...
       | 
       | I see a google search page (google.com equivalent). Which fits
       | with the reverse proxy that does ~any google url.
        
       | ZoF wrote:
       | This isn't particularly new, sure it's interesting though, as
       | others have mentioned it's akamai with google as the endpoint,
       | I'd be surprised if Google wasn't aware and allowing this. The
       | localization defaulting to Brasil is interesting to me, you can
       | force english just like google though[0]
       | 
       | Here's a crawl from 2018[1]
       | 
       | [0]-http://captcha.nsa.gov/?hl=en
       | [1]-https://web.archive.org/web/20181206224407/http://captcha.ns...
        
       | alpb wrote:
       | It's likely this is set up to collect data by impersonating
       | Google Search in an iframe etc.
       | 
       | Consider reporting this to Safe Browsing complaint form as
       | phishing attempt:
       | https://www.google.com/safebrowsing/report_phish/
        
         | cmcd wrote:
         | You think the NSA is phishing from a nsa domain?
        
       | coekie wrote:
       | You can see what IP it uses to send requests to google using
       | https://captcha.nsa.gov/search?q=what+is+my+ip
        
         | AnssiH wrote:
         | The link didn't work for me (i.e. just got regular results)
         | until I added &hl=en to get the English version:
         | https://captcha.nsa.gov/search?q=what+is+my+ip&hl=en
        
           | Apofis wrote:
           | Another write up at the NSA.
        
       | parliament32 wrote:
       | It's just a CNAME to an akamai IP:
       | 
       |     $ host captcha.nsa.gov
       |     captcha.nsa.gov is an alias for www.nsa.gov.edgekey.net.
       |     www.nsa.gov.edgekey.net is an alias for e6655.dscna.akamaiedge.net.
       |     e6655.dscna.akamaiedge.net has address 104.75.125.118
       |     e6655.dscna.akamaiedge.net has IPv6 address 2600:1406:5800:7b5::19ff
       |     e6655.dscna.akamaiedge.net has IPv6 address 2600:1406:5800:792::19ff
       | 
       | edgekey.net is an akamai thingy, all of nsa.gov seems to go
       | through it
       | 
       |     $ host www.nsa.gov
       |     www.nsa.gov is an alias for nsa.gov.edgekey.net.
       |     nsa.gov.edgekey.net is an alias for e16248.dscb.akamaiedge.net.
        
       | [deleted]
        
       | fredley wrote:
       | Can someone explain what's going on? Is this a domain hack to get
       | Google's captcha working under an nsa.gov hostname, presumably so
       | that it's usable on whitelist firewalls? I'm surprised Google
       | serves a homepage to the domain, and that it doesn't only respond
       | to requests to google.com (etc.)
        
         | njetten wrote:
         | Seems to be on purpose, unless someone really misconfigured
         | their Akamai setup. Your purpose sounds viable
        
         | cm2187 wrote:
         | If the NSA rids the web of google captchas, it will have fully
         | deserved its budget and all past mistakes will be forgiven!
        
           | dessant wrote:
           | Until then, you can use my browser extension to solve them:
           | https://github.com/dessant/buster
        
             | morrbo wrote:
             | Huge fan of your work. Use it daily with no problems. Just
             | wanted to say, from the bottom of my heart, thanks.
        
               | dessant wrote:
               | You're sweet, thanks a lot!
        
         | bndw wrote:
         | Is this more than a reverse proxy to google.com? Seems like the
         | real question is _why_.
        
         | ryanlol wrote:
         | >I'm surprised Google serves a homepage to the domain
         | 
         | Google doesn't, the reverse proxy just rewrites the Host
         | header.
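
The two mechanisms compared in this thread (a bare CNAME versus a reverse proxy that terminates TLS and rewrites the Host header), as an added simulation that is not part of any comment and is not anyone's real configuration. The edge SAN list is the one quoted earlier in the thread; the upstream's SAN list, its virtual-host set and the 404 response are assumptions.

```python
# SAN list quoted in the thread for the certificate served on captcha.nsa.gov.
EDGE_CERT_SANS = [
    "www.nsa.gov", "nsa.gov", "apps-test.nsa.gov", "stage.nsa.gov",
    "apps.nsa.gov", "www2.nsa.gov", "captcha.nsa.gov", "m.nsa.gov",
]
# Assumed SANs on the upstream's own certificate (illustrative only).
UPSTREAM_CERT_SANS = ["www.google.com", "*.google.com"]
# Assumed set of Host values the upstream is configured to answer for.
UPSTREAM_VHOSTS = {"www.google.com"}


def san_matches(hostname, san):
    """Match a hostname against one SAN; '*' covers exactly one leftmost label."""
    host = hostname.lower().rstrip(".").split(".")
    pattern = san.lower().rstrip(".").split(".")
    if len(host) != len(pattern):
        return False
    if pattern[0] == "*":
        return host[1:] == pattern[1:]
    return host == pattern


def cert_covers(hostname, sans):
    """True if any SAN on the certificate covers the hostname."""
    return any(san_matches(hostname, san) for san in sans)


def origin_serve(host_header):
    """Virtual-hosting origin: answer only for Host values it is configured for."""
    host = host_header.lower().split(":")[0]
    if host in UPSTREAM_VHOSTS:
        return (200, "search page")
    return (404, "unknown host")


def via_bare_cname(requested_host):
    """DNS alias only: the client talks to the upstream directly, unchanged."""
    # The client validates the upstream's certificate against the name it typed.
    if not cert_covers(requested_host, UPSTREAM_CERT_SANS):
        return ("tls-error", "certificate does not cover " + requested_host)
    return origin_serve(requested_host)


def via_reverse_proxy(requested_host, upstream_host="www.google.com",
                      rewrite_host=True):
    """Edge terminates TLS with its own certificate, then makes a new request."""
    if not cert_covers(requested_host, EDGE_CERT_SANS):
        return ("tls-error", "certificate does not cover " + requested_host)
    # The proxy is itself a TLS client of the upstream and checks that name.
    if not cert_covers(upstream_host, UPSTREAM_CERT_SANS):
        return (502, "upstream certificate mismatch")
    forwarded_host = upstream_host if rewrite_host else requested_host
    return origin_serve(forwarded_host)


if __name__ == "__main__":
    print("bare CNAME:        ", via_bare_cname("captcha.nsa.gov"))
    print("proxy, Host kept:  ", via_reverse_proxy("captcha.nsa.gov",
                                                   rewrite_host=False))
    print("proxy, Host rewrite:", via_reverse_proxy("captcha.nsa.gov"))
```
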
        
         | captainmuon wrote:
         | My guess: a custom version of Google that allows NSA analysts
         | to do "Google dorking" - searching for vulnerable hosts with
         | Google - without triggering a captcha. Somebody on twitter
         | mentioned they could not get a captcha with strings that
         | usually reliably cause one.
         | 
         | Maybe this is just a fake front page that calls to the Google
         | search API and pretends to be Google proper. Either it is for
         | agents in the field to inconspicuously use google or they
         | misconfigured it to be public?
        
           | FDSGSG wrote:
           | Your guess is wrong. This isn't a custom version of google.
           | It's just a regular akamai reverse proxy setup.
           | 
           | > Either it is for agents in the field to inconspicuously use
           | google
           | 
           | By visiting a nsa.gov subdomain served by _akamai_? Yeah
           | right. I feel like heading to www.google.com would be far
           | less conspicuous.
        
             | captainmuon wrote:
             | You can do that? I would expect Google to flag connections
             | to the search page that don't terminate on a
             | residential/commercial IP as suspicious and show you the
             | near "unsolvable" captcha.
             | 
             | At least that is my experience with proxying google
             | services (e.g. silly setup for accessing them from China).
             | Datacenter IPs or SSL "MitM" connections reliably trigger
             | it.
        
               | FDSGSG wrote:
               | Depends very much on which datacenter you're using. I'd
               | imagine google doesn't get much (any) bot traffic from
               | Akamai, so I'm not surprised that their ranges aren't
               | flagged yet.
        
               | jjeaff wrote:
               | But all it takes is a few dozen queries in fast
               | succession and google will start showing a captcha. At
               | least, that is how it seemed to be a few years ago.
        
               | tempestn wrote:
               | I wonder how many people are currently submitting queries
               | via that page...
        
               | ryanlol wrote:
               | Akamai rotates their source IPs a lot so you wouldn't get
               | a captcha very fast.
        
               | VectorLock wrote:
               | I'd love to know what the distribution of tries on the
               | "unsolvable" captcha is when served to real people
               | operating in good faith.
        
               | penagwin wrote:
               | Anecdotal, and I'm guessing it's because I was logged in
               | (to my long standing personal Google account) - but I
               | didn't have any issues when I was VPN'd through a Vultr
               | vps of mine when I was in my dorm.
               | 
               | Again I'm guessing it's because I was logged in, from
               | google chrome.
        
       | romaaeterna wrote:
       | This looks really really dumb. I wonder if you can get personal
       | sites to display through nsa.gov somehow through this.
        
       | qubex wrote:
       | I am somewhat baffled. What was that?
        
       | [deleted]
        
       | [deleted]
        
       | 1970-01-01 wrote:
       | NSA thanks you for your participation in this experiment. Please
       | terminate all knowledge with the purple pill at this time.
        
       | ljd wrote:
       | I feel like the valid SSL cert is my biggest issue here.
        
         | thedance wrote:
         | Why wouldn't it be valid? It's for O=National Security Agency
         | and it has alternate names matching this URL authority.
        
         | chipperyman573 wrote:
         | SSL just verifies that the NSA owns nsa.gov
        
       | mnx wrote:
       | It seems like we broke it -- it now refuses to do any searches
       | for me (due to suspicious activity from 'my' ip)
        
       | kusha wrote:
       | From this twitter thread:
       | https://twitter.com/mikko/status/1224349151384821762
       | 
       | You can't search traceroute. Weird.
        
         | ryanlol wrote:
         | Not weird, just WAF.
        
         | XMPPwocky wrote:
         | You also can't search alert(1), so probably just a silly WAF.
        
           | rahuldottech wrote:
           | Or for `<script>`
        
         | batuhanicoz wrote:
         | People on that thread also noticed more keywords and think it
         | might be Akamai WAF. I don't know enough about it to be sure.
         | 
         | You can't have some strings in the URL for the main NSA.gov
         | domain as well. So https://nsa.gov/fakething?hey=traceroute
         | will give you the same error.
        
           | ehsankia wrote:
           | Yeah it's clear that a system is just blindly grepping the
           | request url for certain keywords and killing the query.
        
         | [deleted]
        
         | mythz wrote:
         | So you can't search for `traceroute` or `tracert` directly but
         | you can search for misspellings like `tracerout` and the results
         | page just ends up showing the search results for `traceroute`
         | so it's not exactly a very sophisticated filter.
        
           | jaywalk wrote:
           | Well the purpose of the filter is almost certainly to prevent
           | running the command on the server in case of an attack, not
           | to prevent it from being searched on Google. You'd have to
           | spell it correctly to get the server to execute it.
        
       ___________________________________________________________________
       (page generated 2020-02-03 23:00 UTC)