[HN Gopher] Intercepting t.co links using DNS rewrites
___________________________________________________________________
Intercepting t.co links using DNS rewrites
Author : todsacerdoti
Score : 55 points
Date : 2023-01-29 19:01 UTC (3 hours ago)
(HTM) web link (djharper.dev)
(TXT) w3m dump (djharper.dev)
| quesomaster9000 wrote:
| I wish there was an easier way to uniformly rewrite links across
| applications, one which annoys me is Reddit - they seem incapable
| of consistently linking to content on their own site, some could
| be fixed with a Greasemonkey script but that doesn't work on
| mobile or across apps.
|
| But this is part of a wider pattern of the internet becoming deep
| fried, instead of a link we get a short code to a Facebook page
| with a bot reposting TikTok videos of a phone screen-recording of
| an editorialized livestream of somebody watching a
| screen-recording of the video on YouTube - and of course it starts
| halfway through then loops round again and plays twice with three
| sets of black bands, content creator @names, watermarks, wifi &
| signal indicators etc.
|
| If we could all do one thing to help stop the spread of this
| cancer, that would be great: de-duplication via content
| addressable links / tags.
|
| But it'll never happen.
| jeroenhd wrote:
| Just installed this in my own network. Already had my own CA so I
| just took all the supported domains and generated a certificate
| for them. The list kind of pollutes my Pi-hole domain overrides but
| that's alright by me.
|
| It works well! I'm running it with Nginx in a Proxmox LXC
| container where I've allocated a meager 64MB of RAM for it and it
| still has RAM to spare. I wish I could say the same of other
| "small" tools from across the web that I'm running.
|
| I like the minimalist web pages and the fact it auto-resolves
| multiple redirects on its own (bit.ly -> msft.it -> aka.ms ->
| ...) without making you wait for the page to load and the fact it
| removes tracking parameters for you. I know there are online
| tools and extensions that do the same but those are a pain to
| install on mobile.
| djhworld wrote:
| This is awesome, thanks for taking the time to try it out! I
| honestly threw it together over a few hours this weekend so
| it's in a very rough state, and there are no unit tests for it,
| and none of the code is commented or structured that well so
| there's probably a lot of edge cases it does not account for.
|
| But still, glad it worked!
| chamik wrote:
| Awesome writeup! It's short, but I've learned a lot.
| logicallee wrote:
| For anyone who wants to check a specific link,
| https://wheregoes.com/ does a good job of tracing where a Twitter
| link (or any other redirected link) goes. I just tried it and it
| works on t.co links.
| woodruffw wrote:
| Nice writeup, and a nice demonstration of one of WebPKI's
| limitations!
|
| I understand why both HPKP and Expect-CT have been obsoleted, but
| it's a bummer that we still don't have a good enforcement
| mechanism for CA/cert pinning for a particular site. CT itself
| does a reasonable job of mitigating the "globally visible
| misissuing CA" problem, but does nothing to help users whose
| certificate stores contain all kinds of mystery enterprise or
| application-installed CAs.
| bourgeoismedia wrote:
| Is your argument that it shouldn't be possible for a user to
| intercept t.co in this way? Seems like a perfectly valid use
| case (sidecar process to unwrap 9 layers of redirects from an
| anonymous browsing context). If the sidecar is validating the
| original t.co certs and you trust it then what's the problem?
| djhworld wrote:
| One thing I'd neglected to mention in the post is the sidecar
| uses a public DNS resolver to get the actual t.co link, but
| it's making the assumption that Go's stdlib enforces this:
| https://github.com/djhworld/theunwrapper/blob/main/unwrap/un...
| and doesn't fall back to the system one.
|
| So there is that issue... I guess one way to mitigate it
| would be to run the sidecar out of the network, or at least
| have a clean DNS config and not have my custom CA in the root
| store...i.e. you'd want to be double sure you're going to the
| real thing and only accepting trusted certs signed by a
| trusted root.
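The two assumptions djhworld describes, made explicit in Go as an added example (this is not code from the post or from theunwrapper): the client sends DNS queries only to an assumed public resolver (1.1.1.1:53 here), trusts only the root pool it is handed rather than whatever CA sits in the system store, and unwrap walks the redirect chain one hop at a time so every intermediate URL is visible.

```go
package main

import (
	"context"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"net"
	"net/http"
	"time"
)
// newUnwrapClient resolves names only via dnsAddr (an assumed public resolver,
// e.g. "1.1.1.1:53"), never the system resolver, and accepts only certificates
// chaining to roots (nil = system store), so a local custom CA cannot vouch for t.co.
func newUnwrapClient(dnsAddr string, roots *x509.CertPool) *http.Client {
	resolver := &net.Resolver{
		PreferGo: true, // only Go's built-in resolver honours Dial
		Dial: func(ctx context.Context, _, _ string) (net.Conn, error) {
			return (&net.Dialer{}).DialContext(ctx, "udp", dnsAddr)
		},
	}
	return &http.Client{
		Transport: &http.Transport{
			DialContext:     (&net.Dialer{Timeout: 5 * time.Second, Resolver: resolver}).DialContext,
			TLSClientConfig: &tls.Config{RootCAs: roots, MinVersion: tls.VersionTLS12},
		},
		// Do not auto-follow redirects; unwrap records each hop itself.
		CheckRedirect: func(*http.Request, []*http.Request) error { return http.ErrUseLastResponse },
	}
}

// unwrap follows up to maxHops redirects and returns every hop, destination last.
func unwrap(c *http.Client, start string, maxHops int) ([]string, error) {
	hops := []string{start}
	for i := 0; i < maxHops; i++ {
		resp, err := c.Get(hops[len(hops)-1])
		if err != nil {
			return hops, err
		}
		resp.Body.Close()
		if resp.StatusCode/100 != 3 {
			return hops, nil // not a redirect: this is the destination
		}
		next, err := resp.Location()
		if err != nil {
			return hops, err
		}
		hops = append(hops, next.String())
	}
	return hops, fmt.Errorf("more than %d redirects from %s", maxHops, start)
}
```

Go's built-in resolver still consults /etc/hosts before querying dnsAddr, so a hosts-file override on the sidecar host itself would still win, while a rewrite at the network DNS server (the Pi-hole style setup in the post) is bypassed.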
| woodruffw wrote:
| > Is your argument that it shouldn't be possible for a user
| to intercept t.co in this way?
|
| Not necessarily; the argument is that it's indistinguishable
| from a malicious MiTM. I think this is a great and legitimate
| use, but it's also probably something that website providers
| should be able to make themselves resilient against (or, at
| the least, be able to audit when it happens).
| jeoqn wrote:
| [flagged]
| djhworld wrote:
| Author here, thanks for reading.
| h43z wrote:
| What is this trying to protect from? You see the actual URL in
| the tweet. Are you worried about redirects, if so why?
| [deleted]
| jojobas wrote:
| Your clicks being logged by Twitter.
| netanbing wrote:
| Have you considered using services like https://wheregoes.com/ to
| fetch the final destination and navigate?
| djhworld wrote:
| Author here, yeah I mention this at the start, there are quite a
| few of these link uncloakers.
|
| The annoying part is having to copy the link, navigate to the
| website, paste in the link etc.
|
| I was looking for something more "seamless" that works
| cross-device (e.g. on phone, in the Twitter app etc) not just
| browsers. With this you just click the t.co link and the result
| is there instantly.
|
| It's a dumb solution but was fun to write.
| netanbing wrote:
| Got it. The process of pipelining and piecing it all together
| is interesting. Thank you for the post.
| [deleted]
___________________________________________________________________
(page generated 2023-01-29 23:00 UTC)