14 replies to this topic

[Tushman]

I needed to make some 'minor tweaks' in Palemoon today and stumbled upon a setting that caught my curiosity.

network.dns.disablePrefetch

It was set to true (enabled) and wondered if it was something I really needed or not.  After doing a little bit of research, I began to have some serious doubts about it.  Make no mistake, it does offer a slight advantage in terms of faster load times, but I'm not entirely convinced that the benefits outweigh the risks/disadvantages.  So I disabled it, both in PM an Fx.  In fact, according to the articles I've read, all the major browsers out there today have it enabled by default.  Yes, that does includes Firefox, Opera, Chrome, IE v8 & v9.  Decided for yourself whether you really want it or not.  I've got a pretty fast connection here (10 Mbps) and disabling it did not hinder/slow down my browser at all.

Here's a page titled "What is DNS prefetching and why it should be enabled".

I disagree with the author's assertion that it should be, as it leads people to believe they're missing out on some great experience if it's not.  After doing my own reading & research, I think it can be used or preferred by some users, but strongly disagree that it "should be" used.

I attended a seminar last year on DNS attacks & cache poisoning.  (The seminar was geared for IT folks and network administrators) so the presented information would not have been "interesting" for most end users.  However, I walked away with the understanding that of all the "theoretical" threats out there, it is perhaps one of the most likely (and severe threats) that can happen today.

Wiki page on Link prefetching

Additionally, there are a number of criticisms regarding the privacy and resource usage implications of link prefetching:

• Users and website operators who pay for the amount of bandwidth they use find themselves paying for traffic for pages the user might not actually visit, and advertisers might pay for viewed ads on sites that are never visited.
• Web statistics such as browser usage, search engine referers, and page hits may become less reliable due to registering page hits that were never seen by the user.
• Users may be exposed to more security risks - by downloading more pages, or from un-requested sites (additionally compounded as drive-by downloads become more advanced and diverse).

Another link for Reference:
http://www.cert-ist.com/eng/ressources/Pub...etching/_print/

This technique may appear user-friendly since it brings an almost immediate response to users’ requests, but it has many disadvantages:

• prefetching a web page in the background could eventually cause a user system to be infected by a malware (drive-by download attack), if this prefetched page contained a malicious code. In this given situation, the web browser of the victim would be compromised in a completely invisible way, since the user has not clicked on a particular link when the infection occurs. **

** preceding bullet points omitted for brevity sake.  You can read the full text by click on the link above.


Also see:
DNS Prefetching & Its Privacy Implications:  When Good Things Go Bad

authors: Srinivas Krishnan & Fabian Monrose
PDF download here.

Edited by Tushman, 13 January 2012 - 03:48 PM.

[Temmu]

let the dns server do its job.
the windows command, ipconfig /flushdns is used to =fix= browsing issues - i.e. remove the contents of the cache.
i would imaging a piece of software that caches dns hits (other than the dns server) would be a bad thing.
(remember, dns exists to follow a website from ip address to ip address, so we don't have to do that manually.)

[Tushman]

let the dns server do its job.

I never said anything about modifying the DNS server.  The setting that I referred to in my original post was for Palemoon/Firefox browser - so that's on the client side.

i would imaging a piece of software that caches dns hits (other than the dns server) would be a bad thing.

caches DNS hits?  Did you read the articles?  It doesn't cache DNS 'hits'.  It caches all the links that you're currently on or navigating to.

Edited by Tushman, 13 January 2012 - 08:05 PM.

[lewmur]

I needed to make some 'minor tweaks' in Palemoon today and stumbled upon a setting that caught my curiosity.

network.dns.disablePrefetch

It was set to true (enabled) and wondered if it was something I really needed or not.  After doing a little bit of research, I began to have some serious doubts about it.  Make no mistake, it does offer a slight advantage in terms of faster load times, but I'm not entirely convinced that the benefits outweigh the risks/disadvantages.  So I disabled it, both in PM an Fx.  In fact, according to the articles I've read, all the major browsers out there today have it enabled by default.  Yes, that does includes Firefox, Opera, Chrome, IE v8 & v9.  Decided for yourself whether you really want it or not.  I've got a pretty fast connection here (10 Mbps) and disabling it did not hinder/slow down my browser at all.

Here's a page titled "What is DNS prefetching and why it should be enabled".

I disagree with the author's assertion that it should be, as it leads people to believe they're missing out on some great experience if it's not.  After doing my own reading & research, I think it can be used or preferred by some users, but strongly disagree that it "should be" used.

I attended a seminar last year on DNS attacks & cache poisoning.  (The seminar was geared for IT folks and network administrators) so the presented information would not have been "interesting" for most end users.  However, I walked away with the understanding that of all the "theoretical" threats out there, it is perhaps one of the most likely (and severe threats) that can happen today.

Wiki page on Link prefetching


Another link for Reference:
http://www.cert-ist.com/eng/ressources/Pub...etching/_print/


** preceding bullet points omitted for brevity sake.  You can read the full text by click on the link above.


Also see:
DNS Prefetching & Its Privacy Implications:  When Good Things Go Bad

authors: Srinivas Krishnan & Fabian Monrose
PDF download here.

Seems simple to me.  If the links remain constant, then the app doesn't need to contact the DNS server to get the IP address.  It has them cached.  Thus the app will save a few milliseconds.  However, if there is a possibility that the IP addresses the links point to have changed, then using the old (cached) IP address would cause an error.  So, caching the addresses is faster but fetching them from the DNS server each time is safer.

IMO, caching IP addresses in a browser wouldn't be worth the risk, but if you were playing an online game, where every millisecond counts, it would.

Edited by lewmur, 14 January 2012 - 10:02 AM.

[ross549]

OK,

I read the article you linked to on DNS prefetching. You then started to talk about prefetching (non-DNS type)

DNS prefetching does one thing for you: It establishes the IP address for a certain number of links on the page you are currently viewing. It does *not* download the page for you.

Prefetching is another animal altogether. The browser determines through some algorithm what link you are likely to click next, and preemptively downloads that page for you.

Prefetching DNS will eliminate that one small wait time for you, because the browser will resolve the IP address before you need it. There is minmal to zero security risk here- if the DNS is poisoned, it will be the same regardless if DNS prefetching is enabled or not. You get hit with the malware perhaps as much as 600 milliseconds earlier, depending on your connection speed.

Page prefetching I also see as a non-issue, because the page is grabbed, but it is not *rendered* until called upon by the user. In order for the malware to do its work, it must be "executed" by the system (aren't all scripts really just programs anyway?) when it is rendered in the browser. I can download a virus onto my computer, but until it is executed by the system it is simply dormant. The same applies to malicious code on a browser page.

Here's a couple words I noticed in your quoted articles:

Users may be exposed to more security risks

prefetching a web page in the background could eventually cause a user system

My point is this- may and could are kind of scary words. Are there any open bugs in the browsers that would indicate that prefetching (DNS or otherwise) has security flaws?

I am not going to shut something off on my browser simply because it could potentially be a security risk. If I used that mentality, I would disconnect my computer from the network, glue the USB ports shut, and remove the CD-ROM drive. Until it is an actual problem, I'll leave it on.

Adam

[ross549]

I read the paper you linked to as well....

Our main objective in this work is to highlight the fact that if left unchecked, rapid enhancements in when and how DNS prefetching is performed could lead to new security and privacy threats

Obviously, the inferences made only shed light on the searches being performed by the population of clients (as a whole) that use the resolver the adversary is probing. Therefore, if the server is used by a very diverse populations of clients, then one can not tie these searches to a particular organizational unit (e.g., client of UNC’s CS
department). Hence, a reasonable approach for savvy clients that are concerned about the attacks outlined herein might be to use a public DNS service to achieve some level of anonymity

The attack discussed previously assumes access to cache traces or DNS logs, which arguably, may not be a very practical assumption.

In other words.... this is a purely theoretical problem, and not one that will exist in the real world. If you were the sole user of a DNS server, and someone else had managed to hack into such a server, the it is possible that the attacker might be able to figure out what you might have been searching for.

Adam

[LilBambi]

There are some issues that everyone should be aware of regarding DNS prefetching:

All major browsers are doing DNS pre-fetching now since it makes their browsers appear to be faster.

DNS Prefetching Implications

Risks related to DNS prefetching

From a security point of view, the negative aspect of DNS prefetching is the large number of DNS queries it induces, which may give helpful information to an attacker for the development of potential attacks.

For instance, it is possible to imagine a malicious website that tracks users through links to specific domains within HTML pages, and by observing the DNS resolution requests made by the browser for these domains.

However, it is possible to get the same kind of information, more simply, by using specially crafted image tags or by embedding iframes into web pages.

For users having high security needs, it is possible to disable the DNS prefetching feature.

But there are always vulnerabilities in browsers that people do not know about. Frequent clearing of your caches is a good idea to prevent sniffing temporary files like that.

Here's just a few links of interest regarding Prefetching in Chrome and Firefox:

Chrome
Turn Off DNS Prefetching in Google Chrome to Fix Resolving Host and Cannot Load Page Error
Paranoid Firefox

[ross549]

I understand that DNS prefetching increases the load on DNS servers. That is something that should be looked in to.

However, I do not see how a DNS request could reveal any useful information. I am trying to imagine it. I just can't see how it could lead to a release of private information or a compromise in the browser.

The Cert-IST article refers to potential issues which could lead to information used in a possible attack. Again, it is purely theoretical.

Adam

[Tushman]

Page prefetching I also see as a non-issue, because the page is grabbed, but it is not *rendered* until called upon by the user. In order for the malware to do its work, it must be "executed" by the system (aren't all scripts really just programs anyway?) when it is rendered in the browser. I can download a virus onto my computer, but until it is executed by the system it is simply dormant. The same applies to malicious code on a browser page.

I agree with most of what you said except for the above.  I disagree that all malware/viruses are dormant until called upon by the browser.  Just simply the fact that the browser hasn't called "program A" to run doesn't mean that a script running in the background couldn't.  Isn't this how most common drive by infections occur?  Just because it's not specifically "called upon" by the browser doesn't mean it's harmless.  And speaking of drive by infections, I've seen porn websites infected with various malware (I can't prove intentionally or unintentionally done). so even if porn site 'A' is safe (meaning not loaded with any malware) it's not uncommon for these sites to affiliate with other websites that are loaded with crap.  In this case DNS prefetching could cause problems because the cookies store in the browser cache could be used to load pop ups even AFTER you've left porn site 'A'.

Edited by Tushman, 16 January 2012 - 12:31 AM.

[LilBambi]

Yes, choices in visiting websites can follow us way beyond visiting the initial site. That should be taken into account.

Malware files, or pieces of malware file arrays can also be brought down from various locations.

Even if you allow pre-fetching in your browser, it would be wise to clear your caches frequently; at least once a day, more if you spend a lot of time online during the day.

I have seen computers where they do not clean their caches frequently having issues with slow computers, and issues with malware that those who clear their caches frequently don't have. Particularly if something is brought down, a registry entry (in Windows) to call a malicious file's execution is pushed to load on boot, and then wham next boot, bad stuff starts happening. This can range from trojan downloaders, backdoors, keyloggers, etc.

So although it can be theoretical for some, those in Windows may find it a bit more than theoretical that bad stuff happens and could be attributed in part to not clearing caches before rebooting or shutting down for the night. Some things will even run right from caches as you surf. Some of the malware cocktails are dastardly.

Caches for browsers, regardless of the type of cache, may or may not be a wise thing, particularly in Windows.

[ross549]

I agree with most of what you said except for the above.  I disagree that all malware/viruses are dormant until called upon by the browser.  Just simply the fact that the browser hasn't called "program A" to run doesn't mean that a script running in the background couldn't.  Isn't this how most common drive by infections occur?  Just because it's not specifically "called upon" by the browser doesn't mean it's harmless.  And speaking of drive by infections, I've seen porn websites infected with various malware (I can't prove intentionally or unintentionally done). so even if porn site 'A' is safe (meaning not loaded with any malware) it's not uncommon for these sites to affiliate with other websites that are loaded with crap.  In this case DNS prefetching could cause problems because the cookies store in the browser cache could be used to load pop ups even AFTER you've left porn site 'A'.

I understand what you are saying about a script calling another object in a prefetched page.However, a browser is not going to load every link. Just looking at the source code for this thread, there are 251 href links. There may be a few that are obfuscated by javascript. The browser is not going to follow each link- that is 251 additional pages to pull down!

http://lwn.net/Articles/139725/

http://lwn.net/Articles/139724/

However, the discussion here is not page prefetching. It is DNS prefetching, the pre-emptive resolution of a domain name to an IP address only!

We are mixing two very different topics here!

Is resolving a hostname to an IP address a security risk? I say it is not! I have not seen anything that details any risk associated with the resolution of names.

Link (page) prefetching is another whole animal. But that is in this thread.

Adam

[ross549]

PS- I would like to note that the search term "DNS prefetching risk" shows this thread as the number one hit on Google.

[Tushman]

I understand what you are saying about a script calling another object in a prefetched page.However, a browser is not going to load every link. Just looking at the source code for this thread, there are 251 href links. There may be a few that are obfuscated by javascript. The browser is not going to follow each link- that is 251 additional pages to pull down!

http://lwn.net/Articles/139725/

http://lwn.net/Articles/139724/

However, the discussion here is not page prefetching. It is DNS prefetching, the pre-emptive resolution of a domain name to an IP address only!

We are mixing two very different topics here!

Is resolving a hostname to an IP address a security risk? I say it is not! I have not seen anything that details any risk associated with the resolution of names.

Link (page) prefetching is another whole animal. But that is in this thread.

Adam

C'mon, are you telling me that you're gonna get huffy puffy about being "off topic"?  I will concede the point that DNS prefetching and page prefetching are two different things.   However, this isn't the first time that a tangent (related) topic has been discussed in one thread.   Also your analogy about gluing the USB ports on one's computer is exaggerated and not even in the ballpark of making a fair comparison.  In my eyes, disabling the DNS prefetching in Palemoon is a reasonable action to take to make my online experience a bit more secure.  I personally know of people who take even more drastic measures.  Heck, I have a friend who is so paranoid about viruses that she thinks she can get a virus just by logging onto the internet. No kidding.

Your response in this thread has definitely helped to understand the difference between DNS and page prefetching but I have not changed my mind about re-enabling back in Palemoon.  We do things all the time.... whenever MS releases a security alert or whatever, he run windows updates, or back in November when Corrine posted a heads up notice on the Duqu malware, we took the necessary precautions to protect our PC.  So how is this any different?

Edited by Tushman, 17 January 2012 - 01:01 AM.

[ross549]

(I did not intend to sound huffy about being off topic)

In fact, these are two different things entirely. The challenge here is trying to figure out what each paragraph means. We had a lot of flipping back and forth between the two and it can be hard to know which one we were talking about.

*ahem*

I am still digging around a bit, and the paper you posted initially is the only time I have read anything that would indicate a potential issue with DNS prefetching. In that case, the hacker would need to have system level access to a DNS server (at least to be able to read logs), *and* it be a server that you were the sole user of in order to gain any personally identifiable information. If you simply use your ISP's server, this theoretical threat goes away, as noted on the paper. The same goes for using a large public DNS service.

I know people who run their own DNS within their local network. It is certainly doable, especially considering BIND is a 8nix program and open source.

The simple fact is that the conditions required to make this even a possible danger are so incredibly remote that no hackers is going to go through the trouble. There are much better ways to get at a person's information that yield much more useful information. The fact is that this is not very useful to a lazy hacker (most of them are).

Keeping this all in mind, I don't think disabling prefetching is really worth the cost of speed. The first 10 to 600 msec of pulling down a new page is waiting for DNS to resolve while your computer sits and waits.

Adam

[Temmu]

i withdraw my earlier comment on prefetching:  it appears that in the context of this tread, the pre-fetch only lasts as long as the browsing session.  assuming that the cache is flushed when the browser closes, and assuming users close their browsers after a couple of hours ( lol   ) then no harm done.