Page 2 of 7 FirstFirst 1234 ... LastLast
Results 11 to 20 of 65
  1. #11
    Untangle Ninja Jim.Alles's Avatar
    Join Date
    Jul 2008
    Location
    Central PA
    Posts
    2,606

    Default

    blocking this site
    Code:
    online-metrix.net
    does not require SSL inspection, no.

    blocking the script; I am still trying to sniff that out.

  2. #12
    Untangler
    Join Date
    Jan 2020
    Location
    San Jose, CA
    Posts
    94

    Default

    Quote Originally Posted by Jim.Alles View Post
    blocking this site
    Code:
    online-metrix.net
    does not require SSL inspection, no.
    You mean by blocking their IP address(es) with a filter rule or firewall rule? Or is there any method that can do this by hostname w/o SSL inspection?

    Sorry, if this is a stupid question, I'm pretty new to Untangle.

  3. #13
    Master Untangler
    Join Date
    Apr 2020
    Location
    United Kingdom
    Posts
    105

    Default

    Quote Originally Posted by Sam Graf View Post
    Blocking or flagging check.js via Untangle (Web Filter) seems like your best mitigation strategy involving Untangle.
    Thanks @Sam Graf, I did see that and was wondering if it would be specific to the eBay implementation or if it might break other websites if it was a common script possibly used for other site functions. Also, if it was just good for eBay (or other sites serviced by ThreatMatrix), then I guess this sort of thing is almost impossible to detect client-side?

  4. #14
    Untangle Ninja f1assistance's Avatar
    Join Date
    Apr 2009
    Location
    Holly Springs, NC
    Posts
    1,495

    Default

    FWIW, personally I simply run the NoScript Firefox extension and choose 'TRUSTED' or 'Temp. TRUSTED' on a site by site basis...not allowing .js breaks the majority of sites. NoScript initially blocks each site's attempt to run .js until I decide...
    https://tinyurl.com/l9p8btv
    Last edited by f1assistance; 05-26-2020 at 03:11 AM.
    Armshouse and Jim.Alles like this.
    Vanguard Untangle...because nothing's worse than doing nothing!
    -------
    2, Pentium (R) Dual-Core CPU E5300 @ 2.60GHz 2599.968, 2089.96MB RAM
    And building #7 didn't kill itself!

  5. #15
    Untangle Ninja
    Join Date
    Feb 2016
    Posts
    1,134

    Default

    Quote Originally Posted by tangofan View Post
    You mean by blocking their IP address(es) with a filter rule or firewall rule? Or is there any method that can do this by hostname w/o SSL inspection?

    Sorry, if this is a stupid question, I'm pretty new to Untangle.
    It's really the right question: Can Untangle block this script by URL alone?

    I used Web Filter for the block just because that's where I'd put the block. I did a simple "src.ebay-us.com/fp/check.js" in the Block Sites tab. Feel free to check it out. You'll have to check using your browser's developer tools, but a relatively easy thing to look for is what sorts of errors eBay.com generates. I tested with SSL Inspector both enabled and disabled, but I am always a little leery of confidently announcing results of that sort of test.

    Quote Originally Posted by Armshouse View Post
    Thanks @Sam Graf, I did see that and was wondering if would be specific to the eBay implementation or if it might break other websites if it was a common script possibly used for other site functions. Also, if it was just good for eBay (or other sites serviced by ThreatMatrix), then I guess this sort of thing is almost impossible to detect client-side?
    By blocking the specific JavaScript file at eBay, we can limit whatever damage is done to eBay. For all we know, check.js isn't a unique filename. I long ago stopped using eBay or I could explore further what actually happens at eBay.com when that file is blocked.

    To my knowledge, Intrusion Prevention (where we are) doesn't have a rule that covers this case. Port scans aren't suspicious in themselves, but Intrusion Prevention does see scans it thinks are suspicious. The catch is, these are scans that traverse or hit Untangle, often inbound.

    In this case, eBay delivers a payload to a client machine that interacts with that localhost only and then sends results out. Nothing but the outbound results are seen by Untangle. Untangle cannot see activity on a device. And even if the script reached out to other devices on a given subnet, Untangle still wouldn't see that traffic, since devices on a subnet communicate with each other directly.

    So there are two possible approaches using Untangle: Detect the outbound traffic or prevent the payload from being delivered. And to my knowledge, none of Untangle's tools know what to look for, specifically and narrowly, in outbound traffic in this case.

  6. #16
    Untangle Ninja Jim.Alles's Avatar
    Join Date
    Jul 2008
    Location
    Central PA
    Posts
    2,606

    Default

    referring to Sam's post, there really isn't any place for this activity by Ebay (or many other sites) in intrusion protection, threat protection, virus protection or DNS filtering. It is not malware.

    It is legitimate activity on the Internet, according to big tech.

    And, this is nothing new.

    The earliest record at crt.sh for this domain dates back all the way to 2013, so it's possible that Ebay has been scanning customers' computers for almost seven years without too many people noticing. online-metrix.net uses wildcard certificates, so unfortunately it's not so easy to enumerate their clients, but there is room for further investigation.
    It's not just Ebay scanning your ports, there is allegedly a network of 30,000 websites out there all working for the common aim of harvesting open ports, collecting IP addresses, and User Agents in an attempt to track users all across the web. And this isn't some rogue team within Ebay setting out to skirt the law, you can bet that LexisNexis lawyers have thoroughly covered their bases when extending this service to their customers (at least in the U.S.).
    Those quotes are from a really good blog post here:
    https://blog.nem.ec/2020/05/24/ebay-port-scanning/

    AND, it does not appear to be illegal, in "Accessing a Computer and Obtaining Information": 18 U.S.C. § 1030(a)(2)
    According to @TimMedin, if you do Twitter. https://twitter.com/TimMedin/status/1265086170620465152
    Sam Graf and f1assistance like this.

  7. #17
    Untangler
    Join Date
    Jan 2020
    Location
    San Jose, CA
    Posts
    94

    Default

    Quote Originally Posted by Sam Graf View Post
    I used Web Filter for the block just because that's where I'd put the block. I did a simple "src.ebay-us.com/fp/check.js" in the Block Sites tab. Feel free to check it out. You'll have to check using your browser's developer tools, but a relatively easy thing to look for is what sorts of errors eBay.com generates. I tested with SSL Inspector both enabled and disabled, but I am always a little leery of confidently announcing results of that sort of test.
    Sam, thanks so much for your response and for mentioning the "Block Sites" tab. When I tried this yesterday with the "Rules" tab (no SSL Inspector here) for a random domain, it didn't work for https URLs, but only for http URLs.

    I'm actually amazed how it can work on the Blocked Sites tab, because in my limited understanding the request URL itself is actually encrypted, so I'm not sure how Web Filter would be able to apply that filter on an https request w/o SSL Inspector. It appears to me that it must have something to do with the SSL certificate...

    So there are two possible approaches using Untangle: Detect the outbound traffic or prevent the payload from being delivered. And to my knowledge, none of Untangle's tools know what to look for, specifically and narrowly, in outbound traffic in this case.
    So wouldn't a Block Filter of
    Code:
    *online-metrix.net*
    in Web Filter do the job? Or does Web Filter only block the response, not the request (which would be needed here)?

    Perhaps a DNS sinkhole (something like pi-hole?) might be useful, when completely blocking a site like online-metrix.net is a feasible solution. Though I understand that you'd have to set it up just right, so pi-hole doesn't interfere with Untangle's DNS resolution and thus with its various analysis and filter functions.

    Once again I'm very grateful for any and all explanations. I'm learning so much in this thread and in this forum in general.

  8. #18
    Master Untangler
    Join Date
    Apr 2020
    Location
    United Kingdom
    Posts
    105

    Default

    The reason I asked if Untangle might be able to flag this kind of thing is because it would be nice to know if it was happening. As the blog Jim pointed to says: "It’s possible that Ebay has been scanning customers’ computers for almost seven years without too many people noticing..." That says to me that if eBay has, bad actors probably have been too.

    I'm not so hung up on the should/shouldn't eBay be doing it because as others have said - it's not illegal.

  9. #19
    Untangle Ninja
    Join Date
    Feb 2016
    Posts
    1,134

    Default

    Quote Originally Posted by tangofan View Post
    I'm actually amazed how it can work on the Blocked Sites tab, because in my limited understanding the request URL itself is actually encrypted, so I'm not sure how Web Filter would be able to apply that filter on an https request w/o SSL Inspector. I appears to me that it must have something to do with the SSL certificate...
    That's possible. Or, Web Filter is building the URL on SNI.

    But to me this all gets a little murky pretty quickly in terms of our expectations of the various tools at hand, both within Untangle and beyond.

    First, as Jim points out, eBay isn't doing anything illegal. That is plainly part of the conversation. However, for me, that's a non-issue in terms of network security. In the context of network security, is everything that is perfectly legal also perfectly desirable? Is there anything unlawful about attempting to mitigate perfectly legal actions on one's own network? Is it, for example, illegal or even unethical to block tracking mechanisms if one simply prefers not to be tracked? I'm just going to stay out of the question of legality.

    And parenthetically, just to be clear, I think the "I have nothing to hide" line of thought isn't terribly robust. It pretty quickly sounds like the thing it actually is if we put it correctly: "I have nothing to protect."

    Second, there are two possible issues here: the question of port scanning and the question of marketing/tracking. To me, blocking online-metrix.net is a privacy issue, a marketing/tracking issue. Blocking a JavaScript library delivered through eBay that enables, among other things, localhost port scanning is a network security issue. I think that's important because that will help inform our decisions about mitigation tools, or how high on the mitigation priority list the item is.

    So my approach is to target as narrowly as possible the behavior I object to. If my chief concern is the whole gamut of online-metrix.net services, I'm going to think about Ad Blocker on Untangle and browser privacy plugins. If I decide eBay doing port scans is unacceptable, I'm going to target eBay. But that's just me.

    That said, I'm not going to target online-metrix.net and not Google, because to me online-metrix.net represents a piece of the problem only. Again, that's because of how I see the issues involved here. I know a lot of people like to give Google a free pass because of the positive contributions Google makes to our online experiences. But if online-metrix.net is a problem, in my mind, so is Google, more so if not equally so.

    All that to say, the engineers here will look at this one way. To me, it's all a little murky in terms of an appropriate response.
    Last edited by Sam Graf; 05-26-2020 at 10:19 AM.
    Jim.Alles and f1assistance like this.
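    The question raised in #17 (how a hostname rule can apply to an https request without SSL Inspector) and Sam's answer in #19 (the filter may be working from SNI) come down to one fact: the Server Name Indication in the TLS ClientHello is sent in clear text before any encryption starts, so a filter can read the hostname without decrypting anything, while the path part of a URL (such as /fp/check.js) is inside the encrypted HTTP request and stays invisible. The following is an added example, not Untangle's code and not a description of how Web Filter is implemented: it builds a minimal ClientHello as constructed test input, extracts the SNI from it, and checks the hostname against rules written in the style used in this thread. The host `fp.online-metrix.net` is a constructed sample name; the rule strings are the ones quoted in the thread.

```python
"""Added example: hostname filtering of TLS traffic from the cleartext SNI.
Not Untangle's code; how Web Filter matches internally is an assumption here.
"""
import fnmatch
import struct
from typing import List, Optional, Tuple


def build_client_hello(host: str) -> bytes:
    """Construct a minimal TLS 1.2 ClientHello record carrying one SNI
    extension. Constructed test input only; real clients send far more."""
    name = host.encode("ascii")
    sni_entry = b"\x00" + struct.pack("!H", len(name)) + name   # name_type 0 = host_name
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    sni_ext = struct.pack("!HH", 0x0000, len(sni_list)) + sni_list  # ext type 0 = server_name
    extensions = struct.pack("!H", len(sni_ext)) + sni_ext
    body = (b"\x03\x03" + b"\x00" * 32            # client_version, 32-byte random
            + b"\x00"                              # session_id length = 0
            + struct.pack("!H", 2) + b"\xc0\x2f"   # one cipher suite
            + b"\x01\x00"                          # one compression method (null)
            + extensions)
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body  # type=client_hello, 3-byte length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record: bytes) -> Optional[str]:
    """Return the host_name from the SNI extension of a ClientHello record,
    or None if the bytes are not a well-formed ClientHello with SNI.
    Malformed input must never raise: a filter that crashes on odd bytes
    is a filter that can be bypassed."""
    try:
        if len(record) < 5 or record[0] != 0x16:          # not a Handshake record
            return None
        rec_len = struct.unpack("!H", record[3:5])[0]
        hs = record[5:5 + rec_len]
        if len(hs) < 4 or hs[0] != 0x01:                  # not a ClientHello
            return None
        body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
        pos = 2 + 32                                      # skip version and random
        pos += 1 + body[pos]                              # session_id
        pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]  # cipher_suites
        pos += 1 + body[pos]                              # compression_methods
        if pos + 2 > len(body):
            return None                                   # no extensions at all
        end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            edata = body[pos:pos + elen]
            pos += elen
            if etype != 0x0000:
                continue
            lpos = 2                                      # skip server_name_list length
            while lpos + 3 <= len(edata):
                ntype = edata[lpos]
                nlen = struct.unpack("!H", edata[lpos + 1:lpos + 3])[0]
                lpos += 3
                if ntype == 0:
                    return edata[lpos:lpos + nlen].decode("ascii", "replace")
                lpos += nlen
        return None
    except (IndexError, struct.error):
        return None


# Rule strings as quoted in the thread; the glob form is the one from post #17.
RULES = ["*online-metrix.net*", "src.ebay-us.com/fp/check.js"]


def matching_rule(sni_host: str, rules: List[str]) -> Optional[str]:
    """First rule whose HOST portion matches the SNI. A rule that carries a
    path can only be matched on its host here: the path is inside the
    encrypted request, so without decryption the choice is the whole host
    or nothing."""
    for rule in rules:
        host_part = rule.split("/", 1)[0]
        if fnmatch.fnmatchcase(sni_host.lower(), host_part.lower()):
            return rule
    return None


def decide(record: bytes, rules: List[str]) -> Tuple[str, Optional[str], Optional[str]]:
    """Filter verdict for one ClientHello: ('block'|'allow', host, rule)."""
    host = extract_sni(record)
    if host is None:
        return ("allow", None, None)      # no SNI: nothing to match on without inspection
    rule = matching_rule(host, rules)
    return ("block" if rule else "allow", host, rule)


if __name__ == "__main__":
    for sample in ("fp.online-metrix.net", "src.ebay-us.com", "www.ebay.com"):
        print(sample, "->", decide(build_client_hello(sample), RULES))
```

The `src.ebay-us.com/fp/check.js` case shows the caveat behind Sam's hesitation in #15: matched on SNI alone, that rule blocks every https request to `src.ebay-us.com`, not only `check.js`, which is why a path-specific block on https needs SSL Inspector to behave as written. The `*online-metrix.net*` rule, by contrast, is a pure hostname rule and is fully expressible from the SNI (or, equally, from DNS, which is the pi-hole route mentioned in #17).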

  10. #20
    Untangle Ninja
    Join Date
    Feb 2016
    Posts
    1,134

    Default

    Quote Originally Posted by Armshouse View Post
    The reason I asked if Untangle might be able to flag this kind of thing is because it would be nice to know if it was happening.
    I agree. The task is addressing the problem without breaking things.
