I thought this was going to be about some sneaky exploit where they'd manage to get a gov.uk to forward links to porn or something. But no, it's really a whole subdomain just taken over by some sketchy porn site.
I'm wondering if the porn site operators even know it's happening? Seems the most likely thing is the DfT had a site at that URL, hosted on AWS. And then they shut it down without removing the DNS record and Amazon assigned that IP to somebody else.
The thing where IP 10.20.30.40‡ is in the DNS for thing.mycorp.example and later nobody cares about thing.mycorp.example and they give up control without removing the DNS entry - is why you can't get Let's Encrypt certificates by just running a HTTPS web server and you need either plain HTTP, a custom TLS server (it can also do HTTPS but it needs to know about ACME as well) or else DNS.
Lots of bulk hosts will let you pick (or randomly be assigned) a shared IPv4 address like 10.20.30.40 and then - either by luck or often alphabetical order - your aaardvark.mydomain.example gets to be the "default" host which shouldn't exist for HTTPS but does in many popular half-arsed HTTPS web servers including Apache. So now web clients connect to 10.20.30.40, they send SNI to the bulk host's server - "I'm here to talk to thing.mycorp.example" and it ignores what they said and gives them aaardvark.mydomain.example because that's the "default" now. And if Let's Encrypt accepted that, you could buy some bulk host accounts, impersonate all these abandoned sites and get certificates for them. So, they had to knock that on the head.
The custom TLS server trick works by (ab)using ALPN, lazily made servers like Apache don't ignore ALPN at least unlike SNI, and so the client learns this server wasn't the one with the ALPN it needed to talk to after all and the certificate isn't issued.
‡ 10.20.30.40 isn't a real public address it's just for example purposes here
(as per the other comment, my guess is incorrect. I didn't actually look at the DNS. No porn site operator is going to accidentally pick the s3 bucket name 'charts.dft.gov.uk')
I thought this was going to be about a new government website that all UK porn viewers are required to register with. I feel like I've seen a number of threads about that being imminent.
The site in question is charts.dft.gov.uk (VERY NSFW). It resolves to the CNAME charts.dft.gov.uk.s3-website-eu-west-1.amazonaws.com, which is quite clearly hosting a porn site of some kind.
I suppose there's a few possible explanations here: (1) the original site was hosted on S3, and at some point the bucket was dropped and someone else picked it up, (2) it was originally hosted on S3 and the bucket got hacked, (3) someone with access to the DNS has decided to go rogue and point it at a somewhat-legit-looking but fake domain. If there are historical DNS records floating around it might help to narrow down what happened here.
I don't think it was #3: Amazon owns and resolves it for amazonaws.com. If you could hack that, you could do much more serious damage. I'm assuming it's #1. Bucket names are global.
I followed few links there and it’s not even a porn site, it just a shallow catalogue of {img-ahref -> img-ahref} which tricks you into “/dating.html” which redirects to some “dating” site. Probably just a SEO bs.
Sub-domain takeover attack. The sub-domain was CNAME'ed to a S3 bucket and the S3 bucket had likely been deleted. The porn purveyor, re-created a new S3 bucket with pr0n.
Yes. These are pretty much standard fodder for bugs reported on somewhere like hackerone. I guess someone who knew what he was doing just decided to take advantage of it lol
> This site is hosted on a Raspberry Pi 4B in the author's living room (behind the couch).
Holding up quite well despite HN frontpage. I love what a bit of caching can do.
EDIT: appears I jinxed it. I get the allure of hosting something in your home, but these days when you can get a decent VPS for $10/yr it doesn’t really make sense.
> I get the allure of hosting something in your home, but these days when you can get a decent VPS for $10/yr it doesn’t really make sense
When you're hosting static content (like presumably this content is; it's down so I can't say for sure), you should distribute it on a CDN for $0/year. A single VPS can be overwhelmed by traffic just as your Raspberry Pi can.
> Visit [redacted], and you’ll be redirected to a subdomain for EU exit hauliers - except the site isn’t there. Instead it’s a WordPress login page. There’s no username field and we feel confident that a brute force attack would be super effective!
> Elsewhere we have the Department for Transport careers page, which sort of does what it says. Clicking on the ‘see all vacancies’ button will redirect you to the civil service jobs site. This isn’t weird in itself, what is weird is that it uses t.co - Twitter’s redirection and domain obscuring tool to do it. Don’t ask us why, we have no idea why they would do this.
This sounds like someone inexperienced with the system is somehow managing it. How can you use a t.co link for... this? I'm surprised this edit got past anyone.
EDIT: Redacted the link just to be on the safe side. It's in the article if anyone's curious.
The CNAME of charts.dft.gov.uk.s3-website-eu-west-1.amazonaws.com still works, but the reverse DNS of that IP is simply s3-website-eu-west-1.amazonaws.com: I am not sure how does one gain control of an s3-website subdomain when "abandoned" (bucket name only?), but someone did.
So the scenario someone described below is pretty likely: DoT drops it, and drops AWS use of the name, but leaves the DNS record in. I wouldn't attribute this to anyone in the DoT.
It would still require intentional action to do so, though, so I wonder if anyone has any clue how do people find out about spurious, unused S3 subdomains that still have DNS pointing at them? Scan the entire internet for domains pointing to s3-website, and check AWS API to see if it's available? Or did someone run into this by accident and decided to poke fun at it while earning some cash along the way?
What sometimes happens is someone points a CNAME to a non-existent bucket. Either because they were planning ahead, or someone typo'd a bucket (and thus DNS) name.
There are bots that scan for this. Then someone creates the bucket on S3 and boom, subdomain hijack.
That's not a very fair assessment. The same way as it's difficult to find British dishes better than, say, minced beef and onion pie, it's challenging to find authentically British porn that's better than this govermnent office provides its people. We should commend the Tory government for its dedication.
Both my own site (on a Pi behind the couch) and the gov site were subjected to the hug of death. I've moved thecrow.uk onto a VPS for now and it's back up. Hurray!
Looks like someone forgot to delete a DNS entry after decommissioning a server. Bad on behalf of gov.uk, however you'd think AWS would at least auto-delete the CNAME (charts.dft.gov.uk.s3-website-eu-west-1.amazonaws.com) after the server was released, so that it points to nothing...
I don't know if this is laziness and ineptitude on the govt's part or not. You see the design team for UK gov websites have been getting a lot of attention and praise for their efforts, the most recent being here just ten days ago on the subject of check boxes: https://news.ycombinator.com/item?id=29238968 .
Anyway, it would seem their commenting system will not allow links to be posted to them or they choose to ignore links or didn't understand the comment posted when comments like "https://www.bing.com/search?q=plural+of+carcass" come through to them which is metadata for the type of filtering being employed on their comments section.
I think its worth looking at their design principles which can be seen here https://www.gov.uk/guidance/government-design-principles "#1 Start with user needs Service design starts with identifying user needs. If you don’t know what the user needs are, you won’t build the right thing. Do research, analyse data, talk to users. Don’t make assumptions. Have empathy for users, and remember that what they ask for isn’t always what they need."
It would seem Grant Shapps Secretary of State for Transport is perhaps actually meeting the public's needs or maybe its what he thinks of the public. Are we solitary handy manipulators of parts of the body?
[+] [-] bongoman37|4 years ago|reply
[1]: https://web.archive.org/web/20211125154944/http://charts.dft...
[+] [-] benbristow|4 years ago|reply
[+] [-] notatoad|4 years ago|reply
I thought this was going to be about some sneaky exploit where they'd manage to get a gov.uk to forward links to porn or something. But no, it's really a whole subdomain just taken over by some sketchy porn site.
I'm wondering if the porn site operators even know it's happening? Seems the most likely thing is the DfT had a site at that URL, hosted on AWS. And then they shut it down without removing the DNS record and Amazon assigned that IP to somebody else.
[+] [-] tialaramex|4 years ago|reply
Lots of bulk hosts will let you pick (or randomly be assigned) a shared IPv4 address like 10.20.30.40 and then - either by luck or often alphabetical order - your aaardvark.mydomain.example gets to be the "default" host which shouldn't exist for HTTPS but does in many popular half-arsed HTTPS web servers including Apache. So now web clients connect to 10.20.30.40, they send SNI to the bulk host's server - "I'm here to talk to thing.mycorp.example" and it ignores what they said and gives them aaardvark.mydomain.example because that's the "default" now. And if Let's Encrypt accepted that, you could buy some bulk host accounts, impersonate all these abandoned sites and get certificates for them. So, they had to knock that on the head.
The custom TLS server trick works by (ab)using ALPN, lazily made servers like Apache don't ignore ALPN at least unlike SNI, and so the client learns this server wasn't the one with the ALPN it needed to talk to after all and the certificate isn't issued.
‡ 10.20.30.40 isn't a real public address it's just for example purposes here
[+] [-] notatoad|4 years ago|reply
[+] [-] perl4ever|4 years ago|reply
[+] [-] nneonneo|4 years ago|reply
I suppose there's a few possible explanations here: (1) the original site was hosted on S3, and at some point the bucket was dropped and someone else picked it up, (2) it was originally hosted on S3 and the bucket got hacked, (3) someone with access to the DNS has decided to go rogue and point it at a somewhat-legit-looking but fake domain. If there are historical DNS records floating around it might help to narrow down what happened here.
[+] [-] tgv|4 years ago|reply
[+] [-] wruza|4 years ago|reply
[+] [-] Firefishy|4 years ago|reply
A scanner that would have caught the vulnerability: https://tech.ovoenergy.com/how-we-prevented-subdomain-takeov...
Or a grey hat scanner for finding sub-domains vulnerable to takeover: https://github.com/m4ll0k/takeover
[+] [-] ackbar03|4 years ago|reply
[+] [-] qeternity|4 years ago|reply
Holding up quite well despite HN frontpage. I love what a bit of caching can do.
EDIT: appears I jinxed it. I get the allure of hosting something in your home, but these days when you can get a decent VPS for $10/yr it doesn’t really make sense.
[+] [-] baobabKoodaa|4 years ago|reply
When you're hosting static content (like presumably this content is; it's down so I can't say for sure), you should distribute it on a CDN for $0/year. A single VPS can be overwhelmed by traffic just as your Raspberry Pi can.
[+] [-] Waterluvian|4 years ago|reply
Otherwise, for a well-known average traffic load suitable to a Pi, a Pi is a great idea.
[+] [-] lol768|4 years ago|reply
[+] [-] Sephiroth87|4 years ago|reply
[+] [-] mandis|4 years ago|reply
EDIT: evidently, not far
[+] [-] a012|4 years ago|reply
[+] [-] tazjin|4 years ago|reply
[+] [-] WithinReason|4 years ago|reply
[+] [-] tentacleuno|4 years ago|reply
> Elsewhere we have the Department for Transport careers page, which sort of does what it says. Clicking on the ‘see all vacancies’ button will redirect you to the civil service jobs site. This isn’t weird in itself, what is weird is that it uses t.co - Twitter’s redirection and domain obscuring tool to do it. Don’t ask us why, we have no idea why they would do this.
This sounds like someone inexperienced with the system is somehow managing it. How can you use a t.co link for... this? I'm surprised this edit got past anyone.
EDIT: Redacted the link just to be on the safe side. It's in the article if anyone's curious.
[+] [-] pxeger1|4 years ago|reply
[+] [-] necovek|4 years ago|reply
The CNAME of charts.dft.gov.uk.s3-website-eu-west-1.amazonaws.com still works, but the reverse DNS of that IP is simply s3-website-eu-west-1.amazonaws.com: I am not sure how does one gain control of an s3-website subdomain when "abandoned" (bucket name only?), but someone did.
So the scenario someone described below is pretty likely: DoT drops it, and drops AWS use of the name, but leaves the DNS record in. I wouldn't attribute this to anyone in the DoT.
It would still require intentional action to do so, though, so I wonder if anyone has any clue how do people find out about spurious, unused S3 subdomains that still have DNS pointing at them? Scan the entire internet for domains pointing to s3-website, and check AWS API to see if it's available? Or did someone run into this by accident and decided to poke fun at it while earning some cash along the way?
[+] [-] mh-|4 years ago|reply
There are bots that scan for this. Then someone creates the bucket on S3 and boom, subdomain hijack.
[+] [-] arpa|4 years ago|reply
[+] [-] rbanffy|4 years ago|reply
That's not a very fair assessment. The same way as it's difficult to find British dishes better than, say, minced beef and onion pie, it's challenging to find authentically British porn that's better than this govermnent office provides its people. We should commend the Tory government for its dedication.
[+] [-] ClumsyPilot|4 years ago|reply
That's a concept I have not pondered before.
[+] [-] belval|4 years ago|reply
[+] [-] lima|4 years ago|reply
[+] [-] dddavid|4 years ago|reply
[+] [-] iso1631|4 years ago|reply
[+] [-] BoxOfRain|4 years ago|reply
[+] [-] osrec|4 years ago|reply
[+] [-] Terry_Roll|4 years ago|reply
Now anyone with a rudimentary handle of the English language would probably have noticed the misspelling of carcasses on the blogpost https://designnotes.blog.gov.uk/2021/11/15/letting-users-tic... and Yorwba highlighted this on 17 November 2021 as seen in the comments. The team duly acknowledge this as seen with the updated image here https://designnotes.blog.gov.uk/wp-content/uploads/sites/53/... and the original misspelling can still be seen here https://designnotes.blog.gov.uk/wp-content/uploads/sites/53/...
Anyway, it would seem their commenting system will not allow links to be posted to them or they choose to ignore links or didn't understand the comment posted when comments like "https://www.bing.com/search?q=plural+of+carcass" come through to them which is metadata for the type of filtering being employed on their comments section.
I think its worth looking at their design principles which can be seen here https://www.gov.uk/guidance/government-design-principles "#1 Start with user needs Service design starts with identifying user needs. If you don’t know what the user needs are, you won’t build the right thing. Do research, analyse data, talk to users. Don’t make assumptions. Have empathy for users, and remember that what they ask for isn’t always what they need."
It would seem Grant Shapps Secretary of State for Transport is perhaps actually meeting the public's needs or maybe its what he thinks of the public. Are we solitary handy manipulators of parts of the body?
[+] [-] unknown|4 years ago|reply
[deleted]
[+] [-] globalise83|4 years ago|reply
[+] [-] mlaretallack|4 years ago|reply
'This site is hosted on a Raspberry Pi 4B in the author's living room (behind the couch)'
[+] [-] matbatt38|4 years ago|reply
[+] [-] yannoninator|4 years ago|reply
[+] [-] necovek|4 years ago|reply
[+] [-] max1cc|4 years ago|reply