Domain Name System
Roman, 2016-02-11 18:03:29

The provider resolves google.com to its own IP, yet HTTPS keeps working. Is it safe?

The local provider resolves google.com, youtube.com and, possibly, some other names to IP addresses from its own range, namely 85.114.182.207, 85.114.182.211 and others from that range (provider: aist.net.ru, Tolyatti). For reference, the DNS servers are 81.28.160.1 and 82.28.160.111, but they are most likely only reachable from the internal network.

For youtube.com, the provider's DNS handed out the address 81.28.161.2, and a reverse nslookup of 81.28.161.2 returned this:

$ nslookup 81.28.161.2
Server:		127.0.1.1
Address:	127.0.1.1#53

Non-authoritative answer:
2.161.28.81.in-addr.arpa	name = blocked-sites.aist.net.ru.
...

Which more or less hints that the provider is tinkering with DNS in order to block whatever is on the list of prohibited sites, so its behavior can be explained. By the way, rutracker.org resolves there too, but, unlike youtube and google, we land on a page with information about the ban, whereas traffic to youtube and google passes transparently through the provider.

What confused me most in this situation is that youtube and google have been working over HTTPS for a long time, and only over HTTPS. Even more surprising, clicking the site icon in Firefox shows a green label "Secure connection, verified by Google Inc." (update: the icon is actually not green, i.e. the same as here on Toster, but not the same as, for example, on GitHub).

So, the question is: is it safe? And how is this even possible? If the certificate is verified by Google Inc. (while on entering the site we are knocking on the provider's server, not Google's), does this mean that the certificate is not actually signed by Google and the traffic can be eavesdropped on?

(Having discovered this, I will of course switch DNS to Yandex's 77.88.8.8, but I still want to know about the security of the above. Thank you.)


4 answer(s)
hobbyte, 2016-02-11
@romanshuvalov

For Google: the provider may have a GGC agreement.

Dimonchik, 2016-02-11
@dimonchik2013

https://www.pgpru.com/forum/prakticheskajabezopasn...
no need to worry,
but if you're paranoid, use a VPN

Sergey, 2016-02-11
@edinorog

And everyone has gone wildly paranoid. Bad for you. The provider got hold of a certificate from Google and YouTube. And which provider is it, if that's not a secret?
And how (in your opinion) will changing the DNS server help you in the case of certificates?

Vladimir Dubrovin, 2016-02-11
@z3apa3a

The provider can intercept traffic without redirecting it to its own hosts, i.e. this is no more dangerous than any other way of intercepting traffic. The only difference is that you know for certain that the traffic is being intercepted and listened to. If HTTPS is not broken and you do not have this provider's certificates installed as trusted, then this should not give the provider the ability to decrypt HTTPS traffic.
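A practical way to test the condition stated in the answer above (a chain that verifies against a CA your OS trusts, with the expected hostname in the certificate) against the very address the provider's DNS hands out. This is an added example, not code from the original thread or from the question's author. It connects to a given IP while sending the real hostname as SNI, requires full verification against the system trust store, and reports the issuer; if the provider served a certificate it minted itself, the handshake fails unless the provider's CA is installed locally. The helper functions also run offline against a constructed certificate dict (made-up values in the shape that `ssl.SSLSocket.getpeercert()` returns, not a real Google certificate). The IP 85.114.182.207 is the one from the question; the command-line argument layout is an assumption.

```python
import socket
import ssl
import time

# Constructed sample in the shape getpeercert() returns after a verified
# handshake. Values are made up for the offline test, not a real certificate.
SAMPLE_CERT = {
    "subject": ((("commonName", "*.google.com"),),),
    "issuer": (
        (("countryName", "US"),),
        (("organizationName", "Google Inc"),),
        (("commonName", "Google Internet Authority G2"),),
    ),
    "notAfter": "Dec 31 23:59:59 2030 GMT",
    "subjectAltName": (
        ("DNS", "*.google.com"), ("DNS", "google.com"),
        ("DNS", "*.youtube.com"), ("DNS", "youtube.com"),
    ),
}


def _label_matches(pattern, host):
    """RFC 6125-style match: a leading '*.' covers exactly one DNS label."""
    pattern, host = pattern.lower(), host.lower()
    if pattern.startswith("*."):
        parts = host.split(".", 1)
        return len(parts) == 2 and parts[1] == pattern[2:]
    return pattern == host


def hostname_in_cert(cert, hostname):
    """True if hostname is covered by a DNS subjectAltName entry.
    The CN is deliberately ignored, as modern browsers do."""
    return any(kind == "DNS" and _label_matches(value, hostname)
               for kind, value in cert.get("subjectAltName", ()))


def cert_issuer(cert):
    """Flatten the issuer RDN sequence into a plain dict,
    e.g. {'organizationName': 'Google Inc', ...}."""
    return {k: v for rdn in cert["issuer"] for k, v in rdn}


def cert_expired(cert, now=None):
    """True if the certificate's notAfter lies before `now` (epoch seconds)."""
    now = time.time() if now is None else now
    return now > ssl.cert_time_to_seconds(cert["notAfter"])


def check_tls(hostname, ip, port=443, timeout=5):
    """Connect to `ip` (e.g. the address the provider's DNS returned) while
    sending `hostname` as SNI, and demand chain + hostname verification
    against the system trust store. Raises ssl.SSLCertVerificationError when
    the chain does not lead to a CA the OS trusts, which is exactly the case
    of a provider-minted certificate with no provider CA installed locally."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED and check_hostname=True
    with socket.create_connection((ip, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=hostname) as tls:
            cert = tls.getpeercert()  # only populated after verification
            return {
                "ip": ip,
                "protocol": tls.version(),
                "issuer": cert_issuer(cert),
                "san_ok": hostname_in_cert(cert, hostname),
                "expired": cert_expired(cert),
            }


if __name__ == "__main__":
    import sys
    # Assumed invocation: python check.py google.com 85.114.182.207
    host, addr = sys.argv[1], sys.argv[2]
    try:
        print(check_tls(host, addr))
    except ssl.SSLCertVerificationError as err:
        print("verification FAILED, do not trust this endpoint:", err)
```

Run it once against the provider's IP and once against an address obtained from an outside resolver; if both handshakes verify and both report an issuer chaining to a public CA, the DNS redirection alone does not let the provider read the traffic. A verification failure against the provider's IP, or success only after installing a certificate the provider asked you to trust, is the warning sign the answer describes.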
