Cloudflare is introducing Malware and Adult DNS filters.

[Arika]

33 minutes ago, LAwLz said:

Also, I strongly recommend that you do not read too much of that twitter thread and the replies. It's full off lunatics that believe Cloudflare is doing this to promote nazis and censor LGBTQ people

so, standard twitter?

[Kisai]

11 hours ago, LAwLz said:

Several reasons for it, but here are two.

1) DNS was never meant to provide protection from malware. It's kind of like making a keyboard where you can't type certain words because "they might be dangerous". The default, if you ask me, should be for a DNS to just do its job, which is translating domain names to IP addresses. It shouldn't get in the way and decide which sites I can and can't visit.

2) There is always a risk of false positives. If you switch to the malware free DNS resolver you might run into issues where you can't visit certain sites because your DNS provider THINKS that they are malicious, but they aren't. If that happens to someone slightly less tech literate they will have problems. Just look at the shitstorm the adult filter has caused by blocking some LGBTQ sites (because they talk about things such as sex).

Also, I strongly recommend that you do not read too much of that twitter thread and the replies. It's full off lunatics that believe Cloudflare is doing this to promote nazis and censor LGBTQ people. Because obviously that's the logical explanation and not that those sites are full of keywords related to sex which also happens to be on a lot of porn websites. Nahh, that's totally unreasonable...

 

1) using DNS to filter has never worked, since you can always put filtered things back by editing the hosts file.

2) If this was in fact a "good" list, it should be a whitelist system, not a blacklist system, because the blacklisted malware domains change hourly. Just straight up "here's a list of all the sites that are legit this hour", and leave it at that. If something is blocked, click the "review this address" button and some poor minimum wage guy in India will check it out and hopefully it's not a mirror of goatse.

[Kamina]

This is pretty cool. 

Funny how it blocked the alphabet group.

[captain_to_fire]

So I decided to put 1.1.1.3 (malware & porn blocking resolver) to the test. I disabled my antivirus' real time protection (including web protection) as well as the Google Safe Browsing in Firefox. It does block porn sites but I'm not sure with malware blocking just yet. It wasn't able to block AMTSO's samples . I'm not sure if Cloudflare didn't flagged AMTSO's samples yet. Because personally I haven't tested Cloudflare's new DNS resolver to actual malware hosting sites.

 

I think for PCs and laptops, its best to leave the antivirus and safe browsing feature turned on.

Spoiler

Now that Cloudflare is also selling VPNs, who knows that maybe in a few years Cloudflare might as well sell a router or an antivirus for consumers and businesses.

[leadeater]

12 hours ago, Kisai said:

If this was in fact a "good" list, it should be a whitelist system, not a blacklist system, because the blacklisted malware domains change hourly. Just straight up "here's a list of all the sites that are legit this hour", and leave it at that. If something is blocked, click the "review this address" button and some poor minimum wage guy in India will check it out and hopefully it's not a mirror of goatse.

Whitelists are highly impractical though, they are a nightmare to administer unless the intended purpose is highly restricted internet access. Blacklists aren't perfect but are far less flawed than whitelists are for general purpose.

 

8 minutes ago, captain_to_fire said:

It wasn't able to block AMTSO's samples . I'm not sure if Cloudflare didn't flagged AMTSO's samples yet. Because personally I haven't tested Cloudflare's new DNS resolver to actual malware hosting sites.

I wonder if that is exempt so you can actually get the samples etc.

[leadeater]

On 4/3/2020 at 7:21 PM, LAwLz said:

There is always a risk of false positives. If you switch to the malware free DNS resolver you might run into issues where you can't visit certain sites because your DNS provider THINKS that they are malicious, but they aren't. If that happens to someone slightly less tech literate they will have problems. Just look at the shitstorm the adult filter has caused by blocking some LGBTQ sites (because they talk about things such as sex).

Also, I strongly recommend that you do not read too much of that twitter thread and the replies. It's full off lunatics that believe Cloudflare is doing this to promote nazis and censor LGBTQ people. Because obviously that's the logical explanation and not that those sites are full of keywords related to sex which also happens to be on a lot of porn websites. Nahh, that's totally unreasonable...

Well for the intended purpose it might not be false, depending on the target demographic for the filtering blocking sites that talk about that or is word content heavy of such things it may not at all be a false positive, for the designed purpose. I'm willing to bet Net Nanny etc would block the very same sites, thing is is 1.1.1.3 designed to be like that or not, I haven't actually looked.

 

Point is people can't actually call it a false positive without comparing the result against intent, which I haven't done.

 

Edit:

Update, had a look and yea can see how the problem happened having had to deal with the same thing.

Quote

Choosing the Wrong Feed
So what went wrong? The data providers that we license content from have different categorizations; those categorizations do not line up perfectly between different providers. One of the providers has multiple "Adult Content" categories. One “Adult Content” category includes content that mirrors the Google SafeSearch/CIPA definition. Another “Adult Content” content category includes a broader set of topics, including LGBTQIA+ sites.

 

While we had specifically reviewed the Adult Content category to ensure that it was narrowly tailored to mirror the Google SafeSearch/CIPA definition, when we released the production version this morning we included the wrong “Adult Content” category from the provider in the build. As a result, the first users who tried 1.1.1.3 saw a broader set of sites being filtered than was intended, including LGBTQIA+ content. We immediately worked to fix the issue.

https://blog.cloudflare.com/the-mistake-that-caused-1-1-1-3-to-block-lgbtqia-sites-today/

[captain_to_fire]

24 minutes ago, leadeater said:

Whitelists are highly impractical though, they are a nightmare to administer unless the intended purpose is highly restricted internet access. Blacklists aren't perfect but are far less flawed than whitelists are for general purpose.

As the defacto tech guy of a small business, I agree that managing exceptions in a blacklist is easier than exceptions in whitelist, at least with Gravityzone.

24 minutes ago, leadeater said:

I wonder if that is exempt so you can actually get the samples etc.

I'm not risking downloading actual malware right now on my own PC, much less on our employees' workstations. Perhaps someone can test it on a VM.

Edited April 4, 2020 by captain_to_fire
*at

[leadeater]

On 4/3/2020 at 6:29 PM, Ryan_Vickers said:

That just shifts the question though.  How does that provider make the list?

Typically through public submissions and corrections and that data sharing between vendors.  E.g. https://fortiguard.com/webfilter

 

With our active FortiGuard subscription we can submit corrections as well as configure local override on the firewall while it's reviewed by FortiNet. FortiNet will share the results of the submission with other vendors and list providers if a correction is required.

[leadeater]

6 minutes ago, captain_to_fire said:

I'm not risking downloading actual malware right now on my own PC, much less on our employees' workstations. Perhaps someone can test it on a VM.

No thanks I'll pass too, someone else can stand in front of that cannon.

[mr moose]

23 minutes ago, leadeater said:

No thanks I'll pass too, someone else can stand in front of that cannon.

It's alright, I'll do it, people keep telling me all you need is common sense and not to open emails.  What's the URL?

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

Dear internet, Don't try to educate me, I'm joking at your expense.

[colonel_mortis]

2 hours ago, captain_to_fire said:

So I decided to put 1.1.1.3 (malware & porn blocking resolver) to the test. I disabled my antivirus' real time protection (including web protection) as well as the Google Safe Browsing in Firefox. It does block porn sites but I'm not sure with malware blocking just yet. It wasn't able to block AMTSO's samples . I'm not sure if Cloudflare didn't flagged AMTSO's samples yet. Because personally I haven't tested Cloudflare's new DNS resolver to actual malware hosting sites.

As it's blocking at a DNS level, it can only block entire sites (at a per-domain level), so I think it would just cover phishing sites, sites that just exist to serve malware, and malware C&C servers.

[captain_to_fire]

10 minutes ago, colonel_mortis said:

As it's blocking at a DNS level, it can only block entire sites (at a per-domain level), so I think it would just cover phishing sites, sites that just exist to serve malware, and malware C&C servers.

So I'm guessing this would complement existing endpoint security solutions since malware and porn blocking happen in the DNS resolver which means less human factor interference. It might be useful for IoT and iOS devices where you can't install security agents.

 

It would be interesting to see Cloudflare's percentage detection from the likes of AV-Comparatives, etc.

 

[colonel_mortis]

1 minute ago, captain_to_fire said:

So I'm guessing this would complement existing endpoint security solutions since malware and porn blocking happen in the DNS resolver which means less human factor interference. It might be useful for IoT and iOS devices where you can't install security agents.

 

It would be interesting to see Cloudflare's percentage detection from the likes of AV-Comparatives, etc.

 

Yeah, it is absolutely not a replacement for any existing systems, just an extra layer of safety. The detection rate will be relatively low, but it would protect against the most prevalent malware (out of that which is blockable).

[Kisai]

1 hour ago, colonel_mortis said:

Yeah, it is absolutely not a replacement for any existing systems, just an extra layer of safety. The detection rate will be relatively low, but it would protect against the most prevalent malware (out of that which is blockable).

The only advantage I see here, assumes that the 1.1.1.x DNS actually updates in real time, eg faster than malware/phish sites are detected. 

 

If the goal is to keep kids and employees from visiting pornhub while at school or at work, use a whitelist of acceptable DNS sites, and a ip blacklist on the gateway so that they can't bypass it. Your kids or employees, should be only visiting a few vetted sites. If that means someone needs to beg for access, that means that site has to be vetted for appropriateness.

 

Like most workplaces would love to block youtube outright, but a lot of training materials also end up on youtube because it consumes too much bandwidth on the intranet, but it also BECAUSE it consumes too much bandwidth on the WAN itself. So a necessary evil is allowing users to access youtube in a broad sense.

 

What about facebook? No need to use it at work, lock it down. Twitter? Lock it down. What about Fox News or CNN? Those show videos, better lock them down.

 

You can see where I'm going here. Using filtering to "save money" is bound for failure. Using filtering to try and keep your sheep in the pen, won't work. It should not be about who you're trying to protect, but who you're trying to keep out. 

 

The simple fact is that corporate machines are a security risk, so having access to "everything", even if the CEO is a crybaby about it, is a BAD thing, and unfortunately get a big enough crybaby, and that CEO or other upper-management person is going to self-pwn the company.

 

These data leaks from companies are rarely the result of a malicious hacker trying to get in, it's more likely social engineering. There are staff at the office who turn their chair around when I type in passwords and I'm like "who trained them to do that?"

 

Anyway, what I'm getting at is that there's a lot of "helpfulness" in the browser and OS that will readily leak far more information than any phishing site will.

 

For example, browser's address-auto fill. Browsers payment auto-fill. The browser goes "Oh I see you're trying to buy something, let me fill in the card number and address", mean while that site is copying that data every time a character is changed in the form. Another example is Windows Search. Have you noticed that sometime in the last 3 Windows major updates, search now adds "search from web" results? So what is it sending to the internet?

 

It's crap like that that makes me see Cloudflare as protecting the foxes, not the chickens. If CLOUDFLARE knows who the bad guys are, why isn't Cloudflare blackholing them already considering they protect the vast majority of them themselves?

 

[leadeater]

1 hour ago, Kisai said:

If the goal is to keep kids and employees from visiting pornhub while at school or at work, use a whitelist of acceptable DNS sites, and a ip blacklist on the gateway so that they can't bypass it. Your kids or employees, should be only visiting a few vetted sites

Have you ever maintained a whitelist either for a business, education or even at home? I can pretty much tell you haven't if you think it's actually practical to go down the whitelist path.

 

But I guess implementing a whitelist will guarantee you a job and work to do all day I guess.

 

Edit:

The only whitelist solution I've used, would recommend, is AB Tutor lab control software and the teacher setting allow sites for that class for those PCs only. Never network wide, never persistent.

 

I've been forced to implement whitelist before, said my piece before and not long after got to have the I told you so talk after being requested to remove it.

[leadeater]

1 hour ago, Kisai said:

These data leaks from companies are rarely the result of a malicious hacker trying to get in, it's more likely social engineering. There are staff at the office who turn their chair around when I type in passwords and I'm like "who trained them to do that?"

The most common starting point for social engineering is email either by way of an attachment or URL link, both these will be blocked by DNS filtering so it's effective here. The only downside to Cloudflare doing the blocking is the lack of security alert from the DNS query and/or IP connection, with the latter not being blocked at all by DNS filtering.

 

Much wider scale DNS filtering is likely to result in bad actors no longer using DNS and using IPs but that's actually good for us because that makes it far easier and quicker to close down known vectors. New ones will always come up but old ones won't come back alive again after a DNS change.

 

1 hour ago, Kisai said:

Like most workplaces would love to block youtube outright, but a lot of training materials also end up on youtube because it consumes too much bandwidth on the intranet, but it also BECAUSE it consumes too much bandwidth on the WAN itself. So a necessary evil is allowing users to access youtube in a broad sense.

Blocking websites for bandwidth reasons I haven't seen since probably 2008-2009. Sites like that get block for being time wasters now, not much else. Per user per application/content type traffic shaping has existed for over 10 years now, don't use a hammer to screw in a nail.

 

Edit:

Mind you all these business and education sector considerations are pointless, they already implement their own DNS filtering and I highly doubt Clouflare is targeting this to them at all, and only the smallest of the small businesses would also fit. It is called For Families for a reason.

[RejZoR]

If you want superb filtering you guys need to check NextDNS. It has huge selection of lists like Disconnect, EasyPrivacy, lightswitch05 and many others. It also has user controlled blacklist and whitelist and also bunch of safety features like malware and phishing blocking. One of them is Google's SafeBrowsing, but with a twist. Here, NextDNS does the query so Google doesn't ever get anything from you, not even IP from the communication itself.

[Kisai]

8 hours ago, leadeater said:

Have you ever maintained a whitelist either for a business, education or even at home? I can pretty much tell you haven't if you think it's actually practical to go down the whitelist path.

 

But I guess implementing a whitelist will guarantee you a job and work to do all day I guess.

 

Edit:

The only whitelist solution I've used, would recommend, is AB Tutor lab control software and the teacher setting allow sites for that class for those PCs only. Never network wide, never persistent.

 

I've been forced to implement whitelist before, said my piece before and not long after got to have the I told you so talk after being requested to remove it.

One job I worked at, blocked all *.com sites, but left all *.org sites. That was AT&T Wireless BTW, and oh boy, better not get caught using the internet for anything other than browsing the company/competitors websites or you get a talking-down to.

 

I'm just saying, that if the goal is to prevent family/staff/students from visiting anything other than approved sites, you use a whitelist. If you're teaching students, on school-owned devices, you don't want them goofing off on facebook while the class is in session. The same goes for employees on company time. Clearly the company doesn't see the need to hire responsible people, so they treat them like teenagers.

 

Where I see this Cloudflare DNS being applied more broadly is small business/library guest access, where you don't want your network being used for crime. Other than that, I don't see why anyone would want to even use filtering unless they're setting up machines for complete luddites.

[LAwLz]

10 hours ago, Kisai said:

If the goal is to keep kids and employees from visiting pornhub while at school or at work, use a whitelist of acceptable DNS sites, and a ip blacklist on the gateway so that they can't bypass it. Your kids or employees, should be only visiting a few vetted sites. If that means someone needs to beg for access, that means that site has to be vetted for appropriateness.

Yeah, no... That's a stupid idea.

 

 

10 hours ago, Kisai said:

If the goal is to keep kids and employees from visiting pornhub while at school or at work, use a whitelist of acceptable DNS sites, and a ip blacklist on the gateway so that they can't bypass it. Your kids or employees, should be only visiting a few vetted sites. If that means someone needs to beg for access, that means that site has to be vetted for appropriateness.

IP blacklists is a bad idea for blocking websites. Most large websites run on some kind of CDN so you'll have to block multiple IPs for each site. It's extremely impractical. Not to mention how many sites you would actually need to whitelist. It's not as simple as going "oh I want people to be able to visit Youtube, so I'll whitelist Youtube.com". You would have to whitelist far more sites to just get Youtube working. It's more like 9-10 domains that needs to be whitelisted to get Youtube working. Want your employees to only be able to visit 20 sites? Well congratulations, you now need to add something like 200 domains to your whitelist. Good luck trying to keep that list maintained as well.

 

If you want to block certain websites you do it with domain names, not IPs, and in 99.99% of cases you want to do it with a blacklist, not whitelist.

 

 

10 hours ago, Kisai said:

You can see where I'm going here. Using filtering to "save money" is bound for failure. Using filtering to try and keep your sheep in the pen, won't work. It should not be about who you're trying to protect, but who you're trying to keep out. 

Well it will only fail if you do it the way you suggest, because that's the stupid way to deal with it.

 

 

27 minutes ago, Kisai said:

I'm just saying, that if the goal is to prevent family/staff/students from visiting anything other than approved sites, you use a whitelist.

I really can't think of a situation where you want to do that. It's just so incredibly impractical. I get the feel that you haven't worked with enterprise networks before and don't understand what a monumental undertaking your solution is. There is a reason why next to nobody does it the way you suggest it to be done.

 

 

30 minutes ago, Kisai said:

Where I see this Cloudflare DNS being applied more broadly is small business/library guest access, where you don't want your network being used for crime. Other than that, I don't see why anyone would want to even use filtering unless they're setting up machines for complete luddites.

What are you on about?

You don't see why people would want known malware sites to be blocked? Why would you want them to be accessible is a better question. Also, I think you're misusing the word "luddite".

[2FA]

Good to see they added these to join Quad9 and OpenDNS. I personally like Quad9 since it is a nonprofit.

[Kisai]

47 minutes ago, LAwLz said:

 

What are you on about?

You don't see why people would want known malware sites to be blocked? Why would you want them to be accessible is a better question. Also, I think you're misusing the word "luddite".

Have you seen all the malware hosted on sites protected by cloudflare? Cloudflare protects criminal activity and then ignores requests to do anything about it. This is actively applying the logic that cloudflare knows exactly where the malware and phishing sites are because it's the one hiding them.

 

Its' like Cloudflare going , Nice network you have there, it would be a shame if anything were to happen to it.

[leadeater]

5 hours ago, Kisai said:

I'm just saying, that if the goal is to prevent family/staff/students from visiting anything other than approved sites, you use a whitelist. If you're teaching students, on school-owned devices, you don't want them goofing off on facebook while the class is in session. The same goes for employees on company time. Clearly the company doesn't see the need to hire responsible people, so they treat them like teenagers.

Well considering I have worked in the education IT sector for about 15 years now whitelists do not work in schools. You seem to have a fantasy idea around whitelists, simply no they do not work.

 

How do you actually plan on managing a whitelist? How does one ask for a site to be added if they themselves cannot check it's legitimacy if it's blocked. How are students supposed to do research when every site off a Google search is going to be blocked other than wikipedia.

 

Whitelists kill productivity, whitelist caused staff to complain, whitelists cause staff to leave. I have never seen whitelist achieve anything other than negative impacts with zero benefits, unless you actually need very restricted access which doesn't work in schools. Except as I said when you give teachers direct control over a lab with something like AB Tutor and that only applies to that lab for that single class/period of time.

 

Otherwise all you will do is waste your entire day fielding staff complaints and checking websites and never getting any actual important things done.

[GDRRiley]

11 hours ago, Kisai said:

Have you seen all the malware hosted on sites protected by cloudflare? Cloudflare protects criminal activity and then ignores requests to do anything about it.

I really doubt that it is widespread. while they do have a policy of trying to not censor things, given how often malware and control servers are taken down by ddos campaigns I doubt it is widespread.

[Kisai]

10 hours ago, GDRRiley said:

I really doubt that it is widespread. while they do have a policy of trying to not censor things, given how often malware and control servers are taken down by ddos campaigns I doubt it is widespread.

Yet notorious "don't even bother to DMCA us" sites like YP and 8M still exist.

[LAwLz]

On 4/5/2020 at 12:46 AM, Kisai said:

Have you seen all the malware hosted on sites protected by cloudflare? Cloudflare protects criminal activity and then ignores requests to do anything about it. This is actively applying the logic that cloudflare knows exactly where the malware and phishing sites are because it's the one hiding them.

 

Its' like Cloudflare going , Nice network you have there, it would be a shame if anything were to happen to it.

I don't understand what you mean. Are you trying to insinuate that Cloudflare is blackmailing domains?

"Join our CDN or else we block your site with our DNS"?

 

1) Source on them ignoring requests to do anything about criminal activity? I know a lot of people like to bitch about Cloudflare having customers they do not like (like "bawww alt-right sites use Cloudflare so I can't DDoS them! Cloudflare is so bad!". But I have never heard of them refusing to remove a customer who is knowingly breaking the law.

A lot of sites that host illegal activity are using Cloudflare though, but that's not really Cloudflare's problem in the same way a bank robber driving away in a Golf isn't Volkswagen's problem.

 

2) I can tell that your inexperience and lack of knowledge shines through here. Cloudflare does not know exactly which sites are malware or phishing. Cloudflare has millions upon millions of websites connected to it. There is no way anyone at Cloudflare actually knows which sites are or aren't using their services. They might know couple of high profile sites using it, but there is no way they have the level of knowledge you're implying they do.