Astrum Posted January 2, 2012 Share Posted January 2, 2012 I cannot access careerbuilder.com in any browser from my PC. Ping says Reply from 38.104.182.222: "Destination net unreachable" While in Avast network utilities I can resolve ip for careerbuilder.com (208.88.82.50) and see the trace route. I also tried Tor Browser with the same effect. Any idea how to fix that? Thanks. Weird thing though I can access careerbuilder.com with my iPod via Opera mobile (that I don't understand either, as my ip with Opera mobile looks like I'm somewhere in Scandinavia while I'm in Russia and I did not setup any proxy for Opera), but browsing careerbuilder.com thru iPod is not handy at all. Link to comment Share on other sites More sharing options...
+BudMan MVC Posted January 2, 2012 MVC Share Posted January 2, 2012 Ok you need to understand what 38.104.182.222: "Destination net unreachable" That is telling you that device does not know how to get there. what does your traceroute show? Tracing route to 208.88.82.50 over a maximum of 30 hops 1 <1 ms <1 ms <1 ms pfsense.local.lan [192.168.1.253] 2 12 ms 13 ms 14 ms c-24-xx-xx-x.hsd1.il.comcast.net [24.xxx] 3 12 ms 9 ms 9 ms te-1-2-ur07.mtprospect.il.chicago.comcast.net [68.85.131.149] 4 10 ms 8 ms 9 ms te-1-9-0-3-ar01.elmhurst.il.chicago.comcast.net [68.86.187.213] 5 14 ms 11 ms 9 ms pos-0-1-0-0-ar01.area4.il.chicago.comcast.net [68.87.230.237] 6 14 ms 11 ms 11 ms pos-3-9-0-0-cr01.350ecermak.il.ibone.comcast.net [68.86.90.45] 7 12 ms 10 ms 14 ms pos-1-3-0-0-pe01.350ecermak.il.ibone.comcast.net [68.86.86.158] 8 12 ms 10 ms 11 ms te0-3-0-1.ccr22.ord03.atlas.cogentco.com [154.54.10.253] 9 13 ms 11 ms 14 ms te0-4-0-1.ccr22.ord01.atlas.cogentco.com [154.54.6.209] 10 30 ms 35 ms 33 ms te0-1-0-5.ccr22.atl01.atlas.cogentco.com [154.54.28.74] 11 263 ms 211 ms 203 ms te7-8.ccr01.atl04.atlas.cogentco.com [154.54.6.122] 12 38.104.182.222 reports: Destination net unreachable. I would guess that that IP is down.. But its only one of their IPs, I can get there just fine Flush your dns cache and try again -- you should get a different IP this time ; <<>> DiG 9.8.1-P1 <<>> careerbuilder.com ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 7498 ;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 2, ADDITIONAL: 0 ;; QUESTION SECTION: ;careerbuilder.com. IN A ;; ANSWER SECTION: careerbuilder.com. 528 IN A 208.82.7.50 careerbuilder.com. 528 IN A 208.88.80.50 careerbuilder.com. 528 IN A 208.88.82.50 ;; AUTHORITY SECTION: careerbuilder.com. 86027 IN NS misty.cbjobs.net. careerbuilder.com. 86027 IN NS brock.cbjobs.net. ;; Query time: 30 msec ;; SERVER: 192.168.1.253#53(192.168.1.253) ;; WHEN: Mon Jan 02 09:29:06 2012 ;; MSG SIZE rcvd: 133 edit: Just checked and having problems with icmp to all of those IPs, plus I show www.careerbuilder.com resolves to something else ;; QUESTION SECTION: ;www.careerbuilder.com. IN A ;; ANSWER SECTION: www.careerbuilder.com. 129 IN A 208.88.80.22 And that shows problem as well -- its quite possible just blocking ICMP traffic, which could give you the errors being seen while 80 works just fine.. They have a pretty weird dns setup??? ; <<>> DiG 9.7.3 <<>> @brock.cbjobs.net www.careerbuilder.com ; (1 server found) ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 34868 ;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 2 ;; WARNING: recursion requested but not available ;; QUESTION SECTION: ;www.careerbuilder.com. IN A ;; AUTHORITY SECTION: www.careerbuilder.com. 900 IN NS wasabigtm.careerbuilder.com. www.careerbuilder.com. 900 IN NS qtsgtm.careerbuilder.com. ;; ADDITIONAL SECTION: qtsgtm.careerbuilder.com. 900 IN A 208.82.7.229 wasabigtm.careerbuilder.com. 900 IN A 208.82.6.229 ;; Query time: 60 msec ;; SERVER: 208.82.6.230#53(208.82.6.230) ;; WHEN: Sun Jan 1 08:26:51 2012 ;; MSG SIZE rcvd: 116 So query them direct and get the .22 address ;; QUESTION SECTION: ;www.careerbuilder.com. IN A ;; ANSWER SECTION: www.careerbuilder.com. 600 IN A 208.88.80.22 which dies as well Tracing route to 208.88.80.22 over a maximum of 30 hops 1 <1 ms <1 ms <1 ms pfsense.local.lan [192.168.1.253] 12 64.124.202.82.t00599.above.net [64.124.202.82] reports: Destination net unreachable. Clearly ICMP is being blocked -- but I can access the site just fine. Yeah it sucks with parts of the internet do not follow the RFCs and block icmp that should not be blocked.. Makes troubleshooting that more difficult Link to comment Share on other sites More sharing options...
Astrum Posted January 2, 2012 Author Share Posted January 2, 2012 Thanks BudMan for the elaborated answer! Looks like I cannot do much about it. I wonder why that Opera mobile is so special? Link to comment Share on other sites More sharing options...
+BudMan MVC Posted January 2, 2012 MVC Share Posted January 2, 2012 You should be able to access it -- I can, contact your ISP if you can not.. Its very hard to troubleshoot since somewhere in the path they have decided to not follow the RFCs and respond to icmp, etc.. It makes no sense that your IPOD would access it and your other computers wouldn't unless its on a different network -- sure you not connected to wireless across the street? ;) As to geo Ip location -- they are not always accurate ;) Link to comment Share on other sites More sharing options...
+Warwagon MVC Posted January 2, 2012 MVC Share Posted January 2, 2012 You should be able to access it -- I can, contact your ISP if you can not.. Its very hard to troubleshoot since somewhere in the path they have decided to not follow the RFCs and respond to icmp, etc.. It makes no sense that your IPOD would access it and your other computers wouldn't unless its on a different network -- sure you not connected to wireless across the street? ;) As to geo Ip location -- they are not always accurate ;) Opera Mobile acts like a Proxy connection, sending all of your data to Opera to get compressed and then is sent back to your mobile device. I remember hearing Steve (The sky is falling) Gibson talk about that on security now one time. Link to comment Share on other sites More sharing options...
Astrum Posted January 2, 2012 Author Share Posted January 2, 2012 It makes no sense that your IPOD would access it and your other computers wouldn't unless its on a different network -- sure you not connected to wireless across the street? ;) Safary on Ipod has the same issue, but Opera uses aparently a built-in transparent proxy (as I never set it up), and it works fine. Thanks anyway. My ISP would not know how to spell careerbuilder.com :). Doesn't Opera Mobile act like a Proxy connection, sending all of your data to Opera to get compressed and then is sent back to your mobile device? That's something I'm also trying to understand. I haven't seen any explanation on that yet. What's your source? Link to comment Share on other sites More sharing options...
+Warwagon MVC Posted January 2, 2012 MVC Share Posted January 2, 2012 Safary on Ipod has the same issue, but Opera uses aparently a built-in transparent proxy (as I never set it up), and it works fine. Thanks anyway. My ISP would not know how to spell careerbuilder.com :). That's something I'm also trying to understand. I haven't seen any explanation on that yet. What's your source? Here is Security Now Episode 126 with Steve the sky is falling Gibson (As Budman likes to call him ) talking about Opera Mini and the Proxy Leo: Good, good. Anand K. in Detroit, Michigan discovered something worrisome about Opera's Mini Browser. Mini Me. I use it. He says: I use a Blackberry Curve and dislike the default browser that comes with it, so I downloaded Opera Mini. I have, too. Got it right here on my Curve. Steve: Keep listening, Leo. Leo: Tried to run it. It won't connect to the Internet. So I had to do some debugging what was going on before I could get it to work. In this process I realized that Opera Mini actually talks to a transcoder server, which I assume is like a proxy to get its data. All requests go to this transcoder server. After searching for documentation on this behavior, I found that it's documented on the Opera Help site. Steve: And we've got the URL also in the show notes. Leo: OperaMini.com. In a nutshell, the mandatory use of this transcoder server makes it impossible to provide end-to-end SSL security for client connections. Oh. Steve: Uh-huh. Leo: So all of my cookies, userIDs, passwords, and other sensitive information I had so far assumed was secure going over SSL was actually going through this proxy server and getting decrypted there. Even though it's documented, I'm not convinced a browser should do this. I'm not, either. Hmm. Opera's site explains why they need to do this at the URL I referenced above. But I'm not convinced. They should have left the SSL connection alone, direct, with end-to-end security, and used this optimization for plaintext connections. Secondly, there's no indication given by the software for the user to know clearly that this is what's happening behind the scenes. Is this reasonable in your book? Thoughts on if/how they could have done it differently. Wow. Steve: Well, this is a perfect example of something we have touched on many times in the last two and a half years, and that is the idea of a proxy server that is terminating the SSL connections itself. That is, essentially decrypting connections that you thought were encrypted in order to have access to the nonencrypted data that is inside the SSL tunnel. Now, the reason they're doing this is that this server that the Opera Mini browser connects to is really doing a lot of good work for the user. It is rewriting pages, web pages on the fly, rewriting JavaScript on the fly, essentially turning web pages that were never designed to be seen on a very small screen on a very lightweight and lower powered browser, making them work. And so if they didn't do that, that is, if they did pass SSL through end to end, first of all, your browser, that is, that you're holding in your hand, running on presumably a lower power chip, it would need to be able to do SSL, which is a little compute intensive, although I would argue these days that could be handled easily enough. And they would then no longer be able to perform this filtering which apparently the Opera Mini Browser depends upon. On their security page where they address this, they're not quite as upfront as I wish they were. I mean, Anand K., who's a Security Now! listener, he's obviously astute enough to sort of read between the lines. Leo: I know. I didn't. I didn't know, and I've been using this. Steve: Yeah, you have to read between the lines to get what it is they're doing. Leo: I'm mad. Steve: And, yes, I know, I mean, this is not good for it to be less clear for people. Apparently they're providing some sort of tunnel encryption of their own, not SSL. But that, you know, so your data is protected itself going to them. But then it's completely open. I mean, it's as though you're trusting the Opera Mini server, proxy server. Everything you do, your passwords, your secure login, I mean, literally your username and login that you thought was over SSL... Leo: Unbelievable. Steve: ...is unencrypted. And finally, at the end of this FAQ page, someone asks the hypothetical question, well, what if I don't like that? And their answer is, well, then, you can't use Opera Mini. Go use, you know, the regular Opera non-mini browser, sorry. And so, I mean, I don't really have an opinion one way or the other, although I don't think I'm going to use it. Leo: I just deleted it. I'm kind of stunned. Steve: So that's annoying. And I really thank Anand for the... Leo: Yeah. I would not have known. I'm looking at their website right now. It doesn't say that it's doing that. Steve: No. I mean, again, in their FAQ it says, is there any end-to-end security between my handset and, for example, PayPal.com or my bank? Okay, first word, no. Leo: First word, bye. Steve: If you need full end-to-end encryption, you should use a full web browser such as Opera Mobile. Opera Mini users a transcoder server, as they call it, to translate HTML, CSS, JavaScript into a more compact format. It will also shrink any images to fit the screen of your handset. This translation step makes Opera Mini fast, small, and also very cheap to use. To be able to do this translation the Opera Mini server needs to have access to the unencrypted version of the web page. Therefore, no end-to-end encryption between the client and the remote web server is possible. Leo: You know, I understand why they're doing that. But they really should say - that should be very clear on the front page. Wow. I haven't used it much, so I feel all right. But... Steve: For what it's worth, I mean, they say - another of their made-up questions. Can Opera software, Opera Software Company, see my passwords and credit card numbers in cleartext? What is the encryption good for, then? The answer, the encryption is introduced to protect the communication from any third party between the client, the browser on your handset, and the Opera Mini transcoder server, meaning - so they're talking about the encryption between your handset and Opera's server. If you do not trust Opera software, make sure - and I'll say, and everyone who works for Opera software - make sure you do not use our application to enter any kind of sensitive information. It's like, okay. As you said, Leo, bye bye. Link to comment Share on other sites More sharing options...
Recommended Posts