-2

I have seen many posts here about /etc/hosts, but I don't see them addressing this issue. The issue is:

If a person adds 127.0.0.1 mywebsite.com to their /etc/hosts file and 127.0.0.1 has dangerous social engineering and other malicious content, then when they access mywebsite.com in Chrome, which has the Safe Browsing technology, will it blacklist the domain? If it will, then that would be a serious problem for the actual holder of the website. I don't want to try this. But, any suggestion about this? Also, what if they created a self-signed certificate and trusted it for HTTPS on sites with HSTS? I am not sure if you can create a custom DNS server, because Google Safe Browsing might not want to flag websites inside the /etc/hosts file, and creating a custom DNS server might stop it from excluding the domain. That would be a problem too, right?

And if they can create a custom DNS server, they could host the malicious website on a web hosting provider to make it public and point the poor domain to that IP address, so, even if Google Safe Browsing avoided 127.0.0.1, that would be a problem too.

This is a really serious problem if any of the above works!

schroeder
    This question would be answered by first understanding how Google Safe Browsing populates its list... This is easily looked up: https://safebrowsing.google.com/safebrowsing/report_badware/?hl=en You can't submit a site it can't reach and it investigates the URL and it doesn't blindly trust reports. If that worked, I could report StackExchange and have it blocked for everyone. – schroeder Mar 21 '20 at 17:25

2 Answers

5

When they access mywebsite.com in Chrome, which has the Safe Browsing technology, will it blacklist the domain?

No. Google Safebrowsing and similar technologies don't rely on a single user reporting a problem. They know that no user or a user's setup (which might be infected with malware) can be fully trusted. Note that if you change the IP address for a domain using the hosts file or your own DNS, the change only affects you and not a Google bot visiting the site or some other users.

Note that if the mechanism for blacklisting a site were vulnerable to such easy manipulation, it very likely would already have been used in denial of service attacks, i.e. getting a competitor's site blacklisted so that users can no longer visit it.

Steffen Ullrich
0

I realize that this has an answer that has already been voted up and accepted, but it's still making me crazy. All the discussion about Google Safebrowsing is a red herring.

The whole 127.0.0.1 and /etc/hosts thing makes Google Safebrowsing irrelevant.

First, /etc/hosts is not a DNS in the classic sense, it's just a simple mapping function. Nothing leaves the machine as a DNS query. There is no DNS query involved, which leads to the second point.

127.0.0.1 is an unroutable local self IP. No one else can get to it except that local machine. It's completely isolated and no amount of DNS games will route 127.0.0.1 through the Internet. Google Safebrowsing can't blacklist 127.0.0.1 for a number of reasons, but most importantly because it's already universally blacklisted everywhere because it won't route.

It doesn't matter what someone puts on 127.0.0.1, no one else can get to it, including Google. It doesn't have a DNS so no DNS level blocking is possible. The IP is already universally blocked because it won't route.

user10216038
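
The point made in the answers above, that a hosts-file entry is a local mapping and a loopback target is reachable only from the same machine, as an added example (not code from the original posts): a small auditor that parses hosts-file text and reports what each override points at. The sample content, the names `intranet.example` and `mirror.example`, and the reach labels are assumptions made for illustration.

```python
import ipaddress

# Constructed sample of hosts-file content (not taken from the page).
SAMPLE_HOSTS = """\
# static table lookup for hostnames
127.0.0.1   localhost
::1         localhost ip6-localhost
127.0.0.1   mywebsite.com www.mywebsite.com   # override from the question
10.0.0.5    intranet.example
8.8.8.8     mirror.example
not-an-ip   broken.example
"""

# Names that normally map to loopback and are not worth reporting.
LOCAL_NAMES = {"localhost", "ip6-localhost", "ip6-loopback"}

def parse_hosts(text):
    """Yield (address, [names]) for each usable line of hosts-file text."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        if not line:
            continue
        fields = line.split()
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                             # first field is not an IP address
        if len(fields) > 1:
            yield addr, fields[1:]

def reach(addr):
    """Who can connect to a service listening on this address."""
    if addr.is_loopback:
        return "this-host-only"                  # 127.0.0.0/8 and ::1 never leave the machine
    if addr.is_private or addr.is_link_local:
        return "local-network"
    return "internet"

def audit(text):
    """Return (name, address, reach) for every non-default override."""
    findings = []
    for addr, names in parse_hosts(text):
        for name in names:
            if name.lower() not in LOCAL_NAMES:
                findings.append((name, str(addr), reach(addr)))
    return findings

if __name__ == "__main__":
    for name, addr, where in audit(SAMPLE_HOSTS):
        print(f"{name:20} -> {addr:12} {where}")
```

Whatever the reach label, every entry here changes name resolution only on the machine whose hosts file contains it.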