156 comments

[ 4.5 ms ] story [ 220 ms ] thread
Can someone explain what's going on? Is this a domain hack to get Google's captcha working under an nsa.gov hostname, presumably so that it's usable on whitelist firewalls? I'm surprised Google serves a homepage to the domain, and that it doesn't only respond to requests to google.com (etc.)
Seems to be on purpose, unless someone really misconfigured their Akamai setup. Your purpose sounds viable
Is this more than a reverse proxy to google.com? Seems like the real question is _why_.
>I'm surprised Google serves a homepage to the domain

Google doesn’t, the reverse proxy just rewrites the Host header.

My guess: a custom version of Google that allows NSA analysts to do "Google dorking" - searching for vulnerable hosts with Google - without triggering a captcha. Somebody on twitter mentioned they could not get a captcha with strings that usually reliably cause one.

Maybe this is just a fake front page that calls to the Google search API and pretends to be Google proper. Either it is for agents in the field to inconspicuously use google or they misconfigured it to be public?

Your guess is wrong. This isn't a custom version of google. It's just a regular akamai reverse proxy setup.

> Either it is for agents in the field to inconspicuously use google

By visiting a nsa.gov subdomain served by akamai? Yeah right. I feel like heading to www.google.com would be far less conspicuous.

You can do that? I would expect Google to flag connections to the search page that don't terminate on a residential/commercial IP as suspicious and show you the near "unsolvable" captcha.

At least that is my experience with proxying google services (e.g. silly setup for accessing them from China). Datacenter IPs or SSL "MitM" connections reliably trigger it.

Depends very much on which datacenter you're using. I'd imagine google doesn't get much (any) bot traffic from Akamai, so I'm not surprised that their ranges aren't flagged yet.
But all it takes is a few dozen queries in fast succession and google will start showing a captcha. At least, that is how it seemed to be a few years ago.
I wonder how many people are currently submitting queries via that page...
Akamai rotates their source IPs a lot so you wouldn’t get a captcha very fast.
I'd love to know what the distribution of tries on the "unsolvable" captcha is when served to real people operating in good faith.
Anecdotal, and I'm guessing it's because I was logged in (to my long standing personal Google account) - but I didn't have any issues when I was VPN'd through a Vultr vps of mine when I was in my dorm.

Again I'm guessing it's because I was logged in, from google chrome.

If the NSA rids the web of google captchas, it will have fully deserved its budget and all past mistakes will be forgiven!
I am somewhat baffled. What was that?
(comment deleted)
(comment deleted)
I feel like the valid SSL cert is my biggest issue here.
Why wouldn't it be valid? Its for O=National Security Agency and it has alternate names matching this URL authority.
From this twitter thread: https://twitter.com/mikko/status/1224349151384821762

You can't search traceroute. Weird.

You also can't search alert(1), so probably just a silly WAF.
People on that thread also noticed more keywords and think it might be Akamai WAF. I don't know enough about it be sure.

You can't have some strings in the URL for the main NSA.gov domain as well. So https://nsa.gov/fakething?hey=traceroute will give you the same error.

Yeah it's clear that a system is just blindly grepping the request url for certain keywords and killing the query.
(comment deleted)
So you can't search for `traceroute` or `tracert` directly but you can search for misspelling like `tracerout` and the results page just ends up showing the search results for `traceroute` so it's not exactly a very sophisticated filter.
Well the purpose of the filter is almost certainly to prevent running the command on the server in case of an attack, not to prevent it from being searched on Google. You'd have to spell it correctly to get the server to execute it.
(comment deleted)
Interesting alt names on the SSL certificate:

DNS Name=www.nsa.gov

DNS Name=nsa.gov

DNS Name=apps-test.nsa.gov

DNS Name=stage.nsa.gov

DNS Name=apps.nsa.gov

DNS Name=www2.nsa.gov

DNS Name=captcha.nsa.gov

DNS Name=m.nsa.gov

Even NSA has mobile pages these days!?
(comment deleted)
It looks like it's actually required by law.

https://www.congress.gov/bill/115th-congress/house-bill/2331

>If, on or after the date that is 180 days after the date of the enactment of this section, an agency creates a website that is intended for use by the public or conducts a redesign of an existing legacy website that is intended for use by the public, the agency shall ensure to the greatest extent practicable that the website is mobile friendly.

Looks to be cname forwarding.

> $ dig captcha.nsa.gov

> ;; ANSWER SECTION:

> captcha.nsa.gov. 13246 IN CNAME www.nsa.gov.edgekey.net.

> www.nsa.gov.edgekey.net. 21528 IN CNAME e6655.dscna.akamaiedge.net.

> e6655.dscna.akamaiedge.net. 19 IN A 23.213.xxx.xxx

The IP addreses at the last one all seem to be Akamai IPs. So So that is fronting Google here it seems?

Can anyone just do that to any domain? My website is hosted at GitHub Pages and requires a CNAME file in the repo root as well as the DNS entry at Cloudflare.
Yes, they are not using a CNAME (whereby the original server serves the page, just on a different domain), they appear to be using a reverse proxy.

You can find more info about how that works here: https://en.wikipedia.org/wiki/Reverse_proxy

That makes a lot more sense.
That's copyright and trademark infringement.
That is not a technical limitation but a legal one.
Yes. The NSA is is breaking the law here.
You have no way of knowing that. They could have an agreement with Google to allow this.
Agreed. The copyright holder / trademark owner must be the party that wants to limit distribution, not the government or some unrelated third party.

i.e. if I see you producing fake Coca Cola drinks, I can't sue you for infringing on The Coca Cola Company's trademark. They would have to sue you. Same applies for the government.

And of course, if NSA does have an agreement with Google to reverse proxy https://google.com/, them doing exactly that would be perfectly legal. I presume they have SOME sort of agreement, and aren't just doing this behind Google's back, as the website is on HN's first page in the first 5 places for an hour already, and Google hasn't banned access.

Try getting even 50 Google queries with a reverse proxy, and you will see what I mean -- they will show you a progressively more difficult ReCAPTCHA until a certain treshold, after which the CAPTCHA is unsolvable and is there only to waste your time. This hasn't happened to HN readers [yet].

Meanwhile I presume they misconfigured a service meant for doing captcha checks using Google. What's more likely? Why are you so aggressively.. eh.. okay, not going to write that.
They most certainly have an agreement with Google here.
Why?
Because some people on HN voted so, I suppose? So much aggressive and frankly stupid presumption here. But, the vote wins!

I just don't understand people here.

Obviously it's perfectly natural for a trillion dollar company to allow a government agency to use their brand on their government domain - without any notice it all. Especially a government agency that is tasked with surveillance. Yeah, there's really no problem with that.

It's that, or someone messed up setting up a captcha service for some public NSA service. What would be more likely?

Yeah, I get strong chemtrail vibes from many of the comments here.
Why did HN turn so stupid, all of a sudden? It used to be relatively smart.
Eternal September. Astroturfing. Both are against the roolz to discuss. Take your pick.
...
I don’t think it’s unreasonable to point out that lots of the speculation here about NSA hosting phishing pages or secret captcha-free google for analysts under nsa.gov falls firmly into the chemtrail category of crazy conspiracy theories.

Just like with “chemtrails” there exists a very reasonable explanation for what happened here, but people are choosing to ignore that in order to push weird conspiracy theories.

you can do it to any domain that isn't checking the hostname header. Most sites check that the hostname header matches the sites actual domain (like is specified in the CNAME file on github pages)

that's definitely not what's happening here though, most obviously because it has an SSL certificate. If it were just being CNAMEd over to google, the SSL would be invalid. NSA has to be catching the request to terminate the SSL, and then proxying it back to google.

Pretty sure Akamai does not front Google, they are more than large (and competent) enough to do that themselves.
(comment deleted)
My first instinct is that this is some kind of puzzle. It'd be pretty disappointing if this was just a misconfiguration or oversight.
That's actually a really viable theory, especially given the "can't search for traceroute" thing - that spits out what seems to be a time-based error string.
It’s not, that’s just standard akamai WAF behaviour.

E: sorry, HN is throttling me and I can’t reply below. This is just a silly web application firewall that blocks a list of “suspicious strings”. There’s not much else to be said about it.

Can you explain in more detail? captcha.nsa.goving for more information didn't return anything.
(I've turned off the throttling since your recent comments look to have been fine. Please don't do flamebait/flamewar in the future!)
(comment deleted)
Nothing especially interesting happening here, someone just pointed captcha.nsa.gov at google.com in their akamai config.

Perhaps they’re just using google.com like example.com, or they’re trying to serve recaptcha under nsa.gov.

That doesn’t explain the fact that you can’t search for traceroute.
It does though, Akamai WAF.
Okay. That seems pretty logical.
They could be doing something else on their internal network and this is just fallback for when their apps are outside the network.
I've seen this on Twitter all day. My guess is that they wanted recaptcha, but serving the resources themselves. The easiest route was probably to reverse proxy google.com, which is what recaptcha is hosted on:

https://developers.google.com/recaptcha/docs/v3#frontend_int...

Could this backfire in any way and create some sort of exploit on nsa.gov? What if someone happened to somehow have access to google.com?
Why Brazil?
Because Googles geoip DB thinks Akamai IPs like "23.59.250.119 " are in Brazil.
Ah that makes perfect sense, Brazil confused me for a minute there.
Why is everyone talking about a captcha? All I get is a google search page (no recaptchas).
Because google recaptcha is served from that domain (www.google.com).
Examine the URL, especially the subdomain
I'm guessing that the NSA website uses recaptcha, which is served by Google. Perhaps in order to comply with strict origin policy, they want everything on nsa.gov to be served from their domain. They seem to have a reverse proxy that proxies requests to google.com.

That's one plausible explanation, but in any case, even if my explanation is wrong, I doubt the explanation is interesting.

If that's the case, they are being sloppy, considering that everything under www.google.com is proxied through their servers, not just specific reCAPTCHA assets.

Gmail by NSA: https://captcha.nsa.gov/intl/us/gmail/about/

They're inheriting a considerable part of Google's attack surface. For example, Google's open redirects could be used to bypass origin checks as part of an attack on nsa.gov, or to phish NSA employees.

For me (in Sweden) that URL seems to just redirect to https://www.nsa.gov/?hl=en ...
They appear to have change something in the past few minutes. When I first opened this HN thread it showed me Google's homepage. Now I'm also seeing that redirect.
NSA has just shut down the proxy. The link was a Google Doodles game.
Somebody possibly got a written up for this.
NBD... Just a quick test in PROD.... ಠ_ಠ
"No no, we just put it out to 'the public', that's BETA, not PROD..." -- some startup guy at the NSA...
Why is it in Portuguese?
What's odd is that it came up in English at first, but now it's Portuguese for me. Another comment here mentioned it's the Brazilian version of Google's search page.
depends on where the traffic exits the Akamai network... they are likely using it to proxy Recaptcha, so they likely said "we don't care where it exits" and Akamai picks whatever is most convenient for them... in that case, Brazil.
It depends on the IP of the Akamai server that's hitting it. If you search "what is my ip" you'll see it.
This looks really really dumb. I wonder if you can get personal sites to display through nsa.gov somehow through this.
it's all a ploy to finger HN users. imagine how many uniques they'll harvest!
Yeah, no way I'm clicking that link. I'll let others do that and read the reports here.
Among other things, it's weird that it shows up with a different GeoIP triangulation for different users. Someone commented here about seeing this in Portuguese. I'm seeing this in Japanese. Does anyone what's going on?

EDIT: And now it's showing up in English.

I believe this has to do with which Akamai server ends up handling the page request.