Can someone explain what's going on? Is this a domain hack to get Google's captcha working under an nsa.gov hostname, presumably so that it's usable on whitelist firewalls? I'm surprised Google serves a homepage to the domain, and that it doesn't only respond to requests to google.com (etc.)
My guess: a custom version of Google that allows NSA analysts to do "Google dorking" - searching for vulnerable hosts with Google - without triggering a captcha. Somebody on twitter mentioned they could not get a captcha with strings that usually reliably cause one.
Maybe this is just a fake front page that calls to the Google search API and pretends to be Google proper. Either it is for agents in the field to inconspicuously use google or they misconfigured it to be public?
You can do that? I would expect Google to flag connections to the search page that don't terminate on a residential/commercial IP as suspicious and show you the near "unsolvable" captcha.
At least that is my experience with proxying google services (e.g. silly setup for accessing them from China). Datacenter IPs or SSL "MitM" connections reliably trigger it.
Depends very much on which datacenter you're using. I'd imagine google doesn't get much (any) bot traffic from Akamai, so I'm not surprised that their ranges aren't flagged yet.
But all it takes is a few dozen queries in fast succession and google will start showing a captcha. At least, that is how it seemed to be a few years ago.
Anecdotal, and I'm guessing it's because I was logged in (to my long standing personal Google account) - but I didn't have any issues when I was VPN'd through a Vultr vps of mine when I was in my dorm.
Again I'm guessing it's because I was logged in, from google chrome.
So you can't search for `traceroute` or `tracert` directly but you can search for misspelling like `tracerout` and the results page just ends up showing the search results for `traceroute` so it's not exactly a very sophisticated filter.
Well the purpose of the filter is almost certainly to prevent running the command on the server in case of an attack, not to prevent it from being searched on Google. You'd have to spell it correctly to get the server to execute it.
>If, on or after the date that is 180 days after the date of the enactment of this section, an agency creates a website that is intended for use by the public or conducts a redesign of an existing legacy website that is intended for use by the public, the agency shall ensure to the greatest extent practicable that the website is mobile friendly.
Can anyone just do that to any domain? My website is hosted at GitHub Pages and requires a CNAME file in the repo root as well as the DNS entry at Cloudflare.
Agreed. The copyright holder / trademark owner must be the party that wants to limit distribution, not the government or some unrelated third party.
i.e. if I see you producing fake Coca Cola drinks, I can't sue you for infringing on The Coca Cola Company's trademark. They would have to sue you. Same applies for the government.
And of course, if NSA does have an agreement with Google to reverse proxy https://google.com/, them doing exactly that would be perfectly legal. I presume they have SOME sort of agreement, and aren't just doing this behind Google's back, as the website is on HN's first page in the first 5 places for an hour already, and Google hasn't banned access.
Try getting even 50 Google queries with a reverse proxy, and you will see what I mean -- they will show you a progressively more difficult ReCAPTCHA until a certain treshold, after which the CAPTCHA is unsolvable and is there only to waste your time. This hasn't happened to HN readers [yet].
Meanwhile I presume they misconfigured a service meant for doing captcha checks using Google. What's more likely? Why are you so aggressively.. eh.. okay, not going to write that.
Because some people on HN voted so, I suppose? So much aggressive and frankly stupid presumption here. But, the vote wins!
I just don't understand people here.
Obviously it's perfectly natural for a trillion dollar company to allow a government agency to use their brand on their government domain - without any notice it all. Especially a government agency that is tasked with surveillance. Yeah, there's really no problem with that.
It's that, or someone messed up setting up a captcha service for some public NSA service. What would be more likely?
I don’t think it’s unreasonable to point out that lots of the speculation here about NSA hosting phishing pages or secret captcha-free google for analysts under nsa.gov falls firmly into the chemtrail category of crazy conspiracy theories.
Just like with “chemtrails” there exists a very reasonable explanation for what happened here, but people are choosing to ignore that in order to push weird conspiracy theories.
you can do it to any domain that isn't checking the hostname header. Most sites check that the hostname header matches the sites actual domain (like is specified in the CNAME file on github pages)
that's definitely not what's happening here though, most obviously because it has an SSL certificate. If it were just being CNAMEd over to google, the SSL would be invalid. NSA has to be catching the request to terminate the SSL, and then proxying it back to google.
That's actually a really viable theory, especially given the "can't search for traceroute" thing - that spits out what seems to be a time-based error string.
It’s not, that’s just standard akamai WAF behaviour.
E: sorry, HN is throttling me and I can’t reply below. This is just a silly web application firewall that blocks a list of “suspicious strings”. There’s not much else to be said about it.
I've seen this on Twitter all day. My guess is that they wanted recaptcha, but serving the resources themselves. The easiest route was probably to reverse proxy google.com, which is what recaptcha is hosted on:
How has no one used this for ads yet? You could make any third party site appear as a first party site. As blockers usually aren’t set up to block first party ads.
I'm guessing that the NSA website uses recaptcha, which is served by Google. Perhaps in order to comply with strict origin policy, they want everything on nsa.gov to be served from their domain. They seem to have a reverse proxy that proxies requests to google.com.
That's one plausible explanation, but in any case, even if my explanation is wrong, I doubt the explanation is interesting.
If that's the case, they are being sloppy, considering that everything under www.google.com is proxied through their servers, not just specific reCAPTCHA assets.
They're inheriting a considerable part of Google's attack surface. For example, Google's open redirects could be used to bypass origin checks as part of an attack on nsa.gov, or to phish NSA employees.
They appear to have change something in the past few minutes. When I first opened this HN thread it showed me Google's homepage. Now I'm also seeing that redirect.
What's odd is that it came up in English at first, but now it's Portuguese for me. Another comment here mentioned it's the Brazilian version of Google's search page.
depends on where the traffic exits the Akamai network... they are likely using it to proxy Recaptcha, so they likely said "we don't care where it exits" and Akamai picks whatever is most convenient for them... in that case, Brazil.
This isn't particularly new, sure it's interesting though, as others have mentioned it's akamai with google as the endpoint, I'd be surprised if Google wasn't aware and allowing this. The localization defaulting to Brasil is interesting to me, you can force english just like google though[0]
Among other things, it's weird that it shows up with a different GeoIP triangulation for different users. Someone commented here about seeing this in Portuguese. I'm seeing this in Japanese. Does anyone what's going on?
156 comments
[ 4.5 ms ] story [ 220 ms ] threadGoogle doesn’t, the reverse proxy just rewrites the Host header.
Maybe this is just a fake front page that calls to the Google search API and pretends to be Google proper. Either it is for agents in the field to inconspicuously use google or they misconfigured it to be public?
> Either it is for agents in the field to inconspicuously use google
By visiting a nsa.gov subdomain served by akamai? Yeah right. I feel like heading to www.google.com would be far less conspicuous.
At least that is my experience with proxying google services (e.g. silly setup for accessing them from China). Datacenter IPs or SSL "MitM" connections reliably trigger it.
Again I'm guessing it's because I was logged in, from google chrome.
This is working far faster now than when first posted.
You can't search traceroute. Weird.
You can't have some strings in the URL for the main NSA.gov domain as well. So https://nsa.gov/fakething?hey=traceroute will give you the same error.
DNS Name=www.nsa.gov
DNS Name=nsa.gov
DNS Name=apps-test.nsa.gov
DNS Name=stage.nsa.gov
DNS Name=apps.nsa.gov
DNS Name=www2.nsa.gov
DNS Name=captcha.nsa.gov
DNS Name=m.nsa.gov
https://www.congress.gov/bill/115th-congress/house-bill/2331
>If, on or after the date that is 180 days after the date of the enactment of this section, an agency creates a website that is intended for use by the public or conducts a redesign of an existing legacy website that is intended for use by the public, the agency shall ensure to the greatest extent practicable that the website is mobile friendly.
> $ dig captcha.nsa.gov
> ;; ANSWER SECTION:
> captcha.nsa.gov. 13246 IN CNAME www.nsa.gov.edgekey.net.
> www.nsa.gov.edgekey.net. 21528 IN CNAME e6655.dscna.akamaiedge.net.
> e6655.dscna.akamaiedge.net. 19 IN A 23.213.xxx.xxx
The IP addreses at the last one all seem to be Akamai IPs. So So that is fronting Google here it seems?
You can find more info about how that works here: https://en.wikipedia.org/wiki/Reverse_proxy
i.e. if I see you producing fake Coca Cola drinks, I can't sue you for infringing on The Coca Cola Company's trademark. They would have to sue you. Same applies for the government.
And of course, if NSA does have an agreement with Google to reverse proxy https://google.com/, them doing exactly that would be perfectly legal. I presume they have SOME sort of agreement, and aren't just doing this behind Google's back, as the website is on HN's first page in the first 5 places for an hour already, and Google hasn't banned access.
Try getting even 50 Google queries with a reverse proxy, and you will see what I mean -- they will show you a progressively more difficult ReCAPTCHA until a certain treshold, after which the CAPTCHA is unsolvable and is there only to waste your time. This hasn't happened to HN readers [yet].
I just don't understand people here.
Obviously it's perfectly natural for a trillion dollar company to allow a government agency to use their brand on their government domain - without any notice it all. Especially a government agency that is tasked with surveillance. Yeah, there's really no problem with that.
It's that, or someone messed up setting up a captcha service for some public NSA service. What would be more likely?
Just like with “chemtrails” there exists a very reasonable explanation for what happened here, but people are choosing to ignore that in order to push weird conspiracy theories.
that's definitely not what's happening here though, most obviously because it has an SSL certificate. If it were just being CNAMEd over to google, the SSL would be invalid. NSA has to be catching the request to terminate the SSL, and then proxying it back to google.
E: sorry, HN is throttling me and I can’t reply below. This is just a silly web application firewall that blocks a list of “suspicious strings”. There’s not much else to be said about it.
Perhaps they’re just using google.com like example.com, or they’re trying to serve recaptcha under nsa.gov.
https://developers.google.com/recaptcha/docs/v3#frontend_int...
Kind of related post: https://news.ycombinator.com/item?id=21582698
That's one plausible explanation, but in any case, even if my explanation is wrong, I doubt the explanation is interesting.
Gmail by NSA: https://captcha.nsa.gov/intl/us/gmail/about/
They're inheriting a considerable part of Google's attack surface. For example, Google's open redirects could be used to bypass origin checks as part of an attack on nsa.gov, or to phish NSA employees.
Here's a crawl from 2018[1]
[0]-http://captcha.nsa.gov/?hl=en [1]-https://web.archive.org/web/20181206224407/http://captcha.ns...
EDIT: And now it's showing up in English.
I am curious to see if it is blocked.
https://www.comparitech.com/privacy-security-tools/blockedin...