67 comments

[ 3.0 ms ] story [ 134 ms ] thread
I would to know how much traffic this website receives
I also want to know how many secrets just flow in
(comment deleted)
For a while my Amazon Alexa gadget was hitting three domains several times an hour, example.com/net/org. I looked with tcpdump and verified it was following every lookup with an HTTP get.

I only left the Alexa on for a week while I was recovering from eye surgery, but it made those the top three most frequently queried domains for that whole month on my pi-hole charts.

Presumably it was some connectivity test, but all three of those domains were hosted at the same IP at the time. Which would defeat the point of using three domains, if the goal was to reduce the possibility of one outage causing a false negative on the test.

I forgot I had it installed on my phone, but clicking the link opened, to my surprise, the Simply Piano app. Why you'd associate your app with that domain for legitimate purposes is a bit of a mystery to me.
(comment deleted)
This shouldn't be possible on Android. Google requires apps capturing http/s deeplinks verify ownership of the URI.[1] They can accept any other schema declared in their manifest otherwise. Example code would seem most plausible, but I can't see how it would work.

[1] https://developer.android.com/training/app-links/verify-site...

Twitter deeplinks open the third-party Twitter client I have installed (Fenix) on Android for me.
Good on whomever for making it a public service rather than a crap site filled with ads.
The advantage of example.com is that its still served over HTTP, which is very helpful if you are trying to force a redirect for wifi login or 'out of quota' on a phone plan.
Let me introduce you to neverssl.com!
The difference being, example.com is run by IANA [0] and guaranteed by them, whereas neverssl is just a kind-hearted soul, and may one day resolve to something else.

[0] https://www.iana.org/domains/reserved

That page says that example.com is registered by IANA. It makes no promises about it being plaintext HTTP only or even that HTTP service is available.
Yeah, but neverssl.com could expire and start serving porn (or whatever), but we can be pretty sure example.com won't.
Only somewhat.

> 2. Application software SHOULD NOT recognize example names as special and SHOULD use example names as they would other domain names.

> 3. Name resolution APIs and libraries SHOULD NOT recognize example names as special and SHOULD NOT treat them differently. Name resolution APIs SHOULD send queries for example names to their configured caching DNS server(s).

> 6. DNS server operators SHOULD be aware that example names are reserved for use in documentation.

You are guaranteed to be able to try and resolve the domain, which should generally be enough for the crappy man-in-the-middle systems to work.

However, example.com should never suddenly start serving you a cryptominer, etc. Which is the larger concern.

> You are guaranteed to be able to try and resolve the domain, which should generally be enough for the crappy man-in-the-middle systems to work.

I have never seen any captive portal work at DNS level though (and that by itself sounds problematic). They works at HTTP level. So if one day example.com start using HSTS then it will also be a problem, in addition to nowadays browser defaulting to HTTPS so you have to type http://example.com yourself.

neverssl.com guarantees all of that, at least as long as it's there.

> neverssl.com guarantees all of that, at least as long as it's there.

It didn't work for me when I tried to use it in the airport (DCA). I tried to get to the captive portal through Firefox and Vivaldi. It took a couple restart of my browser to managed to get to the captive portal. It is not guaranteed that it will work as in my case.

Some of the captive portals I've run into do work at the DNS level, possibly tied to some other firewalling to prevent traffic leakage, I can't remember.

Those were pretty problematic, for all the reasons you're thinking... Better to use a hostname you're not hoping to actually use.

The other difference being that neverssl.com does a bit more as it immediately redirects you to a unique subdomain, ensuring that any caching that your browser is trying is subverted.

Sure, it might go away one day. Until it does, it’s the best solution to this problem.

I’ve had WiFi captive portals that somehow don’t redirect neverssl.com but do for other http/80 domains. Truly bewildering - I don’t understand how it could happen by mistake, nor why anyone would do that on purpose.
There are a number of those. I use

http://detectportal.firefox.com/

http://captive.apple.com was my go to just because I'd see it flash in the url bar before redirecting when connecting to airplane wifi. I like the subdomain, it's an apt description of the state your in before passing through the login/payment flow for these kinds of networks.
Chrome's equivalent is http://www.gstatic.com/generate_204 for those curious, and plenty of other browsers have their own.

Neat tools as until I learned of the existence of these ssl-less sites to prompt captive portals I use to try to connect to various sites until it showed up.

Why is it that popular browsers do not allow users to manually disable the behaviour that necessitates this apparently common workaround.^1 Is this another example of "tech" company paternalism.

1. Examples

https://security.stackexchange.com/questions/149852/how-legi...

https://zapier.com/blog/open-wifi-login-page/

http://www.my80211.com/home/2012/7/23/web-auth-redirect-does...

> Why is it that popular browsers do not allow users to manually disable the behaviour that necessitates this workaround.

Probably the number of people that care about overriding this behavior could be counted on one hand.

> Is this another example of "tech" company paternalism.

No.

I wonder how they managed to get a horizontal scrollbar.

Edit: its a chrome extenstion I use.

I don't get a horizontal scrollbar unless I resize the viewport to <159px wide.
IANA also reserves TLDs like '.test' and '.example' as well as some IDN equivalents.

https://www.rfc-editor.org/rfc/rfc2606.html

https://www.iana.org/domains/reserved

There are also documentation and example IP prefixes! 192.0.2.0/24 and 2001:db8::/32.
And .local, right?
Actually, no. According to RFC 2606 - Reserved Top Level DNS Names, the following four domain names are reserved:

  .test
  .example
  .invalid
  .localhost

    $ dig example.com. mx +short
    0 .
It has an interesting MX record. I wonder what this does? Specifically, what should a mail agent do when the MX record points to "." ?
This is a great reminder that when working with test data for stuff like email delivery, always use example.com (or a few other similar TLDs) and not stuff like "test.com" or "acme.com" or "dummyuser.com". I see this all the time by devs and they don't understand the risk and why example.com was put into the standards.
I have a .com domain with 'test' in the name. I was mildly DNS spammed because Microsoft admins would create that thing with test in the name. I'd get 10-20 DNS packets a day. I moved it to an external DNS provider just to give my logs a break.
20 packets a day? Phew! So you barely survived the DDoS!
Maybe they’re running their DNS server on a solar-powered Arduino.
Well, you also have to run the Kubernetes cluster, ELK stack, Postgres, Redis, Kafka, Prometheus, Grafana and Jaeger to monitor the application and scale elastically between 0 and 20 packets.
At least you’re not a sysadmin for Contoso, those folks must have their hands full.
I always use `myco.example` for testing requests and emails, as well as documentation. https://en.wikipedia.org/wiki/.example

It'll never resolve to anything, and makes it really obvious the code is for testing or sample code.

No guarantee an .example TLD won't be created
The first line of the linked Wikipedia page states that it will never be created.
Never heard of the .example TLD, so thanks for that. However, an issue I see with it is that it doesn’t look like a domain name. Things that end in ‘.com’ are synonymous with domain names, regardless of how accurate that assumption really is. I think people are just starting to get familiar with these new alternative TLD names, but I can easily see business people not understanding ‘myco.example’, while they would understand ’example.com’.
Exactly this. People heavily underestimate how many domain names are registered.

There is a huge chance that you hit a mailbox when you make up an email address.

Yep, even if you use a "random" email address like j4i58tujq45uh@foobar.com, they may very well have a "catch all" email account that will receive that mail.
I have an integration test domain. It's just another domain, so far as my systems are concerned, but it's another domain I own and sign up as a customer for all my services. Rather: I sign it up as a customer on my staging instance, which is a real, public facing instance, that gets no advertising.

It's a real domain with functioning... whatever I need to test. Email, DNS, Identity servers, etc.

(comment deleted)
The web logs on example.com must be a treasure trove of interesting traffic, and also a security risk in some ways, depending on who has been testing with it.