HOSTS File Risks

There are several sites on the Internet which offer Windows HOSTS files for download, together with installation instructions. The HOSTS file is consulted by the operating system's resolver before it asks any DNS server, so an entry in it silently overrides DNS for that name. The files offered for download map a long list of ad and spyware servers to the loopback address 127.0.0.1, a black hole, meaning that your browser can never contact those machines.

This is all fine in theory, but how long would it take someone to notice if one of those popular files (and some of them are very large) had the following lines buried somewhere in the middle, either deliberately or because the site had been hacked?

87.65.43.21 www.paypal.com
87.65.43.21 www.bankofamerica.com
87.65.43.21 www.ebay.com
...

Phish City: every visit to those sites would go to whatever server lives at 87.65.43.21, with the genuine name still showing in the address bar. I suggest that, however much you may not like advertising, encouraging people to download and install HOSTS files from the net is rather irresponsible.
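
One practical defence, raised in the comments below, is that an ad-blocking HOSTS file should map every name to a black-hole address, so a line pointing a bank's hostname anywhere else stands out. The script that follows is an added example and not part of the original post: it parses a HOSTS file the way the resolver reads it (comments stripped, malformed lines ignored) and lists every mapping whose target is not a loopback or unspecified address. The sample HOSTS text and the example.* hostnames are constructed for this example; the 87.65.43.21 lines are the ones from the post. The intranet.example line shows that a legitimate local mapping is flagged too, so the output is a list to review rather than a verdict.

```python
"""Audit a Windows HOSTS file for mappings that are not black-holed.

Added example, not code from the original post. The sample HOSTS text and
the example.* hostnames are constructed; the 87.65.43.21 lines are the
post's own.
"""
import ipaddress
from typing import List, Tuple

# Targets an ad-blocking HOSTS file legitimately uses: loopback and the
# unspecified address, in IPv4 and IPv6 form. Addresses are compared after
# normalisation, so "0:0:0:0:0:0:0:1" matches "::1".
BLACKHOLE_ADDRS = {"127.0.0.1", "0.0.0.0", "::1", "::"}

# Constructed sample: an ad-blocking file with the post's phishing lines
# buried in the middle, plus one legitimate LAN entry.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       ads.example.com
127.0.0.1       tracker.example.net   # spyware beacon
87.65.43.21     www.paypal.com
87.65.43.21     www.bankofamerica.com
87.65.43.21     www.ebay.com
0.0.0.0         banner.example.org
10.0.0.5        intranet.example
"""

Entry = Tuple[int, str, List[str]]  # (line number, address, hostnames)


def parse_hosts(text: str) -> List[Entry]:
    """Return one (line_no, address, [names]) tuple per mapping line.

    Anything after '#' is a comment; blank lines and lines whose first
    field is not an IP address are skipped, as the resolver skips them.
    """
    entries: List[Entry] = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue
        try:
            addr = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            continue
        entries.append((line_no, addr, fields[1:]))
    return entries


def suspicious_entries(text: str, allowed=BLACKHOLE_ADDRS) -> List[Entry]:
    """Every mapping whose target is a real, reachable address.

    In a pure ad-blocking file this list should be empty; anything in it
    needs a human to decide whether it is a deliberate local mapping or a
    hijack of a site you care about.
    """
    return [e for e in parse_hosts(text) if e[1] not in allowed]


if __name__ == "__main__":
    for line_no, addr, names in suspicious_entries(SAMPLE_HOSTS):
        print(f"line {line_no}: {addr} -> {', '.join(names)}")
```

To check a downloaded file before installing it, pass its contents to `suspicious_entries` instead of `SAMPLE_HOSTS`; on Windows the live file is `C:\Windows\System32\drivers\etc\hosts`. On the sample above the script reports lines 5, 6, 7 and 9: the three phishing entries and the LAN entry.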

15 thoughts on “HOSTS File Risks”

  1. As with any software download you have to trust whomever provides it. I can’t know whether firefox doesn’t divert some domains to somewhere else, I’ve got to trust it. Same with hosts files. On the other hand, hosts files are easier to check manually than full-blown programs.

  2. It wouldn’t take long at all since those large hosts files list the IP of all sites as 127.0.0.1, anything other than that would stand out quite clearly. Anyone using one of these files without actually LOOKING at it deserves what they get.

  3. “Anyone using one of these files without actually LOOKING at it deserves what they get.” Well that would go for all things people install without informing themselves first. In this regard I agree with Gerv but would formulate it a bit differently: Don’t install or run anything if you’re computer-illiterate. First get a clue or ask someone with a clue. Getting a clue or finding someone with a clue is still a big enough problem unfortunately. If you’re computer-illiterate then it’s difficult to decide who actually has a clue.

  4. I don’t really see why you are raising this issue with host files, since as mentioned, they are easier to verify, from a security standpoint, than most files that are commonly downloaded off the net. Anyone with a text editor can double check them.

    While the “if you don’t know what you’re doing, then don’t do it” precaution is true for all downloads, at least hosts files are easy to check.

  5. I think this raises a different issue, that of ensuring that certain websites get resolved by the actual dns server and not some cache on the local machine. Maybe by default all https sites should work this way.

    If they think something will give them less popups/ads/spyware, people are likely to download it, especially novices.

    And any dns caching could suffer from similar problems.
    What if your ISP’s dns servers got hacked and essentially those phishing lines took effect? So how do you trust a dns result?

  6. OK, so in some ways it’s like other downloads, but perhaps people might think “It’s just a text file – what harm can it do?”. There will certainly be no “this is an executable, and could harm your computer” warning.

    Anyone using one of these files without actually LOOKING at it deserves what they get.

    Well, maybe – but how many people who download them actually do, do you think? Because of the “no ads!” promise, I bet they get downloaded and installed by loads of people who wouldn’t know a localhost if one approached them at a party.

    What if your ISP’s dns servers got hacked and essentially those phishing lines took effect? So how do you trust a dns result?

    You don’t. That’s why my view is that if you haven’t got an SSL connection, you can’t know for certain who you are talking to.

  7. “That’s why my view is that if you haven’t got an SSL connection, you can’t know for certain who you are talking to.”

    That should be: “[…]if you haven’t got an SSL connection with a *valid* certificate from a certificate authority you can trust, you can’t know for certain who you are talking to.”

    Personally I don’t trust verisign for example. They have shady business practices. It is my belief (which I probably should back up somehow) that they would sell anyone with a credit card a certificate without much double checking.

  8. Personally I don’t trust verisign for example.

    So I presume you’ve removed their root certs from your copy of Firefox, and refuse to use any web site protected by a Verisign certificate?

  9. “So I presume you’ve removed their root certs from your copy of Firefox, and refuse to use any web site protected by a Verisign certificate?”

    I’ve deleted the verisign certs from mozilla but I don’t refuse to use websites using them. I go there once, check the certs in a profile which still has the verisign certs and accept those specific certs in my day to day profile. Naturally only for sites where I transfer sensitive data, not too many. For other sites I just click through the warnings (which has its own dangers).

  10. Only geeks use hosts files anyway. So most should be able to notice if a hosts file is trying something funny (doesn’t point to 127.0.0.1).

  11. tr: but if Verisign issues certs to anyone with a credit card with no checks, how do you know you aren’t being phished, or your DNS hasn’t been poisoned?

  12. I don’t. But by manually checking it and importing just a specific certificate into mozilla a phisher has to be able to take advantage of some sort of race condition. For example when I have a new online banking account the phisher would have to be able to somehow trick me into accepting his or her certificate. After I have imported it it’s too late.