Open HTTP redirectors

There has been much discussion about open e-mail relays, but very little about open HTTP redirectors. An open redirector is a page hosted by foo.com that will send you on to any URL you ask for, such as bar.com, whether or not foo.com ever intended that. This can have interesting effects on PageRank or can trick users into clicking on something that isn’t what it seems.

After many months of abuse by spammers, the rd.yahoo.com redirect server is now closed.

Yahoo! has used a redirect server for a long time for tracking clicks from one Yahoo! website to another.

http://rd.yahoo.com/example/?http://travel.yahoo.com/

Last year, spammers started using rd.yahoo.com in email messages to trick unsuspecting users into thinking that they were clicking on a Yahoo! website. They started sending out emails with links that looked like this:

http://rd.yahoo.com/example/?http://204.92.99.152/

Users saw the yahoo.com domain name and figured it must be some official Yahoo! site, not realizing that the server would redirect to another IP address. So we started blocking those types of URLs (easy to do since we’d never use a dotted-quad for anything legit). So the spammers switched to something a little more clever:

http://finance.yahoo.com:80@204.92.99.152/

The trick here was a misuse of the clear-text “username:password@server” authentication feature. It made it look like you were accessing a yahoo.com URL, but in fact were going somewhere else. These were particularly insidious, since they didn’t even go through our redirect servers, so there was nothing we could do to block them. Microsoft got rid of the problem for us with an update to Internet Explorer 5 and 6 that simply disabled the feature altogether. Mozilla followed suit by displaying a warning dialog box when this type of URL is used:

You are about to log into the site “204.92.99.152” with the username “finance.yahoo.com,” but the website does not require authentication. This may be an attempt to trick you.

Is “204.92.99.152” the site you want to visit?

So the spammers went back to abusing Yahoo!, but this time with actual hostnames:

http://rd.yahoo.com/example/?http://www.online-casino.com/

This not only tricks email users, but when used on the web can (in theory) also influence PageRank-type algorithms.

We had no choice but to either maintain a whitelist (lots of server-side state to manage) or implement a digital signature algorithm. We went with the digital signature approach. So now you can safely click through to partner sites:

http://rd.yahoo.com/example/SIG=10knc8oqv/?http://www.hp.com/

But if you try to recycle the same signature with a different URL, you’ll get a 403 Forbidden:

http://rd.yahoo.com/example/SIG=10knc8oqv/?http://www.online-casino.com/
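As an added illustration of the approach described above (not code from the original post, and not Yahoo!’s actual implementation), the target URL is signed with a server-side secret, so a SIG= copied from one link does not validate for a different target, and the targets the post describes blocking outright (dotted-quad hosts and URLs carrying a deceptive username:password@ part) are rejected before the signature is even looked at. The secret key, the truncated HMAC-SHA256 and the exact SIG= path handling are assumptions; the post does not say which signature scheme was used.

```python
import hashlib
import hmac
import ipaddress
from typing import Optional, Tuple
from urllib.parse import urlsplit

# Assumed server-side secret (constructed for this example); a real deployment
# would load it from configuration and rotate it.
SECRET_KEY = b"example-redirect-signing-key"


def sign_target(target: str) -> str:
    """Bind a signature to exactly one target URL (truncated HMAC-SHA256, an assumption)."""
    return hmac.new(SECRET_KEY, target.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def target_looks_deceptive(target: str) -> Optional[str]:
    """Return why the target would be blocked outright, or None if it is acceptable."""
    parts = urlsplit(target)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return "not an absolute http(s) URL"
    # "finance.yahoo.com:80@204.92.99.152": everything before '@' is userinfo,
    # so a browser would actually connect to the host after it.
    if parts.username is not None or parts.password is not None:
        return "userinfo present; real host is %s" % parts.hostname
    try:
        ipaddress.ip_address(parts.hostname)  # also catches IPv6 literals
        return "dotted-quad target"
    except ValueError:
        return None


def check_redirect(request_url: str) -> Tuple[int, str]:
    """Decide the response for a request such as
    http://rd.yahoo.com/example/SIG=<sig>/?http://www.hp.com/ -> (302, target) or (403, reason)."""
    req = urlsplit(request_url)
    target = req.query  # the post's links carry the whole target after '?'
    reason = target_looks_deceptive(target)
    if reason is not None:
        return 403, reason
    sig = None
    for segment in req.path.split("/"):
        if segment.startswith("SIG="):
            sig = segment[len("SIG="):]
    if sig is None:
        return 403, "unsigned redirect"
    if not hmac.compare_digest(sig.encode("utf-8"), sign_target(target).encode("utf-8")):
        return 403, "signature does not match target"  # a recycled SIG= fails here
    return 302, target
```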

Finally, rd.yahoo.com does what it’s supposed to do and nothing else. Frustrated spammers out there have probably already started to abuse someone else.

http://www.google.com/url?q=http://204.92.99.152/

http://www.google.com/url?q=http://www.online-casino.com/

:-)

SB 1160: driver’s licenses for undocumented residents

Gov. Schwarzenegger is taking a phone poll to assess support for SB 1160, the new Calif. legislation that would grant driver’s licenses to undocumented residents.

Please call 1-916-445-2841

Press #5 for “Hot Issues.”

Press #2 for Drivers License (for Undocumented) bill

Press #1 to support the Drivers License bill (SB 1160)

Remember, a lot of people are calling this number. If you get a busy signal, please call back or try calling over the weekend. It is essential that your voice be heard. [via United Farm Workers]

Hybrid SUVs

We’re thinking about buying a hybrid SUV.

Sometime this year we’re planning to replace our 1992 Ford Taurus with another vehicle. I’d like something that’s safe (ABS, front and side airbags) and a little bigger than our other car (a 1998 Toyota Camry). A compact SUV seems like the right thing for us, but the mileage is typically only about 22-24 mpg. Luckily, three car manufacturers have announced hybrid SUVs.

Our options seem to be to get the Ford Escape Hybrid which comes out this summer, or wait for the Toyota Highlander Hybrid or the Lexus RX 400h, both due out later this year or early next year.

We test drove a regular gas (non-Hybrid) 2005 Escape yesterday, and much to my chagrin we both really liked it. Even though Ford hasn’t been the most reliable car manufacturer historically, the Escape has good enough reliability so Consumer Reports actually recommends it (subscription required). Based on my past experience with the Taurus, I’m very hesitant to buy a Ford. But we both liked the Escape more than the Toyota RAV4 and the Honda CR-V.

My gut says to wait for the hybrid Highlander, since Toyota has been making hybrid cars for a few years now, Toyota is #1 overall for reliability, and we’ve been so satisfied with our Camry. But if the 9-month waitlist for the Prius is any indication, we might not be able to get our hands on a Highlander for quite some time. Do I really want to keep pumping money into the Taurus for another year?

I’m an uncle!

Yesterday I became an uncle!

Ruth Lydia Radwin was born yesterday at David & Kara’s home in Berkeley, CA. She was born with a full head of dark brown hair, weighs 10 lbs 10 oz, and is 22.75 inches long. Both Kara and Ruth are recovering well and are in excellent health.

Mazel Tov to David and Kara!

The long journey home

After two weeks in Bangalore, I’m heading back to the US. It’s been great fun meeting the team here; these guys have got a lot of energy and talent. I hope to be able to come back again, perhaps as soon as the end of this year.

Aside from the days where I was battling the Indian equivalent of Montezuma’s Revenge, I ate the best Indian food I’ve ever had. When I get back to the US I’ll still enjoy TastyBite, but now that I’ve tasted the real thing it will never quite compare.

I leave in about 3 hours but I won’t be home until Wednesday afternoon.

Still a small office

Someone asked me at lunchtime what I thought of the Yahoo! India Software Development Center office. I answered that it reminded me of the Y! office 5 years ago in Santa Clara. It’s still small enough that you can know every engineer, all-hands meetings don’t require a microphone or PowerPoint presentations, and the cafeteria has a payroll-deduction scheme for lunch (instead of a la carte and cashiers like we have nowadays in Sunnyvale).

I thought this was a pretty original insight, but apparently I gave more-or-less the same answer as Zod, Filo, Ash and other old-timers gave. :-)

Only one more day in the office and then it’s back to the US. We’ll probably go back to doing weekly videoconference calls so we can continue the momentum on the project, but it won’t be the same.