
iTerm2: Please disable 'Perform DNS lookups to check if URLs are valid' - grhmc
https://gitlab.com/gnachman/iterm2/issues/6050
======
gnachman
Given the level of concern, I will change the default and release a new
version right away.

~~~
gnachman
This is done. A summary of the issue and apology can be found here:
[https://gitlab.com/gnachman/iterm2/wikis/dnslookupissue](https://gitlab.com/gnachman/iterm2/wikis/dnslookupissue)

~~~
teddyh
Why didn’t you do this two years ago, when the first bug report about this was
made?
([https://gitlab.com/gnachman/iterm2/issues/3688](https://gitlab.com/gnachman/iterm2/issues/3688))
Or a year ago, when a second report was made?
([https://gitlab.com/gnachman/iterm2/issues/5303](https://gitlab.com/gnachman/iterm2/issues/5303))
Note that the first bug report _explicitly mentions_ the leaking of passwords.

Was it really all about the “_level of concern_”, as you say, and you
wouldn’t have changed this without the exposure?

~~~
yanokwa
This is a deeply unkind thing to say to someone who donates their free time to
provide a public good. George apologized for his oversight and fixed the
problem. Take him at his word and thank him.

~~~
woof
Please don't call this "oversight".

He was (made) aware of the problem and _chose_ to keep the default.

------
tlb
It's horrifying to watch your own DNS traffic. All sorts of mysterious domains
show up. (On a typical macbook on WiFi, this will do it:)

    sudo tcpdump -i en0 -s 5000 -n port 53

On mine, these get resolved every 30 seconds (probably some Adobe updater):

    scss-prod-ue1-notif-39.adobesc.com.

Several servers get lookups of names long enough to be exfiltrating data:

    r3---sn-nvopjoxu-25ve.gvt1.com.  (Google)
    gzunified-ecselast-1isehuisml2g4-663788831.us-east-1.elb.amazonaws.com. (???)
    kube-nimbus-471965604.us-west-2.elb.amazonaws.com. (BitDefender)

If you hit a popular commercial site without AdBlock enabled, the list is
loooong and sketchy-looking.

~~~
exikyut
That Google one uses a similar naming scheme to the servers used for video
data for YouTube etc.

You just made me realize something, though. The Google and AWS examples you
gave won't be able to do this, but if you set up wildcard DNS and tell DNS
that you have your own nameserver via CNAME aliasing, you could make your
software do a lookup for e.g. something like
"bm9ib2R5IHdpbGwgZXZlciBub3RpY2UgaWYgSSB0cmFuc21pdCBkYXRhIGxpa2UgdGhpcyEKCg.example.com"
and exfiltrate data via DNS request in the process. The server could then
return 127.0.53.53 to mean "ACK; data received OK", whereas NXDOMAIN or any
other error would mean to try again.

Hmmmmm. Wondering if I should delete this...

(I realize this is exactly how the Iodine DNS tunnel works. FWIW,
freedns.afraid.org's free options are perfectly capable of getting iodine
working, I was very pleased to discover.)
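
As an added defensive example (not code from this thread, from iTerm2 or from iodine), the script below scans constructed `tcpdump -n port 53`-style lines containing the names quoted above and flags query names whose labels are unusually long or high-entropy; the thresholds are assumptions to tune per environment.

```python
import math
import re

# Constructed sample in `tcpdump -n port 53` style; not captured from a real host.
SAMPLE_CAPTURE = """\
10:01:02.100 IP 192.168.1.20.51000 > 192.168.1.1.53: 1001+ A? scss-prod-ue1-notif-39.adobesc.com. (52)
10:01:02.200 IP 192.168.1.20.51001 > 192.168.1.1.53: 1002+ A? r3---sn-nvopjoxu-25ve.gvt1.com. (48)
10:01:02.300 IP 192.168.1.20.51002 > 192.168.1.1.53: 1003+ A? bm9ib2R5IHdpbGwgZXZlciBub3RpY2UgaWYgSSB0cmFuc21pdCBkYXRhIGxpa2UgdGhpcyEKCg.example.com. (100)
10:01:02.400 IP 192.168.1.20.51003 > 192.168.1.1.53: 1004+ A? www.example.org. (33)
"""

# Query type followed by "?", then the name, then the packet length in parentheses.
QUERY_RE = re.compile(r"\b[A-Z]+\?\s+(\S+)\s+\(\d+\)")

def label_entropy(label: str) -> float:
    """Shannon entropy in bits per character: ~6 for base64 text, ~3-4 for words."""
    if not label:
        return 0.0
    counts = {c: label.count(c) for c in set(label)}
    return -sum(n / len(label) * math.log2(n / len(label)) for n in counts.values())

def suspicious_reasons(name: str) -> list[str]:
    """Reasons a query name looks like tunnelled data; empty if it looks ordinary."""
    name = name.rstrip(".")
    longest = max(name.split("."), key=len)
    reasons = []
    # Thresholds below are assumptions to tune per environment.
    if len(longest) > 32:
        reasons.append(f"label of {len(longest)} chars")
    if len(longest) >= 16 and label_entropy(longest) > 4.0:
        reasons.append(f"high-entropy label ({label_entropy(longest):.2f} bits/char)")
    # RFC 1035 caps one label at 63 octets, so tunnels spread data over several
    # labels; the whole-name check catches a chain of shorter encoded labels.
    if len(name) > 64:
        reasons.append(f"name of {len(name)} chars")
    return reasons

def scan_capture(text: str) -> dict[str, list[str]]:
    """Map each flagged query name in the capture to the reasons it was flagged."""
    flagged = {}
    for line in text.splitlines():
        m = QUERY_RE.search(line)
        if m and (reasons := suspicious_reasons(m.group(1))):
            flagged[m.group(1).rstrip(".")] = reasons
    return flagged

if __name__ == "__main__":
    for name, reasons in scan_capture(SAMPLE_CAPTURE).items():
        print(name, "->", "; ".join(reasons))
```

On a real host, pipe live `tcpdump -l -n port 53` output into `scan_capture` line by line; the two AWS ELB names from the thread stay under the thresholds, which is why a baseline of normal traffic matters more than any fixed cutoff.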

~~~
cyphar
I know several people who use these sorts of techniques to exfiltrate data
from a network where you don't have outbound TCP but you can leak information
through DNS. As you mentioned, Iodine lets you do this (though by default it
tries to use VOID DNS responses that are blocked by a lot of networks).

It's pretty cool being able to do an rsync-over-DNS.

~~~
exikyut
> _VOID DNS responses that are blocked by a lot of networks_

For ages I've been meaning to [figure out how to] report this to the iodine
dev, but I actually set up iodine specifically to get a working network while
I knew I'd briefly be visiting a hospital.

I discovered to my amusement that the (public!) hospital's IT infra is
_really, really good_; I was trying to SSH directly on top of the iodine
tunnel, and while the first few DNS requests associated with the connection
setup would work and I'd get as far as a shell prompt, everything would
rapidly screech to a halt and jam up pretty much instantly after that; maybe
I'd get a single character typed, then it would completely die. I figured I
was looking at a remarkably well-put-together leaky-bucket implementation.

So I tried hacking usleep()s into likely-looking spots in the code, but that
didn't seem to slow it down enough. iodine is a rather _interesting_ program
internally, and a quick overview while distractedly sitting in a waiting area
wasn't entirely sufficient to figure out why I didn't seem to be slowing it
down enough to be a problem.

Before this "production" test, I previously verified that iodine was working
by running the client on an AWS box. IIRC, ping ran over the link for quite
some time (less than an hour; many minutes) without a single hitch.

On another note, I found that iodine seemed utterly incapable of setting up a
correctly-configured tunnel on my Arch (receiving/server) box; I always had to
ifconfig the tunnel (I forget exactly) to make it work. Problem with that was,
my ifconfig-ing only routed one specific IP address, iodine wanted to give
connections their own discrete IPs, and old sessions that locked up would take
a while to time out. So I made a gigantic hack-script that would repeatedly
kill iodine over and over every 1.5 minutes if it didn't see an authenticated
SSH login. Would be nice for everything to just work properly...

------
kator
I hardly go a day without using iTerm2.

Don't worry George, your responsiveness more than makes up for an honest
mistake.

To everyone else: I would highly recommend if you make money on a daily basis
using iTerm2 that you support his efforts:

[https://www.patreon.com/gnachman/posts](https://www.patreon.com/gnachman/posts)

Before you ask, yes I'm a patreon for George, his work inspires me.

~~~
sgt
I recently switched back to Terminal.app due to poor performance in iTerm 2.
Keystrokes were lagging to the point it got frustrating. Then a few days ago
someone pointed out that I should try the iTerm 2 nightly build, and sure
enough the lag is gone, so I'm now back on iTerm 2 again.

------
jakobegger
It never ceases to amaze me how otherwise intelligent people think it's a good
idea to send unencrypted user data to random servers on the internet in the
background.

~~~
JadeNB
It makes me scared to be an iTerm2 user, frankly. Because I am an idiot, it
never occurred to me that I'd have to wonder about the security implications
of my choice of terminal emulator. Does it otherwise have a good reputation
for security?

~~~
problems
Just ditch it - clearly the author has no regard for privacy.

I cringe just thinking about implementing something like that.

~~~
mw6621
iTerm2 is great and George is absolutely responsive with any issue I've ever
brought up. I am personally going to give him the benefit of the doubt here,
I'm sure he'll fix things ASAP.

~~~
derimagia
Yep was already fixed:
[https://gitlab.com/gnachman/iterm2/wikis/dnslookupissue](https://gitlab.com/gnachman/iterm2/wikis/dnslookupissue)

------
hannob
Reminded me immediately about this whatsapp-issue, which is also very
problematic:
[https://twitter.com/mulander/status/874370124932943874](https://twitter.com/mulander/status/874370124932943874)

~~~
exikyut
Also affects FB Messenger (scroll down the thread for a while) and Telegram.

A WA crash was also presented.

Well that was a very interesting thread...

------
geofft
One of the nice things about GitLab instead of GitHub is that there isn't a
flood of low-information, high-anger comments once a thread makes the HN front
page.

~~~
davidgerard
No, that's because the server is melting and giving 500 errors ;-)

------
pishpash
What's more interesting to me is that some people are okay with a lookup on
click but not a lookup on hover. It seems a difference in affirmative intent
exists between hover and click; and more generally perhaps categories of user
actions should be formalized into degrees of affirmation that could mitigate
errors like this.

~~~
justinclift
Hovering can be a part of the everyday copy-n-paste action though, for
selecting the text to copy.

~~~
EnigmaticLion
If I use iTerm's autocopy feature (e.g. that the selected text automatically
goes to the clipboard) and rarely press CMD+C then I'm safe? Or should I start
changing my passwords? Since I usually generate passwords with `pwgen`, then
copy with double click.

~~~
justinclift
Sorry, no idea personally. I don't use iTerm, I was just pointing out that
hovering is a common user action (due to cut-n-paste). :)

------
csours
Wow, this reminds me of how Cisco routers automatically try to SSH to anything
that isn't a recognized command. (I may be mis-remembering part of this)

~~~
icedchai
I remember it being telnet, not SSH. I started working with Cisco routers in
the early 90's, before SSH was even a thing.

~~~
csours
Yup, that's right.

------
JosephRedfern
I've submitted a PR to change the default behaviour:
[https://github.com/gnachman/iTerm2/pull/332](https://github.com/gnachman/iTerm2/pull/332)

------
JadeNB
Since I didn't see it on a quick skim, it seems that the way to do this is
Preferences > Advanced > Semantic history.

~~~
chadlavi
Or if you're lazy like me, Preferences > Advanced > type "DNS" (the search
field gets autofocus on the Advanced prefs pane).

~~~
whoisjohnkid
lol this is exactly what I did. Worked like a charm.

------
NelsonMinar
It's a shame DNS traffic isn't at least encrypted. That doesn't solve the
whole problem (you're still sending data to a potentially untrusted DNS
server) but it'd help a little.

------
cnst
CVE-2015-9231 has been assigned to this issue.

[http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-9231](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-9231)

[https://nvd.nist.gov/vuln/detail/CVE-2015-9231](https://nvd.nist.gov/vuln/detail/CVE-2015-9231)

------
_of
I just upgraded. Is there any way to turn off the new iTerm2-specific MacBook
touch-bar buttons?

------
stiangrindvoll
Makes you wonder what your own port 53 traffic looks like...

------
clairity
a local firewall (hands off & little snitch are handy commercial ones for mac)
will help you catch these kinds of info leaks (i caught this one a long time
ago because of mine).

it does come with a time cost however--little popups every time you launch a
new application or connect to a new service that you have to evaluate and
handle, since you haven't set rules for them already.

~~~
duskwuff
A local firewall probably wouldn't have helped here -- the DNS lookups would
be performed by mDNSResponder, not by iTerm itself.

~~~
clairity
you might be right about the DNS lookup.

but i do distinctly remember getting alerts for this and being annoyed enough
to go figure out how to disable the feature in iterm2 (it was at least a
couple years ago, so my memory is hazy).

maybe someone with more recent experience can clear up the mystery for us. =)

~~~
ThisIs_MyName
I don't think this "feature" existed a couple of years ago.

------
trapperkeeper74
In general, dnscrypt can help defend against DNS privacy loss for situations
like these.

~~~
Habbie
You said it right - can _help_ defend. On the other end of your dnscrypt
tunnel, the queries will still go out unencrypted. They will just be harder to
correlate to you specifically.

------
knodi
Is gitlab throwing a 500 for anyone else?

~~~
sytse
It was but it was fixed, see
[https://twitter.com/gitlabstatus/status/910274484992663552](https://twitter.com/gitlabstatus/status/910274484992663552)

------
Azkar
Fantastic response.

~4 hours from report to release.

~~~
cnst
4 hours?

More like 2 years! And at least 3 separate bug reports, roughly one year apart
each!

[https://gitlab.com/gnachman/iterm2/issues/3688](https://gitlab.com/gnachman/iterm2/issues/3688)

[https://gitlab.com/gnachman/iterm2/issues/5303](https://gitlab.com/gnachman/iterm2/issues/5303)

Unless you are into alternative facts, of course, then, yeah, very prompt
release engineering and vulnerability fixing!

