As someone very confused as to what people are commenting about, thank you. I'm clearly just seeing the post-patch version.

I'm guessing that the NSA website uses recaptcha, which is served by Google. Perhaps in order to comply with strict origin policy, they want everything on nsa.gov to be served from their domain. They seem to have a reverse proxy that proxies requests to google.com.

That's one plausible explanation, but in any case, even if my explanation is wrong, I doubt the explanation is interesting.

If that's the case, they are being sloppy, considering that everything under www.google.com is proxied through their servers, not just specific reCAPTCHA assets.

Gmail by NSA: https://captcha.nsa.gov/intl/us/gmail/about/

They're inheriting a considerable part of Google's attack surface. For example, Google's open redirects could be used to bypass origin checks as part of an attack on nsa.gov, or to phish NSA employees.
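To make the "sloppy" point concrete: below is a toy model of an edge proxy that terminates TLS for captcha.nsa.gov and forwards to an upstream with the Host header rewritten, once as observed in the thread (every path forwarded) and once restricted to an allowlisted path prefix with path normalisation so `/recaptcha/../intl/...` cannot slip past. This is an added example, not code from the thread, Akamai or Google; the upstream name, the `/recaptcha/` allowlist and the sample requests are assumptions chosen for illustration.

```python
"""Toy reverse-proxy request rewriting: the observed (sloppy) behaviour
next to a path-allowlisted variant.

Added example, not code from the thread, Akamai or Google. UPSTREAM_HOST,
ALLOWED_PREFIXES and the sample requests are assumptions."""
import posixpath
from typing import Dict, Optional, Tuple
from urllib.parse import quote, unquote

UPSTREAM_HOST = "www.google.com"     # assumption: the origin being fronted
# Assumption: the only path prefix a captcha proxy actually needs.
ALLOWED_PREFIXES = ("/recaptcha/",)


def parse_request(raw: bytes) -> Tuple[str, str, str, Dict[str, str]]:
    """Split a raw HTTP/1.1 request head into (method, path, version, headers)."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, path, version = lines[0].split(" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, version, headers


def build_request(method: str, path: str, version: str,
                  headers: Dict[str, str]) -> bytes:
    """Serialise the request head back to bytes with title-cased header names."""
    head = f"{method} {path} {version}\r\n"
    head += "".join(f"{k.title()}: {v}\r\n" for k, v in headers.items())
    return (head + "\r\n").encode("latin-1")


def sloppy_rewrite(raw: bytes) -> bytes:
    """What the thread observes: only Host changes, every path is forwarded,
    so all of the upstream becomes reachable under the proxy's hostname."""
    method, path, version, headers = parse_request(raw)
    headers["host"] = UPSTREAM_HOST
    return build_request(method, path, version, headers)


def strict_rewrite(raw: bytes) -> Optional[bytes]:
    """Hardened variant: forward only allowlisted path prefixes, checked on the
    percent-decoded and dot-segment-normalised path. Returns None when the
    request must be refused at the edge."""
    method, path, version, headers = parse_request(raw)
    if method not in ("GET", "HEAD", "POST"):
        return None
    path_only, sep, query = path.partition("?")
    normalised = posixpath.normpath(unquote(path_only))
    if not normalised.startswith(ALLOWED_PREFIXES):
        return None
    headers["host"] = UPSTREAM_HOST
    # Assumption: the origin has no business seeing the proxy site's cookies.
    headers.pop("cookie", None)
    forward_path = quote(normalised) + (sep + query if sep else "")
    return build_request(method, forward_path, version, headers)
```

The sloppy variant lets `GET /intl/us/gmail/about/` through unchanged, which is exactly the "Gmail by NSA" URL above; the strict variant refuses it and also refuses `/recaptcha/../intl/...` and `/recaptcha/%2e%2e/...` because the prefix check runs after decoding and normalisation, not on the raw path.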


They appear to have changed something in the past few minutes. When I first opened this HN thread it showed me Google's homepage. Now I'm also seeing that redirect.


Can someone explain what's going on? Is this a domain hack to get Google's captcha working under an nsa.gov hostname, presumably so that it's usable on whitelist firewalls? I'm surprised Google serves a homepage to the domain, and that it doesn't only respond to requests to google.com (etc.)

My guess: a custom version of Google that allows NSA analysts to do "Google dorking" - searching for vulnerable hosts with Google - without triggering a captcha. Somebody on twitter mentioned they could not get a captcha with strings that usually reliably cause one.

Maybe this is just a fake front page that calls to the Google search API and pretends to be Google proper. Either it is for agents in the field to inconspicuously use google or they misconfigured it to be public?

Your guess is wrong. This isn't a custom version of google. It's just a regular akamai reverse proxy setup.

> Either it is for agents in the field to inconspicuously use google

By visiting a nsa.gov subdomain served by akamai? Yeah right. I feel like heading to www.google.com would be far less conspicuous.

You can do that? I would expect Google to flag connections to the search page that don't terminate on a residential/commercial IP as suspicious and show you the near "unsolvable" captcha.

At least that is my experience with proxying google services (e.g. silly setup for accessing them from China). Datacenter IPs or SSL "MitM" connections reliably trigger it.

Anecdotal, and I'm guessing it's because I was logged in (to my long standing personal Google account) - but I didn't have any issues when I was VPN'd through a Vultr vps of mine when I was in my dorm.

Again I'm guessing it's because I was logged in, from google chrome.


I'd love to know what the distribution of tries on the "unsolvable" captcha is when served to real people operating in good faith.


Depends very much on which datacenter you're using. I'd imagine google doesn't get much (any) bot traffic from Akamai, so I'm not surprised that their ranges aren't flagged yet.


But all it takes is a few dozen queries in fast succession and google will start showing a captcha. At least, that is how it seemed to be a few years ago.


If the NSA rids the web of google captchas, it will have fully deserved its budget and all past mistakes will be forgiven!


Huge fan of your work. Use it daily with no problems. Just wanted to say, from the bottom of my heart, thanks.


Seems to be on purpose, unless someone really misconfigured their Akamai setup. Your purpose sounds viable


Is this more than a reverse proxy to google.com? Seems like the real question is _why_.

>I'm surprised Google serves a homepage to the domain

Google doesn’t, the reverse proxy just rewrites the Host header.


Could this backfire in any way and create some sort of exploit on nsa.gov? What if someone happened to somehow have access to google.com?


Yeah it's clear that a system is just blindly grepping the request url for certain keywords and killing the query.


So you can't search for `traceroute` or `tracert` directly, but you can search for a misspelling like `tracerout` and the results page just ends up showing the search results for `traceroute`, so it's not exactly a very sophisticated filter.


Well the purpose of the filter is almost certainly to prevent running the command on the server in case of an attack, not to prevent it from being searched on Google. You'd have to spell it correctly to get the server to execute it.

Looks to be CNAME forwarding.

    $ dig captcha.nsa.gov
    ;; ANSWER SECTION:
    captcha.nsa.gov. 13246 IN CNAME www.nsa.gov.edgekey.net.
    www.nsa.gov.edgekey.net. 21528 IN CNAME e6655.dscna.akamaiedge.net.
    e6655.dscna.akamaiedge.net. 19 IN A 23.213.xxx.xxx

The IP addresses at the last one all seem to be Akamai IPs. So that is fronting Google here, it seems?


Can anyone just do that to any domain? My website is hosted at GitHub Pages and requires a CNAME file in the repo root as well as the DNS entry at Cloudflare.

Agreed. The copyright holder / trademark owner must be the party that wants to limit distribution, not the government or some unrelated third party.

i.e. if I see you producing fake Coca Cola drinks, I can't sue you for infringing on The Coca Cola Company's trademark. They would have to sue you. Same applies for the government.

And of course, if NSA does have an agreement with Google to reverse proxy https://google.com/, them doing exactly that would be perfectly legal. I presume they have SOME sort of agreement, and aren't just doing this behind Google's back, as the website is on HN's first page in the first 5 places for an hour already, and Google hasn't banned access.

Try getting even 50 Google queries with a reverse proxy, and you will see what I mean -- they will show you a progressively more difficult ReCAPTCHA until a certain threshold, after which the CAPTCHA is unsolvable and is there only to waste your time. This hasn't happened to HN readers [yet].


Meanwhile I presume they misconfigured a service meant for doing captcha checks using Google. What's more likely? Why are you so aggressively.. eh.. okay, not going to write that.


Because HN voted so perhaps. So much aggressive and frankly stupid presumption here. But, the vote wins.

You can do it to any domain that isn't checking the hostname header. Most sites check that the hostname header matches the site's actual domain (like is specified in the CNAME file on GitHub Pages).

that's definitely not what's happening here though, most obviously because it has an SSL certificate. If it were just being CNAMEd over to google, the SSL would be invalid. NSA has to be catching the request to terminate the SSL, and then proxying it back to google.

I'm curious if this is a (temporary, insecure) way to use Google if you're in a place that Google is currently blocked.

Small chance, but in case anyone on HN is in a place google is blocked, would be an interesting test to run.


If you're in a country which bans Google, I'd suspect a high chance having nsa.gov wouldn't be too favourable on your DNS lookup records!


Genuinely curious: are there places that block google but don't block the NSA?


The certificate provider of captcha.nsa.gov is DigiCert Inc, while www.nsa.gov is currently using Let's Encrypt. Interesting.

Interesting alt names on the SSL certificate:

    DNS Name=www.nsa.gov
    DNS Name=nsa.gov
    DNS Name=apps-test.nsa.gov
    DNS Name=stage.nsa.gov
    DNS Name=apps.nsa.gov
    DNS Name=www2.nsa.gov
    DNS Name=captcha.nsa.gov
    DNS Name=m.nsa.gov

It looks like it's actually required by law.

https://www.congress.gov/bill/115th-congress/house-bill/2331

>If, on or after the date that is 180 days after the date of the enactment of this section, an agency creates a website that is intended for use by the public or conducts a redesign of an existing legacy website that is intended for use by the public, the agency shall ensure to the greatest extent practicable that the website is mobile friendly.
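The SAN list above is what decides whether the browser accepts the connection, which is the crux of the "if it were just a CNAME to Google the TLS would be invalid" exchange elsewhere in the thread. Below is a hostname-to-SAN matcher in the style of RFC 6125 section 6.4.3, run against the names posted above. This is an added example, not code from the thread or from any TLS library; the `GOOGLE_SANS_ASSUMED` list is an assumption used only to show the mismatch a CNAME-without-termination would produce.

```python
"""Hostname matching against a certificate's DNS Subject Alternative Names,
RFC 6125 style (wildcard only as the entire left-most label, no match across
dots). Added example, not the thread's or any library's code."""
from typing import Iterable

# Copied from the thread's listing of the captcha.nsa.gov certificate.
NSA_SANS = [
    "www.nsa.gov", "nsa.gov", "apps-test.nsa.gov", "stage.nsa.gov",
    "apps.nsa.gov", "www2.nsa.gov", "captcha.nsa.gov", "m.nsa.gov",
]
# Assumption: names a certificate for the upstream might carry instead.
GOOGLE_SANS_ASSUMED = ["www.google.com", "*.google.com"]


def dns_name_matches(pattern: str, hostname: str) -> bool:
    """True if a single SAN dNSName `pattern` covers `hostname`.

    Rules applied: case-insensitive; trailing dot ignored; a wildcard is
    accepted only as the whole left-most label, only when at least two
    labels follow it, and it matches exactly one label of the hostname."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3:
        return False
    if any("*" in label for label in p_labels[1:]):
        return False
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def cert_covers(sans: Iterable[str], hostname: str) -> bool:
    """True if any SAN in the certificate covers the requested hostname."""
    return any(dns_name_matches(p, hostname) for p in sans)
```

A client asking for captcha.nsa.gov is satisfied by the DigiCert certificate above, so the edge must be terminating TLS with that certificate before forwarding; a certificate for www.google.com (even with `*.google.com`) would not cover captcha.nsa.gov, and the wildcard would not cover `google.com` itself or a two-level subdomain either.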


So someone with control of a .google.com address can get a certificate for the equivalent .nsa.gov subdomain ?


My first instinct is that this is some kind of puzzle. It'd be pretty disappointing if this was just a misconfiguration or oversight.


That's actually a really viable theory, especially given the "can't search for traceroute" thing - that spits out what seems to be a time-based error string.

It’s not, that’s just standard akamai WAF behaviour.

E: sorry, HN is throttling me and I can’t reply below. This is just a silly web application firewall that blocks a list of “suspicious strings”. There’s not much else to be said about it.


Can you explain in more detail? captcha.nsa.goving for more information didn't return anything.


(I've turned off the throttling since your recent comments look to have been fine. Please don't do flamebait/flamewar in the future!)


Looks like the good folks over at the NSA are reading Hacker News. And fix issues quickly. I’m proud of them.


It's just a CNAME to an akamai IP:

    $ host captcha.nsa.gov
    captcha.nsa.gov is an alias for www.nsa.gov.edgekey.net.
    www.nsa.gov.edgekey.net is an alias for e6655.dscna.akamaiedge.net.
    e6655.dscna.akamaiedge.net has address 104.75.125.118
    e6655.dscna.akamaiedge.net has IPv6 address 2600:1406:5800:7b5::19ff
    e6655.dscna.akamaiedge.net has IPv6 address 2600:1406:5800:792::19ff
edgekey.net is an akamai thingy, all of nsa.gov seems to go through it
    $ host www.nsa.gov
    www.nsa.gov is an alias for nsa.gov.edgekey.net.
    nsa.gov.edgekey.net is an alias for e16248.dscb.akamaiedge.net.


NSA thanks you for you participation in this experiment. Please terminate all knowledge with the purple pill at this time.


Why wouldn't it be valid? It's for O=National Security Agency and it has alternate names matching this URL authority.


A potential vector would be to potentially load images/content through google image/AMP and make it appear as legitimate NSA content


It seems like we broke it -- it now refuses to do any searches for me (due to suspicious activity from 'my' ip)


What's odd is that it came up in English at first, but now it's Portuguese for me. Another comment here mentioned it's the Brazilian version of Google's search page.


It depends on the IP of the Akamai server that's hitting it. If you search "what is my ip" you'll see it.


depends on where the traffic exits the Akamai network... they are likely using it to proxy Recaptcha, so they likely said "we don't care where it exits" and Akamai picks whatever is most convenient for them... in that case, Brazil.

Nothing especially interesting happening here, someone just pointed captcha.nsa.gov at google.com in their akamai config.

Perhaps they’re just using google.com like example.com, or they’re trying to serve recaptcha under nsa.gov.


They could be doing something else on their internal network and this is just fallback for when their apps are outside the network.


This looks really really dumb. I wonder if you can get personal sites to display through nsa.gov somehow through this.

Among other things, it's weird that it shows up with a different GeoIP triangulation for different users. Someone commented here about seeing this in Portuguese. I'm seeing this in Japanese. Does anyone know what's going on?

EDIT: And now it's showing up in English.