Hosts: Is hosts secure?

Created on 1 Oct 2016  ·  20 Comments  ·  Source: kelthuzadx/hosts

I'd like to ask how to check whether the IPs in the hosts file are safe. I'm a beginner.
Thank you for your work.

question

All 20 comments

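Head west all the way; take care, young hero.

The meaning of "is hosts secure" doesn't match the original question, does it... Or have I misunderstood again...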


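"Great Sage, what do you intend to do?"
"Trample the Southern Heaven, shatter the nine skies."
"And if you never return?"
"Then I never return!"

= = Security is related to the IP address, isn't it?

I've been running naked (unprotected) all along.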

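hosts only redirects the mapping between hostnames and IPs. If you care about network security, guard against attackers breaking into your router, don't casually connect to unknown Wi-Fi, and don't click unknown links.

hosts is contributed by many people, so there are always parts that are hard to review; use the hosts file at your own risk.

I feel the question is about how to identify things like reverse proxies.

We can't guarantee safety, so please use your own judgment before using it.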

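@andytimes Same as above.

@cjkzwe Edited.

@8thchef Sorry, I answered a different question. I hadn't read the question description carefully.
The question description asked "how", while my earlier answer addressed "whether".

As for how to check whether the IPs in hosts are safe, you can do this:

First extract the IPs from hosts, then look up information about them online.
For example, Chinaz (站长工具) has a batch IP lookup feature that works well: http://ip.chinaz.com/ipbatch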

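#!/bin/bash

# Download the project's hosts file, keep the first (IP) column, de-duplicate,
# then drop comment lines, IPv6 entries and blank lines.
curl -s https://raw.githubusercontent.com/racaljk/hosts/master/hosts |
    cut -f 1 | sort -u | sed '/#\|::/d; /^$/d'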

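The script above filters out this project's IPs; here are the IPs I got after running it just now: ip.txt

Copy the IPs from it into http://ip.chinaz.com/ipbatch for a batch lookup. The "IP的物理位置" (physical location of the IP) column gives information about each IP; from what it shows, you can get a rough idea of whether the IPs in hosts are safe.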

Most IPs used in this file are secure. They were often found by DNS resolution, and that's official. However, some IPs used in this file are sniproxy IPs (like 218.254.1.13 and 219.76.4.4, used in Dropbox's domain). Though Dropbox used SSL to encrypt the transmission, your data will not be transferred to its official servers directly. Personally I think that might be a security problem.

@myguybetter
First of all you should trust TLS. If you regard TLS as something not secure, this issue won't be related to hosts files; you'll face MITM attacks even without hosts files.
Then TLS was designed to mitigate MITM attacks, so men in the middle (e.g. the SNI proxy) won't have any chance to know what you're doing or pretend to act like the actual server. The only thing they know is when you try to connect to it, and how often you do that.
Finally, as you mentioned, your data isn't transferred directly, so there isn't any guarantee that your data will be transferred to the official server. But it is guaranteed that any data you received is from the official server as long as you use TLS.

@sqc1999
I understand. I surely trust TLS :)
So what I mean is that, depending on this file's position and this project's sensitivity, I think it might be better not to use 3rd-party proxy services to fix the connectivity issues, even though there aren't any available IPs for a domain.
Just like commit #689: by replacing a blocked IP with an SNI, FB can be connected, as long as this proxy IP is not blocked.
But that's not a permanent solution. After all, this kind of service is provided by those ISPs, and we don't know when it would become invalid. Then some mobile apps don't recognize SNI, so there would be problems when using these apps.
So, personally I think SNI can just be a temporary plan, not a long-term solution.

@myguybetter
I agree that it's not a good idea to use SNI proxies in such a project.
But there is something to clarify.

  • The current hosts file also relies on the compatibility with SNI. There are a lot of DNS names pointed to a single IP. In this case TLS won't work without SNI.
  • The IP addresses in this project also have a probability of being blocked. They are just not being blocked currently.

Furthermore, I think all kinds of ways to get across the GFW are temporary solutions. As far as I know, all these ways are able to be blocked in theory (but may cost too much). In critical situations, the government can even get the whole country disconnected from the Internet physically.

@sqc1999
Agree with you :)
I worried too much.

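@andytimes That's quite a lot of work. What counts as unsafe?

2016-10-16 16:03 GMT+08:00 wlm:

@andytimes https://github.com/andytimes That's quite a lot of work. What counts as unsafe?

It seems there are only 200+ IPs, so three batch lookups will do. As for how to check the safety of an IP, I don't have any good ideas either.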

Andy

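Sites that get blocked generally use HTTPS connections. The browser is responsible for checking whether a site's certificate matches the company, and when the certificate has been swapped the browser will warn you. So use a secure browser, blacklist the CNNIC certificate, and don't routinely add certificates to your keychain or trust certificates, and you'll be fine.
// Just noticed that someone already brought this up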

You can check WHOIS.
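An added example, not code from the thread or the project: the certificate check the TLS comments above rely on, run per hosts entry instead of per browser visit. It goes beyond the IP location lookup suggested earlier; `parse_hosts`, `check_entry` and the sample entries (documentation-range IPs) are names and data assumed for illustration.

```python
import ipaddress
import socket
import ssl

# Constructed sample in hosts-file format; not taken from the project's file.
SAMPLE_HOSTS = """\
# comment line
127.0.0.1\tlocalhost
::1\tlocalhost
192.0.2.10\twww.example.com
192.0.2.10\tapi.example.com  # trailing comment
198.51.100.7 cdn.example.net
not-an-ip\tbroken.example.org
"""

def parse_hosts(text):
    """Return (ip, hostname) pairs for non-loopback IPv4 entries."""
    pairs = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()  # strip comments, split on whitespace
        if len(fields) < 2:
            continue
        try:
            addr = ipaddress.IPv4Address(fields[0])  # rejects IPv6 and junk
        except ValueError:
            continue
        if addr.is_loopback or addr.is_unspecified:
            continue
        pairs.extend((fields[0], name) for name in fields[1:])
    return pairs

def check_entry(ip, hostname, port=443, timeout=5.0):
    """Connect to the pinned IP, send `hostname` as SNI, and validate the
    certificate chain and name against the system trust store."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED and check_hostname=True
    try:
        with socket.create_connection((ip, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=hostname) as tls:
                issuer = dict(rdn[0] for rdn in tls.getpeercert()["issuer"])
                return True, issuer.get("organizationName", "?")
    except ssl.SSLCertVerificationError as exc:
        return False, "certificate rejected: " + exc.verify_message
    except (ssl.SSLError, OSError) as exc:
        return False, "no verified TLS session: %s" % exc

if __name__ == "__main__":
    for ip, name in parse_hosts(SAMPLE_HOSTS):
        ok, detail = check_entry(ip, name, timeout=3.0)
        print("OK  " if ok else "FAIL", ip, name, detail)
```

A failure means the pinned IP could not prove it speaks for that name, so the entry should not be used. A pass does not tell you whether the IP is an official server or a pass-through SNI proxy, which can still see when and how often you connect.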
