(I wasn't implying the EnergizedProtection is sketchy...)
The essential problem is, without active curation, source lists can't quickly react to emerging threats.
Without active curation, source lists become add-only buckets where domains land, and are rarely removed, long after they are abandoned.
The soft option is to simply cumulate domains. We've seen candidate block lists grow from 350,000 domains to 750,000 domains. These are just endless one-way buckets. Use that as your Android phone's hosts file, or your Windows PC hosts file, and you're going to have a bad time.
At the edges, there are myriad grey areas. We can all agree that YouTube serving ads is painful. But what about YouTube retaining your viewing history, which some people find very useful and handy? Over the years we've often had discussions such as this. This is what it means to actively curate.
I'm no expert, but the most obvious answer is "you MITM yourself".
If there is a userbase for a list, they have to trust the list to not filter out domains that shouldn't be filtered. I have a hard time thinking how this could lead to hidden repercussions, other than some security flaw that is only exploitable when some subset of requests go through.
Perhaps they can point a particular host to a malicious IP rather than "0.0.0.0". In a list of several hundred thousand domains, you wouldn't be able to notice this manually.
E.g., make Bank of America resolve to a phishing site rather than the real BoA IP.
Pi-hole and others might check for this though, I don't know.
Back before security fatigue set in, I would filter the lists through my own sanity checks for this sort of thing (never found a single one amiss after years), then point my clients at my vetted lists.
I am under the impression that the blocklist programs (such as uBlock Origin or Pi-hole) do not have an option to redirect to anything other than the void. I can only see downsides to allowing this.
Actually uBlock Origin has some options to replace JavaScript with custom (presumably less intrusive) scripts. Although I don't think 3rd party lists can do this.
Anyway the repository in this post also provides host files, which most definitely can redirect you to malicious IPs.
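The sanity check discussed in the comments above (hosts entries that point somewhere other than the void) can be sketched as follows. This is an added example, not code from the thread or from any blocklist project; the function name, the set of accepted sink addresses and the sample entries are assumptions constructed for illustration.

```python
import ipaddress

# Assumption: a blocking hosts file should only ever point at these sinks.
SINK_ADDRESSES = {ipaddress.ip_address(a)
                  for a in ("0.0.0.0", "127.0.0.1", "::", "::1")}

# Standard local names that legitimately map to non-sink addresses.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "local", "broadcasthost",
               "ip6-localhost", "ip6-loopback", "ip6-localnet",
               "ip6-mcastprefix", "ip6-allnodes", "ip6-allrouters",
               "ip6-allhosts"}

def audit_hosts(text):
    """Return (line number, reason, line) for every entry needing review."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments
        if not line:
            continue
        fields = line.split()
        names = [n.lower() for n in fields[1:]]
        try:
            # Strip an IPv6 zone id such as fe80::1%lo0 before parsing.
            addr = ipaddress.ip_address(fields[0].split("%", 1)[0])
        except ValueError:
            findings.append((lineno, "unparseable", line))
            continue
        if names and all(n in LOCAL_NAMES for n in names):
            continue                          # ordinary system entry
        if addr not in SINK_ADDRESSES:
            findings.append((lineno, "redirect", line))
    return findings

# Constructed sample, not taken from any real list.
SAMPLE = """\
# constructed sample hosts file
127.0.0.1 localhost
::1 ip6-localhost ip6-loopback
0.0.0.0 ads.example.com
0.0.0.0 tracker.example.net  # trailing comment
203.0.113.7 bank.example.com
127.0.0.1 metrics.example.org
2001:db8::5 login.example.com
not-an-ip cdn.example.com
"""

if __name__ == "__main__":
    for lineno, reason, entry in audit_hosts(SAMPLE):
        print(f"line {lineno}: {reason}: {entry}")
```

Running the same check against each list update, and diffing the findings, scales to lists of several hundred thousand entries where manual review does not.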
On April 23, GitHub disabled the repository. Exact reasons are unknown.
The repository was then deleted and recreated.