[hda111]

What is a nefarious redirect? Does it look for entries without 127.0.0.1?

[8organicbits]

There's a concern that a malicious list could point domain names to a malicious IP address. I don't think its a big concern with https:// since the cert will be invalid, but it's still a concern.

[DaiPlusPlus]

I suspect it’s very likely that somewhere in the world is a domain-validation server, used by a trusted CA, which has this very anti-advertising hosts file installed onto it.

[8organicbits]

Why? A CA would be unable to issue certificates for advertising sites with that configuration.

[DaiPlusPlus]

It could be a lesser-known CA, perhaps the national CA of a small country (under 2m people) that normally only issues less than tens-of-thousands of certs and only exists for regulatory reasons (e.g. the country requires all of its own gov services to use its internal CA, while all commercial/popular services use CA based in another country, usually LetsEncrypt)

[miles]

A redirect to some unexpected IP address. Here's what the output looks like:

    190625 0.0.0.0
      3 127.0.0.1
      1 255.255.255.255
      3 ::1
      1 fe80::1%lo0
      2 ff00::0
      1 ff02::1
      1 ff02::2
      1 ff02::3