BlackHatWorld is currently experiencing a large-scale DDoS attack. We’re working on it and will be back up soon.
Thanks for your patience.
It officially feels like December here at the blackhatzen offices. Snow is on the ground, coats are no longer optional, and we’re spending more and more time inside enjoying the warmth. Aside from providing customer support, we have three things on our agenda this month:
- Forum Generator 2.0
- WP Guardian 1.4
- Referer Guardian 1.3
Forum Generator 2.0
Over the last 24 hours, the basic framework that will become Forum Generator 2.0 has been written. We’re going to continue with the same UI stylistically, but a lot of changes are happening under the hood. A massive overhaul of the gathering system is my biggest priority at the moment, along with adding support for various forum platforms other than phpBB3. While phpBB has a lot to offer, it is limited by a lack of basic plugin support. After spending some time working with the bbPress and vBulletin forum platforms more closely, this limitation is blatantly obvious. As development continues, my plan is to continue updating the blog with what I’m finding so that others who are developing plugins for forum platforms can gain from what will most likely be a major learning experience for me.
WP Guardian 1.4
I’m going to begin integrating some of the features requested in this post, as well as changes and bug-fixes we’ve discovered since the last release. One thing that I plan on working on is the UI. Specifically, I’d like to integrate some of the design features used in Referer Guardian to make it easier for users to assign links to advertisements and advertisements to posts, pages, and categories. Once the feature set of 1.4 becomes set in stone, I’ll update the blog.
Referer Guardian 1.1
The Referer Guardian launch was a success. We’ve received a handful of feature requests for the next version from customers. One big new feature will be the inclusion of basic statistics in the Referer Guardian control panel. This tracking isn’t intended to compete with any of the various analytics packages available, but will give Referer Guardian users the ability to see how their campaigns are performing in real time.
Other News
During non-development hours in the next week or so, I’m going to put together a thorough tutorial (or potentially series of tutorials) on utilizing WP Guardian and Referer Guardian together. This probably should have been done before launch, but the main focus at that point in time was testing. We are also requesting that customers of any of our products provide us feedback ASAP for any new features they’d like to see in the next releases of all three of our current products.
That is all for now. I hope you all are having a good December and looking forward to a great start to the new year.
We’ve just sent out the updates for Referer Guardian 1.0.2. This update includes the following improvements:
- More adaptive to different permalink structures.
- You can now redirect through pages AND posts.
Customers, please let me know if you do not receive an update email.
After yesterday’s debacle, we’re happy to announce that Referer Guardian has launched! All who signed up for launch announcements should be receiving emails soon. If for some reason you don’t receive one or have any questions about the product, please contact us by clicking the questions button on the left-hand side of your screen!
About half of the announcement list emails weren’t ever sent. Everyone expecting them should be receiving them within the next 10-15 minutes. Sorry for the inconvenience!
We here at blackhatzen have to apologize. Our home state of Pennsylvania got rocked by some serious storms this evening. Rocked so hard, in fact, that we lost power here at blackhatzen manor until just before 4:30AM. Obviously, we didn’t launch on time, and that sucks, but chaos will be chaos and over the years we’ve learned to embrace this sort of thing as a sign that we are indeed still living in a universe that is, for the most part, completely out of our control. Either that or we just have really bad luck and need to buy a back-up generator … or move back into civilization where we can get 3G reception without having to scale mountains… whatever.
The long and tall of it is that we’re going to launch Referer Guardian at 2PM EST today. Fifteen hours later than we anticipated, but we need to get some sleep and no one likes reading email early in the morning anyway.
Thanks for understanding,
bhz
Referer Guardian launches TONIGHT at 11PM EST!
Just a quick update for everyone waiting for Referer Guardian to launch.
We made a great discovery yesterday during the final round of testing. We’ve tested and scrutinized the human-generated clicks themselves extensively without ever having a leak, but had never seriously abused a Referer Guardian-guarded iframe. So, a good friend was kind enough to lend us a 1×1 iframe on a site that gets hundreds of thousands of hits a day. We routed this iframe through Referer Guardian and to a tracking page where we recorded the referer as well as the header information (which carries browser information, among other things). What better way to do a final test than to put it through some insane abuse?
The results were very, very good and we learned something that, as far as we know, no one else has ever discovered. After well over 100,000 iframe loads, we had a leak rate of ~0.03%. That means that for every 100,000 visitors that hit the iframe, we recorded 30 leaks. Now, leaks are a scary thing when you’re developing (or using) something to hide your referer, but this isn’t a surprise. Iframes are notoriously hard to deal with because each browser handles them a little bit differently.
When we began to analyze the logs, we saw a very clear pattern for the tiny number of referers that did leak through: they were all (as in 100%) from browsers based on the Apple WebKit browser framework, which is used by both Safari and Chrome. Even stranger was the fact that there were literally thousands of other users, using the same browsers and operating systems, whose referers were cloaked perfectly. Our first thought was security software, but the fact that a majority of these leaks were from iPhones and Mac users indicates otherwise.
We also noticed that almost all of these leaks happened in pairs, in very close succession to one another. After putting some serious thought into the issue, we’re almost positive that what is occurring is the result of pre-fetching and caching. Under certain, rare circumstances (such as an extremely fast refresh or back button hit) some browsers will load the end result of a series of redirections rather than follow the redirection path itself. We have been unable to recreate this event using the same browsers (including the iPhone) after many, many, many tries, but we’re almost certain this is the case.
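The log analysis described above can be sketched as follows. This is an added example, not Referer Guardian code: the record layout, the hosts, the 5-second window and the same-client pairing rule are all assumptions, and the sample records are constructed.

```python
from collections import Counter
from datetime import datetime
from urllib.parse import urlsplit

ORIGIN_HOST = "origin.example"   # assumed: the site that hosts the iframe
WINDOW_SECONDS = 5               # assumed meaning of "very close succession"

# Constructed sample records: time | client | referer | user-agent
SAMPLE_LOG = """\
2000-01-01T20:00:01 | 203.0.113.5 | - | Mozilla/5.0 (Windows NT 6.1) Gecko/20101026 Firefox/3.6.12
2000-01-01T20:00:02 | 203.0.113.9 | http://origin.example/a | Mozilla/5.0 (iPhone) AppleWebKit/532.9 (KHTML, like Gecko) Safari/6531.22.7
2000-01-01T20:00:03 | 203.0.113.9 | http://origin.example/a | Mozilla/5.0 (iPhone) AppleWebKit/532.9 (KHTML, like Gecko) Safari/6531.22.7
2000-01-01T20:00:10 | 203.0.113.20 | - | Mozilla/4.0 (compatible; MSIE 8.0; Trident/4.0)
2000-01-01T20:00:15 | 203.0.113.31 | http://cloak.example/go | Mozilla/5.0 (Macintosh) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
2000-01-01T20:01:40 | 203.0.113.44 | http://origin.example/b | Mozilla/5.0 (Macintosh) AppleWebKit/533.19 (KHTML, like Gecko) Safari/533.19.4
"""

def parse(log):
    """Split each record into (datetime, client, referer, user_agent)."""
    rows = []
    for line in log.strip().splitlines():
        ts, client, referer, ua = (f.strip() for f in line.split(" | ", 3))
        rows.append((datetime.fromisoformat(ts), client, referer, ua))
    return rows

def engine(ua):
    # AppleWebKit is checked first: its UA string also says "like Gecko".
    for token, name in (("AppleWebKit", "webkit"), ("Trident", "trident"),
                        ("MSIE", "trident"), ("Gecko/", "gecko")):
        if token in ua:
            return name
    return "other"

def is_leak(row):
    """A leak is a recorded referer whose host is the origin site."""
    return urlsplit(row[2]).hostname == ORIGIN_HOST

def summarize(rows):
    leaks = sorted((r for r in rows if is_leak(r)), key=lambda r: r[0])
    by_engine = Counter(engine(r[3]) for r in leaks)
    # Consecutive leaks from the same client inside the window form a pair.
    pairs = [(a, b) for a, b in zip(leaks, leaks[1:])
             if a[1] == b[1] and (b[0] - a[0]).total_seconds() <= WINDOW_SECONDS]
    return {"loads": len(rows), "leaks": len(leaks),
            "rate_pct": 100.0 * len(leaks) / len(rows) if rows else 0.0,
            "by_engine": dict(by_engine), "pairs": len(pairs)}

if __name__ == "__main__":
    print(summarize(parse(SAMPLE_LOG)))
```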
Since we are unable to control browsers’ behavior at the system level, we’ve added the option to block all WebKit-based browsers. The referer is checked all along the cloak path, so it isn’t possible for a browser that sends either no referer or an unexpected referer to actually pass through Referer Guardian directly. We added the option specifically for people who choose to iframe.
For the sake of comparison, we also tested the currently most popular referer cloaking plugin, CPA-Redirector, and found that a little more than 5% of referers passed through during the same iframe test with very little pattern to the browsers or operating systems of those leaks. This means that under a strenuous iframe test, CPA-Redirector was 167 times more likely to leak the referer than Referer Guardian.
How is that for extensive research?