Is dalk4zrp4jp3q.cloudfront.net used by Agile Bits / 1Password for CDN?

TheNaughtyOtter
Community Member

Hi! I've read the relevant posts on this site, but haven't found the Cloudfront domain dalk4zrp4jp3q.cloudfront.net mentioned.

LittleSnitch has told me that something is contacting dalk4zrp4jp3q.cloudfront.net using NSURLSessiond - so I can't actually trace which app it is. But I have been uninstalling Apps one by one to try and work it out, and I'm down to a skeleton install - I basically have BitDefender and 1Password left that's not a core Mac app - I am fairly confident it's not malware. My best Google-fu shows that it is often used for a Mac App Store Icon, and it appears in a few open source projects (though none that are in use that I know of on my Mac).

I have disabled 1Password mini, rich icons and watchtower, and it hasn't fixed it, so I suspect that it is not 1Password, but just want to make sure!



Comments

  • TonyHall
    Community Member
    edited October 2016

    LittleSnitch tells me that SpotlightNetHelper located at...
    /System/Library/PrivateFrameworks/ParsecUI.framework/Versions/A/Support/SpotlightNetHelper.app/Contents/MacOS/SpotlightNetHelper
    ...connects to dalk4zrp4jp3q.cloudfront.net

    Hope that helps.

  • TheNaughtyOtter
    Community Member

    Hi TonyHall, actually that does track with an earlier indication I saw that parsecd was also calling that domain.

    I have obviously missed something in Little Snitch, could you tell me how you made that connection to Spotlight?

    (for what it's worth I thought I had cleared out all the things in Spotlight that were phoning home, but it seems not - any idea what in Spotlight it might be?)

  • TheNaughtyOtter
    Community Member

    Ok, I just disabled EVERYTHING in Spotlight, and it's still calling to Cloudfront! (I know this is not the right forum for this, but I thought it might be interesting for others - and googling for that domain brings this discussion up)

  • TonyHall
    Community Member
    edited October 2016

    I have obviously missed something in Little Snitch, could you tell me how you made that connection to Spotlight?

    If you've created a 'rule' with LittleSnitch (i.e. allowed or denied a connection) you simply open up the Little Snitch Configuration application, highlight the rule in question from the list, then the information for that rule can be seen on the right-hand side panel (cmd-i to toggle viewing the Info panel).

    Cloudfront.net is a content delivery network (CDN) from Amazon Web Services, and is used by a huge number of legitimate services to cache content.

    What is concerning you about this connection attempt?

    I may be foolish... but while I monitor and block certain outgoing connections (and attempt to exert some control over the information being transmitted), I also try not to drive myself mad by tracking and analysing every single connection my computer makes, as it can become a never-ending game of whac-a-mole and unwittingly disable some useful functions. Ultimately I guess I'm just not that paranoid.

    However, if there's a good reason to be wary of Spotlight connecting to this cloudfront address then please let me know. (For testing purposes with respect to this thread, I've now denied this particular connection; I await to see what effects that may have.)

  • AGAlumB
    1Password Alumni

    I hope you don't mind, but I've moved this discussion since CDN issues aren't app- or platform-specific.

    While I can't say I recognize that specific subdomain (these change over time and are pretty inscrutable, as you can tell), I can confirm that AgileBits uses CloudFront/AWS for hosted content (downloads, icons, updates, etc.). From our perspective, we're usually referencing something like https://cache.agilebits.com, which is then redirected based on region, so that you'll get a server as close to you (and therefore as fast) as possible.

    How the OS itself routes these calls can also be pretty opaque, but I'll see if we can provide any more insight for you. We'll get back to you! :)

  • littlebobbytables
    1Password Alumni
    edited October 2016

    Hi @TheNaughtyOtter & @TonyHall,

    One sure-fire way to get that request is to select a word and request a definition from the OS X contextual menu. So for me it's denied because I don't care what it is. I've had that connection denied for I don't know how long and I've never noticed any detriment to either OS X or 1Password. I'm extremely confident you would see the same connection attempt on a clean copy of OS X with nothing but Little Snitch installed.

  • TheNaughtyOtter
    Community Member

    @TonyHall - thanks for the tip and post; unfortunately in my version of LittleSnitch (3.7) I just see:

    /usr/libexec/nsurlsessiond
    Deny outgoing connections to port 443 (https) of dalk4zrp4jp3q.cloudfront.net

    and

    On 2 Oct 2016, nsurlsessiond tried to establish a connection to dalk4zrp4jp3q.cloudfront.net on port 443 (https). The request was denied via connection alert.

    With respect to your second comment, I can certainly understand your viewpoint - in my case I had reached a fairly good steady-state where nothing new was really popping up ever. So when this came up, it immediately caught my attention. With hindsight I can attribute it to the same time I did the Sierra update. But, to be honest, this is just terrible design (IMO) - and allows for anonymous connections, from unknown applications (but Little Snitch will say are signed by Apple, due to it using nsurlsessiond) to anonymous servers!

    @littlebobbytables : Indeed you are correct! I had been looking for a good excuse to rebuild my Mac for a while, and this was a perfect chance.. so that's what I did! From memory my install process went

    1. Brand new Sierra install
    2. Install BitDefender
    3. Install Little Snitch

    As soon as I had installed Little Snitch, this connection popped up! So, either it's in the OS (Spotlight for instance) or it's in BitDefender, or Little Snitch. I have checked in with BitDefender, and they have laid claim to it!

    Does anyone else here use BitDefender as well? Is it a common thread?

  • AGAlumB
    1Password Alumni

    @TheNaughtyOtter: Thanks for following up! After playing around with this in a VM and discussing it with others, this appears to be Spotlight. I'd come to that conclusion already, but given that I don't have BitDefender, it seems like that serves as confirmation. I can't speak for them, but I was hesitant to say definitively that it couldn't be 1Password since we also use that CDN. So they may be thinking along the same lines if they do as well. But as far as I'm concerned, if we're both seeing this with a new macOS install, Spotlight seems to be the common element between us here.

  • littlebobbytables
    1Password Alumni

    Hi @TheNaughtyOtter,

    I don't use BitDefender, so while they may be accessing something they store on Amazon's CDN, something else in OS X is too, at a guess. At least you got your answer :smile:

  • TheNaughtyOtter
    Community Member

    @brenty - no worries mate, to me this is a rather interesting discussion! But I must admit, I am a little perplexed as to why I am not seeing the reference to Spotlight in Little Snitch, only nsurlsessiond and parsecd - this leads me to believe that what I'm seeing is not Spotlight, but rather BitDefender. This might also be confirmed as I have Spotlight Suggestions disabled.

    Thus the conclusion is that multiple applications are using the same CDN. That is interesting. Spotlight (and therefore Apple - as we have seen this on default installs) are using it - and BitDefender seem to be using it as well. Googling reveals very little about it.

    So...

    • who owns it?
    • what content is it delivering?

    Systems that call home make me curious, and when it's multiple applications even more so! You would think that a CDN being accessed by both Apple and BitDefender would produce more hits on Google.

    Interesting! But yes @littlebobbytables I got my answer, but somehow the more I learn, the more questions I have (a pattern I find repeated often!)

    @brenty - one more question, was it Sierra you tested on? I appear to have had this only since upgrading to Sierra (but some Google responses and answers in this thread are older).

  • AGAlumB
    1Password Alumni

    Thus the conclusion is that multiple applications are using the same CDN. That is interesting. Spotlight (and therefore Apple - as we have seen this on default installs) are using it - and BitDefender seem to be using it as well. Googling reveals very little about it.

    @TheNaughtyOtter: Y'know what, that seems stupidly obvious now that you mention it. Of course a CDN could be hosting resources for multiple vendors! :lol:

    And yeah, I'm just on 10.12 stable. Nothing fancy here. I was poking around some more, and while you're right that you can turn off Spotlight suggestions, there doesn't seem to be a way to stop it alone from accessing network resources completely. Have you also disabled location services for Spotlight? I found this in the privacy info in its System Preferences:

    To deliver relevant search suggestions, Apple may use the IP address of your Internet connection to approximate your location by matching it to a geographic region.

This discussion has been closed.