2009-07-09

The Benefits of Using HTTPS - It's Not Just for the Encryption

Out of good habit, I access websites that require authentication over HTTPS whenever possible (i.e. whenever the site supports it). These websites include Yahoo! Mail, Gmail and Facebook.

Yesterday, when I tried to access Facebook (using HTTPS), Firefox gave me a warning:

www.facebook.com uses an invalid security certificate.

The certificate is only valid for a248.e.akamai.net

(Error code: ssl_error_bad_cert_domain)


Fearing that my DNS cache had been poisoned, I decided to compare the DNS lookup for www.facebook.com with the result of the same lookup using OpenDNS.

OpenDNS resolved www.facebook.com to:

69.63.184.31
69.63.176.15
69.63.176.15
69.63.187.11
69.63.184.142
69.63.186.12

while running nslookup www.facebook.com on my own machine returned:

Non-authoritative answer:
www.facebook.com canonical name = www.facebook.com.edgesuite.net.
www.facebook.com.edgesuite.net canonical name = a1875.w7.akamai.net.
Name: a1875.w7.akamai.net
Address: 125.56.199.40
Name: a1875.w7.akamai.net
Address: 125.56.199.89
Name: a1875.w7.akamai.net
Address: 125.56.199.11
Name: a1875.w7.akamai.net
Address: 125.56.199.19


The fact that www.facebook.com mapped to www.facebook.com.edgesuite.net seemed pretty phishy (pun intended) to me, though the domain akamai.net looked vaguely familiar.

A quick search online revealed that the edgesuite.net domain comes from Facebook's use of the web application acceleration service provided by Akamai. It was definitely a relief to know that neither my DNS cache nor my home machine had been compromised.

To be on the safe side, however, I configured my modem/router to use OpenDNS's nameservers. Now nslookup www.facebook.com returns a result that looks more normal:

Non-authoritative answer:
Name: www.facebook.com
Address: 69.63.184.142


The key point is that if this had indeed been a well-executed phishing attempt, and if I had not been using HTTPS, I would not have known that the URL I trusted had taken me to a bogus site planted in my DNS cache: the certificate name mismatch is what would have given it away.
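As an added example (not code from the original post), here is a small Python script that performs the two checks this post relies on: whether the names in a certificate cover the hostname the user typed (the check behind Firefox's ssl_error_bad_cert_domain), and which addresses a local resolver returned that a reference resolver such as OpenDNS did not. The certificate name and the address lists are constructed from the values quoted above; the wildcard rule follows the RFC 6125 leftmost-label convention.

```python
from ipaddress import ip_address

# Constructed sample data, taken from the values quoted in the post above.
REQUESTED_HOST = "www.facebook.com"
CERT_NAMES_SEEN = ["a248.e.akamai.net"]   # the only name the presented certificate covered
LOCAL_IPS = ["125.56.199.40", "125.56.199.89", "125.56.199.11", "125.56.199.19"]
OPENDNS_IPS = ["69.63.184.31", "69.63.176.15", "69.63.187.11", "69.63.184.142", "69.63.186.12"]


def name_matches_host(pattern, host):
    """Does one certificate dNSName cover the host? Exact match, or a single
    '*' standing in for exactly one leftmost label (RFC 6125 style), so
    '*.facebook.com' covers 'www.facebook.com' but not 'a.b.facebook.com',
    and '*.com' covers nothing."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    if p_labels[0] != "*" or any("*" in l for l in p_labels[1:]) or len(p_labels) < 3:
        return False
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def cert_matches_host(cert_names, host):
    """True if any name in the certificate covers the host the user typed."""
    return any(name_matches_host(n, host) for n in cert_names)


def resolver_disagreement(local_answer, reference_answer):
    """Addresses the local resolver returned that the reference resolver did not.
    A non-empty list is a prompt to look closer, not proof of poisoning: a CDN
    legitimately hands out different addresses depending on where you ask from."""
    return sorted(set(local_answer) - set(reference_answer), key=ip_address)


def triage(host, cert_names, local_ips, reference_ips):
    """Defender-side summary of the situation described in the post."""
    if not cert_matches_host(cert_names, host):
        return "certificate does not cover %s: do not proceed, whatever DNS says" % host
    extra = resolver_disagreement(local_ips, reference_ips)
    if extra:
        return "certificate OK; resolvers differ on %s (likely a CDN, verify the CNAME chain)" % ", ".join(extra)
    return "certificate OK; resolvers agree"


if __name__ == "__main__":
    print(triage(REQUESTED_HOST, CERT_NAMES_SEEN, LOCAL_IPS, OPENDNS_IPS))
```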
