The same here.
It seems like everything was working OK yesterday and now it does not.
For the OpenAI team, it would be useful to use ChatGPT to try to predict what the response would be for a general chat user when the company switched some of its services to a newly created domain. Most antivirus software treats newly created domains as potentially harmful. For the professional OpenAI developer team that would probably be ‘common knowledge’, which is not the case for a general ChatGPT user.
Please consider this constructive feedback for future releases of a very useful AI platform such as ChatGPT.
Best wishes from an occasional user of ChatGPT.
Victor

You can go into your WiFi router’s configuration portal.

In many, they allow you to keep the dynamic IP address that is assigned by your ISP, while at the same time you can modify the DNS server that is used for name lookups.

DNS servers:
1.1.1.1 - Cloudflare
4.2.2.4 - Level3
8.8.8.8 - Google

Unlikely.

It’s far more likely whatever DNS server is used by your ISP is simply out of date and will be updated eventually.

I am guessing if you took the laptop home and connected to your Wi-Fi (or some other network) it’s very likely the page would work without issue.

What you have to realize is the number of users affected is actually incredibly small—you’re just very vocal.

The vast majority of DNS servers are updated within 24–48 hours. OpenAI waited several days after registering the new domain before funneling traffic to it.

They did exactly what they should have done.

They cannot be expected to wait forever while some DNS servers drag their feet on updating their indices.

Antivirus software shouldn’t be doing anything with the domains your browser connects assets from.

I understand that the number of affected users is relatively small, but it would be helpful to have more specific information on the percentage. Could you please provide clarification on what is meant by ‘incredibly small’? Is it around 10%, 40%, or some other number?

While it is true that the majority of DNS servers are updated within 24-48 hours, it would have been more user-friendly if OpenAI had waited for a month before redirecting traffic to the new domain. This is because it typically takes that amount of time for a newly created DNS domain to transition from ‘new’ to ‘not-new’ status, which would have avoided any potential issues.

I respectfully disagree with the statement that OpenAI did exactly what they should have done. It would have been beneficial to take preventive measures if the new configuration of the service affected even a small group of users. Especially if these prevention efforts are easy to implement.

I understand that waiting forever is not expected, but a reasonable waiting period of one month would have facilitated a smoother transition to the new service.

Regarding the statement about antivirus software, it appears that the term ‘antivirus’ is being used to refer to blocking software that prevents access to ChatGPT services.

2 Likes

In the future, OpenAI should definitely consider aging a newly registered domain for a period of one month prior to general use.

Many security platforms and DNS filtering solutions block NRDs: Zscaler, FortiGuard, Palo Alto, Check Point, NextDNS, ControlD… Many of these block NRDs by default. Consequently, for users within high-security environments, ChatGPT could potentially become generally unavailable for an extended period of time.

(I’m wondering how much extraneous volume OAICS had to absorb as a result of oaistatic.com).

It’s also an industry-standard security recommendation to block NRDs:

Based on the high volume of problem reports that I’ve observed across multiple channels—and distinct users—I would suspect that the impact has been significantly greater than what some may believe.

2 Likes

While I get why newly-registered domains are blocked, it seems rather heavy-handed and borderline abusive to their own customers for companies to blanket-ban newly-registered domains.

Is everyone at the companies you mentioned asleep at the wheel?

When these many, many requests are pouring in for cdn.oaistatic.com side they don’t have a mechanism in place for better evaluating whether the block is deserved?

Quite the opposite. If NRDs were not blocked, it would be borderline abusive: the blocking of NRDs alone prevents an astonishing number of cybercrimes. NRD blocking is a vital—and uniquely effective—countermeasure against bad actors.

In fact, it’s so effective that this very forum leverages the same general strategy. New users start out untrusted, just like newly-registered domains. As a user ages, and engages in reputation-building activities, the user gains trust, and consequently limitations are lifted; same for NRDs.

No. If you’re volunteering to author an RFC on a trust protocol for NRDs, you have my full encouragement.

1 Like

I agree with one caveat…

Malicious NRD blocking is vital and effective.

Blocking all NRDs is like an over-active immune system.

Sure, if new users were greeted with a 404 error page for the first 30 days they visited the forum.

Not at all.

But it would be nice if these

understood the gilded-cage they climbed into well-enough to not go around blaming everyone else for their misfortunes.

I have MFA enabled everywhere it’s supported, I don’t cry about all the things it makes difficult or impossible.

1 Like

You can thank the bad actors that ruined it for everyone else: well over a whopping 7 out of every 10 NRDs are malicious.

Given that reality, and given that a trust protocol for NRDs doesn’t yet exist; temporarily blocking all NRDs is a sensible approach to keep users much safer than they would otherwise be. This is why it has been adopted as the default across most flagship security platforms.

Users were literally greeted with NXDOMAINs for weeks when they visited ChatGPT.

So you’re—as examples—blaming a 19-year-old anthropology student for not being able to access ChatGPT for weeks because someone on her university’s technical staff, years ago, implemented a recommended security practice? And you’re blaming a 23-year-old intern at a startup for not being able to access ChatGPT because a contractor that set up the startup’s network implemented controls required to pass a security audit?

To the extent that OpenAI is interested in ensuring that this doesn’t happen again, it would be OpenAI’s responsibility to conform to an industry standard—not for industry, that has adopted a reasonable security practice, to be attacked for adopting a reasonable security practice.

No, I’m suggesting they point their ire at the parties responsible for their troubles, the university’s technical staff or the contractor who set up their network, respectively.

Please point me to this “industry standard,” I can’t seem to find any reference to it at ICANN.

And if this is, in fact, “industry standard,” why don’t the largest providers of DNS services follow this “standard?”

This isn’t a networking standard, but it is a security best practice to consider the risk of NRDs. In fact, this originated in the mail security space, where every mail security platform has NRD as one of the attributes it considers for spam/suspicious/malicious content filtering.

You can find research online that has similar conclusions along the lines of (generalizing) “70% of NRDs including malicious content such as phishing or are otherwise not safe for use at work.”

As a security best practice, there are multiple approaches to reducing risk from NRDs. For example, Palo Alto Networks doesn’t just block them outright, they utilize the “block-continue” response which redirects the user to a customizable warning page describing the risk and website categorization before continuing.

Usually that redirected warning page via “block-continue” is a good middle ground that doesn’t impact UX that often (because users generally aren’t visiting new domains that often). The problem with ChatGPT is that their site started using calls to cdn.oaistatic[.]com in link preload at the top of the html, so the browser, even in environments that use “block-continue,” just loads nothing for the .css and .js files rather than redirecting the user to a warning page.

Further, the implementation of risk reduction vs. NRDs varies by vendor. Using Palo Alto Networks again, they don’t classify NRDs just based on registrar date, but based on when they first see the domain in their global network of passive DNS monitoring. Then, for the next 33 days, that domain is dynamically categorized as an NRD within the Palo Alto Networks ecosystem.

Of course, one can customize security policies and exempt specific domains or the NRD categorization altogether. My point, though, is to provide context on how common a practice it is to block NRD in various ways within an enterprise network.

2 Likes
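An added sketch, not part of the thread and not any vendor's implementation, of the behaviour described in the post above: a domain is categorized as an NRD for 33 days from when it is first seen, a "block-continue" policy shows a warning page on a top-level navigation, and the same policy silently drops CSS/JS fetched from an NRD. The example domains, the first-seen table and all function names are constructed for illustration; it also lets a site operator see how many days of NRD categorization remain for each asset host.

```python
from datetime import datetime, timedelta, timezone

NRD_WINDOW = timedelta(days=33)  # window length quoted in the post above

def registrable(host):
    # Simplification: last two labels; real code should use the Public Suffix List.
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def nrd_days_left(host, first_seen, now):
    """Days of NRD categorization remaining (0 = aged out).
    A domain never observed before counts as first seen now."""
    seen = first_seen.get(registrable(host), now)
    left = (seen + NRD_WINDOW) - now
    return max(0, -(-left // timedelta(days=1)))  # ceiling division

def effect(host, kind, first_seen, now, exempt=frozenset()):
    """kind is 'document' (top-level navigation) or 'subresource' (css/js/preload)."""
    if registrable(host) in exempt or nrd_days_left(host, first_seen, now) == 0:
        return "allow"
    # block-continue can only show its interstitial on a navigation; a
    # stylesheet or script fetch has nowhere to render it, so it just fails.
    return "warning-page" if kind == "document" else "asset-dropped"

def page_outcome(page_host, asset_hosts, first_seen, now, exempt=frozenset()):
    """What the user ends up with, plus the asset hosts that were dropped."""
    if effect(page_host, "document", first_seen, now, exempt) != "allow":
        return "warning-page", []
    dropped = [h for h in asset_hosts
               if effect(h, "subresource", first_seen, now, exempt) != "allow"]
    return ("broken-render" if dropped else "ok"), dropped

# Constructed sample data: an established site that starts loading assets
# from a domain first observed five days ago.
NOW = datetime(2024, 3, 1, tzinfo=timezone.utc)
FIRST_SEEN = {
    "app.example": NOW - timedelta(days=900),
    "newcdn.example": NOW - timedelta(days=5),
}
ASSETS = ["cdn.newcdn.example", "static.app.example"]

if __name__ == "__main__":
    print(page_outcome("chat.app.example", ASSETS, FIRST_SEEN, NOW))
    print(page_outcome("chat.app.example", ASSETS, FIRST_SEEN, NOW,
                       exempt={"newcdn.example"}))
    for h in ASSETS:
        print(h, "NRD days left:", nrd_days_left(h, FIRST_SEEN, NOW))
```
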

@tommyai Welcome to the Community :handshake:

Please trust me when I tell you I am aware of all of this. You are not educating anyone on anything here.

My point, which everyone seems to have missed, is that it is not the responsibility of OpenAI (or anyone else) to work around whatever security policies you or those around you have chosen to implement.

You also seem confused, because the “industry standard” being discussed here is emphatically not in any way related to the blocking of NRDs, but rather the idea that entities must register and sit on a domain for at least 30 days before using it.

That is what was suggested by the person to whom I was responding.

As a general practice blocking NRDs does do a lot to protect unsophisticated users from a wide variety of attacks, but the choice of some networks and entities to proactively block NRDs “breaks” the underlying structure of the internet which, when it was conceived, was built upon the assumption of trust—both in the good intentions of hosts and in the ability of users to fend for themselves.

It is unrealistic to expect all companies to universally park domains for a month before using them because a very small minority of people are on networks with a draconian NRD policy.

If people cannot access the site because of those policies, those people should be addressing their concerns with those responsible for maintaining their network.

As far as the DNS servers /dev/nulling all requests to all NRD domains, I can’t imagine it would be too difficult to come up with a heuristic to whitelist some NRDs.

Now, I am by no means an expert in this field, but I can only imagine it would be possible to,

  1. Identify an NRD which is queried coincident with a known domain. E.g. See that oaistatic.com is being queried immediately after a query for chat.openai.com.
  2. Detect a sudden pattern of such events coming simultaneously from all over the world.
  3. Spider the page chat.openai.com and confirm it is requesting assets from chat.openai.com.
  4. Whitelist the url.

:man_shrugging:

Regardless, if I build a house and throw a housewarming party and you can’t figure out how to get there because you choose to use a niche mapping application which refuses to give you directions to a new development even though I published my address far and wide for anyone who wanted it, that’s not on me.

I am happy for discussion around technical aspects of ChatGPT as well as aspects of its use and problems encountered to reside on the developer forum.

It should be noted that requests for assistance on specific issues relating to accounts, payments and access should be addressed to help.openai.com for resolution.

On this particular topic, the facts are these:

  1. OpenAI created a new domain.
  2. Some firewall and internet protection systems have flagged this new site as potentially harmful.

The typical way to manage this situation would be to contact the network administration team and inform them of the issue; they can then use their own internal best practices to make a determination of work to be carried out. Hopefully this work involves allowing the OpenAI domain through the firewall. If this is not the case then it is up to the individual concerned to raise the problem with their department head to be escalated.

The new domain is a requirement of authentication systems used by industry and is not optional; use of the OpenAI services is clearly dependent upon a compatible network infrastructure being available.

This issue is self-resolving 30 days from the domain creation so hopefully it will be moot shortly.

1 Like

The issue is because OpenAI is using a newly registered domain (oaistatic[.]com) to host some content. A common red flag for malicious content is new domains. Many security tools and DNS providers prevent resolving DNS lookups of new domains. They registered the domain in late September 2023. If you go to developer tools you will see calls to cdn[.]oaistatic[.]com

1 Like

@elmstedt Newly registered domains are a common vector used by bad actors for phishing campaigns and Command and Control. It is also not a practice relegated to small niche players or draconian lockdown measure. Palo Alto’s Unit 42 found that over 70% of NRDs were used for malicious. It is common, good, security practice to block NRDs. Not just for unsophisticated.

1 Like

@jello01drake Welcome to the Community! :handshake:

Newly registered domains are a common vector used by bad actors for phishing campaigns and Command and Control.

Yes, I am aware.

It is also not a practice relegated to small niche players

No, but blocking all NRDs also is not something done by the vast majority of DNS servers nor is it done by the most significant public DNS servers.

or draconian lockdown measure.

It’s a perfect example of a draconian measure.

Palo Alto’s Unit 42 found that over 70% of NRDs were used for malicious.

They did not. They found,

Our analysis shows that more than 70% of NRDs are “malicious” or “suspicious” or “not safe for work.”

Specifically,

Only 1.27% of NRDs are actually confirmed to be malicious

Some other statistics,

This is why I wrote that blocking all NRDs for 33 days as a default is draconian—it’s excessively harsh and severe.

100% of legitimate users are punished by a blanket NRD blocking policy while it is easy enough for bad actors to simply age a domain.

It’s also completely arbitrary and extreme to block for 33 days when the vast majority of such malicious domains are much younger.

It is common,

I’m not saying it’s uncommon, but to say it’s “common” is a stretch unless you’re talking about some very specific networks like banking, government, and universities. The best estimate I’ve seen is that under 10% of DNS servers block NRDs, and those that do are typically much smaller than average in terms of the volume of lookups they process.

good, security practice to block NRDs.

An even “better” security practice would be to block all domains younger than a year… Or ten years even!

Does it provide security? Yes, a very little amount. Is it a “good” practice? No.

Not just for unsophisticated.

You’re right, there are some use cases where it does make sense to use these draconian policies—the aforementioned banking and government, but I would hope you would agree the overwhelming majority of people who fall victim to phishing attacks are unsophisticated at least in the realm of online security.

1 Like

And those banking and government use cases are of such crucial importance to OpenAI that OpenAI has dedicated multiple sections of its website referencing these customers, which include, but are not limited to:

  • Government of Iceland
  • Morgan Stanley
  • CARLYLE
  • Robinhood
  • Stripe
  • Square
  • Ramp
  • Broadridge

Further, OpenAI’s own research shows that 4 out of every 5 Fortune 500 companies use ChatGPT for work. All of which run high-security network environments.

Everyone makes mistakes. OpenAI made a mistake here. That reality caused far-reaching consequences—especially to OpenAI’s commercial customers. I’m confident that this has been a lesson-learned for OpenAI, and that it’s not something that we’ll see recur.