Bitcoin Forum
Topic: Forum HTTPS problems
#1 - Hyena (OP) - January 10, 2015, 09:01:10 PM
Last edit: January 12, 2015, 12:40:38 AM by theymos

This topic is weird because it seems to have some SSL problem. I logged in to the forums from this link and later discovered that it didn't actually use https although it should have used it. Is it a security threat? Other bitcointalk topics seem to be OK but this one is different. Is it some bug in Firefox?

★★★ CryptoGraffiti.info ★★★ Hidden Messages Found from the Block Chain (Thread)
#2 - Jay_Pal - January 10, 2015, 09:58:13 PM

I'm on Firefox and it is showing all right.
How's Google SSL? Or other pages?
Found out months ago my employer deliberately broke SSL on almost every sensitive page (including netbanking) so they could monitor us...
The behavior was exactly that.

Best faucet EVER! - Freebitco.in
Don't Panic... - 1G8zjUzeZBfJpeCbz1MLTc6zQHbLm78vKc
Why not mine from the browser?
#3 - Hyena (OP) - January 10, 2015, 10:25:53 PM
Last edit: January 10, 2015, 10:37:06 PM by Hyena

Other pages seem to be OK right now, but some time ago I saw problems on other pages too. The paranoia lies in the fact that this is my home PC. However, the security police of my country might be trying to snoop on me these days due to the work I do. Anyway, let's suppose the government agency has somehow broken my SSL and is doing a man-in-the-middle attack even though I use a VPN all the time. How can I disrupt that attack or check if the attack is indeed going on?

Edit:
Now I no longer see that old message. Now it shows "Verified by: GeoTrust, Inc." so something has changed. The strange thing a couple of days ago was that I was developing a website and at some point Firefox crashed. After starting it again I was logged out from all the pages where I normally would remain signed in.

#4 - cr1776 - January 11, 2015, 01:47:54 AM

Mine shows GeoTrust -> RapidSSL

You can use browser plugins, e.g. CertPatrol-type ones, to monitor the certs.

You can also check the SSL fingerprint, as shown here:
http://www.reddit.com/r/Bitcoin/comments/1rvrrn/bitcointalkorg_man_in_the_middle_attack_change/

(Of course, if you are MITM'd they could, in theory, replace that.)


#5 - Hyena (OP) - January 11, 2015, 07:05:30 AM

Thanks, I like the CertPatrol idea, it's exactly the kind of plugin I had in mind. However, what concerns me now is that when I entered this page and the CertPatrol message appeared, it showed this fingerprint when I chose to see the details:
7B:CF:43:CE:3B:6A:9E:78:62:81:76:6F:9A:71:7A:DA:E2:7C:37:C6

However, the reddit topic you linked shows this fingerprint:
29:0E:CC:82:2B:3C:CE:0A:73:94:35:A0:26:15:EC:D3:EB:1F:46:6B

Any ideas why they're different?

Edit: after a while I refreshed this page and it accepted another certificate with this fingerprint:
27:D3:D3:5F:3D:4C:D9:0D:60:8B:B7:0C:5B:5E:5C:F3:01:BD:4E:26
and it's different again :S

#6 - Hyena (OP) - January 11, 2015, 07:23:57 AM
Last edit: January 11, 2015, 07:36:07 AM by Hyena

Can anyone compare this with theirs?

Edit:
It seems that *.bitcointalk.org (ip.bitcointalk.org) is sometimes accessed and then it says COMODO CA Limited for issuer organization and the SHA1 fingerprint is 27:D3:D3:5F:3D:4C:D9:0D:60:8B:B7:0C:5B:5E:5C:F3:01:BD:4E:26. The strange thing is that I don't see that certificate in my list of certificates.

#7 - Christian1998 - January 11, 2015, 07:37:57 AM

@Hyena
I have the same SHA1 fingerprint:

I am using Windows 8 Enterprise & Google Chrome (Version 39.0.2171.95 m).
Best regards
#8 - Hyena (OP) - January 11, 2015, 07:47:05 AM

Thank you! No MITM then, I guess. Also, I found this nice command line that you can use to retrieve and print the fingerprint of the domain:
Code:
openssl s_client -connect bitcointalk.org:443 < /dev/null 2>/dev/null | openssl x509 -fingerprint -noout -in /dev/stdin
In my case, it prints: SHA1 Fingerprint=7B:CF:43:CE:3B:6A:9E:78:62:81:76:6F:9A:71:7A:DA:E2:7C:37:C6

This is an important discovery because I can establish a trusted SSH connection to another domain that is less likely to be compromised. I can execute the above command on multiple independent systems and compare the fingerprints. Nice!

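As an added example (not code from this thread or from any of its posters), the following script does from Python what cr1776's CertPatrol suggestion and Hyena's openssl one-liner do by hand: fetch the leaf certificate a server presents, print its fingerprint in the colon-separated form CertPatrol and `openssl x509 -fingerprint` use, and compare what several independent vantage points observed. One caveat the thread's varying fingerprints illustrate: a server fronting several names can hand back a different (e.g. wildcard) certificate when the client sends no SNI, and `openssl s_client` only sends SNI by default from OpenSSL 1.1.1 on (older builds need `-servername`), so the script always sends it. The host name and the vantage-point labels are assumptions.

```python
"""Certificate fingerprint check from several vantage points (added example)."""
import hashlib
import socket
import ssl
from collections import Counter


def fingerprint(der, algo="sha256"):
    """Colon-separated upper-case hex digest of a DER-encoded certificate.

    SHA-1 is what CertPatrol and the openssl command in the thread print;
    SHA-256 is what browsers show today.  Both are digests of the same DER
    bytes, so one certificate always yields the same pair of values.
    """
    digest = hashlib.new(algo, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fetch_leaf_der(host, port=443, timeout=10.0):
    """Return the DER leaf certificate `host` presents, sending SNI.

    Verification is deliberately switched off: the point is to see the
    certificate exactly as served, including one an interception box presents
    that the local trust store would reject.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def compare_observations(observed):
    """Split vantage points into the majority view and the outliers.

    `observed` maps a vantage-point label to the fingerprint it saw.  Returns
    (consensus_fingerprint, {label: fingerprint}) for every point that saw
    something else.  An outlier means that path sees a different certificate:
    an interception box, a different backend, or a missing SNI.  Agreement
    everywhere rules out a MITM on any single path, not one at the server side
    that every path traverses.  On a tie the first-seen value wins.
    """
    counts = Counter(observed.values())
    consensus = counts.most_common(1)[0][0]
    outliers = {label: fp for label, fp in observed.items() if fp != consensus}
    return consensus, outliers


if __name__ == "__main__":
    # Live use (needs network).  Gather the local observation and paste in the
    # values other machines reported; the second entry is a placeholder that
    # simply repeats the local value (assumed data, not a real remote report).
    host = "bitcointalk.org"
    here = fingerprint(fetch_leaf_der(host), "sha1")
    seen = {"this-machine": here, "vps-elsewhere": here}
    consensus, outliers = compare_observations(seen)
    print(f"{host}: consensus {consensus}")
    print("outliers:", outliers or "none")
```

Run it on each independent box (or feed the remote values in by hand) and compare the `outliers` dictionary; a single path disagreeing is the signal to look at, and the SHA-256 form is the one to record going forward since SHA-1 is what browsers have retired.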
#9 - Jay_Pal - January 11, 2015, 12:52:43 PM

That's the same fingerprint I have.
At my job, I've circumvented their privacy abuse by tunneling my traffic over an SSH tunnel.

#10 - fenghush - January 11, 2015, 12:55:22 PM

They can still hijack your DNS requests over SSH tunnel though.

#11 - cr1776 - January 11, 2015, 01:04:30 PM

Domain Control Validated - RapidSSL(R)
GeoTrust, Inc.
Serial: 1302870
SHA1: 7B CF 43 CE 3B 6A 9E 78 62 81 76 6F 9A 71 7A DA E2 7C 37 C6
MD5: 9B B9 0C 19 73 32 0A 2D CF 34 08 55 14 7B 59 BC
Pub key:
256 bytes


It does appear to match here too.
#12 - Jay_Pal - January 11, 2015, 01:09:34 PM

Quote from: fenghush
They can still hijack your DNS requests over SSH tunnel though.

Yes, they could, although I can't see how that would affect my personal data.
I might not be seeing the whole problem, I confess.
I just don't want them to be reading my Facebook or my Gmail. I don't really care if they know I went to those pages (everybody does). I just don't want them to be able to access my accounts and read my personal and private stuff.
They claim security measures to avoid data stealing, like encrypting USB drives (including mobile phone storage!! Hell of a problem to solve, since my phone was unable to access the files...!!), but they never talked about this measure and one day I stumbled on it.
They don't realize those who steal data from them are recording DVD disks, printing the data and chatting in real life to other people, not using pen drives or email accounts!!

#13 - Hyena (OP) - January 11, 2015, 01:13:32 PM

Quote from: fenghush
They can still hijack your DNS requests over SSH tunnel though.

Yeah, I lately discovered (https://dnsleaktest.com/) that my VPN had a DNS leak for who knows how long. I had to explicitly define the DNS to use for that VPN connection (luckily my VPN service provider has its own DNS). So, my government probably knows what porn sites I visit :P

#14 - fenghush - January 11, 2015, 02:11:17 PM

They would need to break SSL to read your Gmail/Facebook etc. or get a CA to sign a valid certificate, but for non-encrypted traffic they can run transparent proxies which log data and a rogue DNS server which returns the IPs of their transparent proxies. Since DNS mostly works over UDP, the source IP can be spoofed.

#15 - Jay_Pal - January 11, 2015, 03:12:07 PM

Quote from: fenghush
They would need to break SSL to read your gmail/facebook etc or get a CA to sign a valid certificate, but for non encrypted traffic they can run transparent proxies which log data and a rogue DNS server which returns the IPs of their transparent proxies. Since DNS mostly works over UDP the source IP can be spoofed.

I see... The unencrypted traffic doesn't bother me, and I guess they don't do that, they just log the data.
It's all the rest that bothers me (banking accounts, email, facebook, etc), so I guess I can say that I am somehow safe.
Thanks anyway for enlightening me!

#16 - Hyena (OP) - January 11, 2015, 03:24:56 PM

In theory, of course, they would have to break SSL or get a CA to sign a valid certificate. However, if you use a compromised DNS they can direct your traffic to their own server and proxy Facebook for you with a self-signed certificate. Your browser would then notice that the certificate has changed, and if you don't pay attention to it you will be MITMed. I have encountered such behaviour in a military network where absolutely every web request you made showed the "Get me out of here" Firefox warning, so to browse the internet you had to add every page as an exception. What's worse is disabling HTTPS altogether. OkCupid.com, for example, does not have HTTPS and those assholes silently change the protocol for you. So for example you go to https://okcupid.com and it will immediately become http://okcupid.com

I think the snoopers can disable HTTPS for you similarly to how OkCupid has done it. You will have to pay close attention to your address bar.

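As an added example (not code from this thread or from Hyena), here are two checks that replace watching the address bar: walk the redirect hops a client followed and flag any https:// request that was answered with a Location pointing at http://, and parse Strict-Transport-Security, because an HSTS policy (or a preload-list entry) makes the browser rewrite http:// to https:// before the request ever leaves, which is what defeats both the OkCupid-style switch and an on-path box that rewrites links to plain HTTP. A site that deliberately bounces to http:// cannot be protected by HSTS, but the first check at least makes the bounce visible. The hop records and host names below are constructed sample data, not captured traffic.

```python
"""Flagging an HTTPS-to-HTTP downgrade and reading HSTS (added example)."""
from urllib.parse import urlsplit


def parse_hsts(value):
    """Parse a Strict-Transport-Security header value.

    Returns {"max_age": int, "include_subdomains": bool, "preload": bool},
    or None when the header is absent or carries no valid max-age (a browser
    ignores such a header entirely).
    """
    if not value:
        return None
    out = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name = name.lower()
        if name == "max-age":
            arg = arg.strip().strip('"')
            if not arg.isdigit():
                return None
            out["max_age"] = int(arg)
        elif name == "includesubdomains":
            out["include_subdomains"] = True
        elif name == "preload":
            out["preload"] = True
    return out if out["max_age"] is not None else None


def _header(headers, name):
    """Case-insensitive header lookup (HTTP header names are case-insensitive)."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def find_downgrades(hops):
    """hops: [(request_url, status, headers), ...] in the order followed.

    Returns [(from_url, to_url)] for every redirect that moved the client from
    https:// to http://.  A relative Location inherits the request's scheme,
    so only absolute http:// targets count as a downgrade.
    """
    found = []
    for url, status, headers in hops:
        if urlsplit(url).scheme != "https" or not 300 <= status < 400:
            continue
        location = _header(headers, "Location")
        if location and urlsplit(location).scheme == "http":
            found.append((url, location))
    return found


def hsts_active(hops):
    """True if any https:// response in the chain set a usable HSTS policy."""
    for url, _, headers in hops:
        if urlsplit(url).scheme != "https":
            continue  # browsers honour HSTS only when received over TLS
        policy = parse_hsts(_header(headers, "Strict-Transport-Security"))
        if policy and policy["max_age"] > 0:
            return True
    return False


# Constructed sample: a site that silently bounces https:// to http://.
DOWNGRADE_CHAIN = [
    ("https://dating.example/", 302, {"Location": "http://dating.example/"}),
    ("http://dating.example/", 200, {"Content-Type": "text/html"}),
]

# Constructed sample: a forum that stays on https:// and pins the browser to it.
HSTS_CHAIN = [
    ("https://forum.example/index.php", 200,
     {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"}),
]

if __name__ == "__main__":
    for name, chain in (("downgrade", DOWNGRADE_CHAIN), ("hsts", HSTS_CHAIN)):
        print(name, "downgrades:", find_downgrades(chain),
              "hsts:", hsts_active(chain))
```

To use it on live traffic, record each hop's request URL, status and response headers from your HTTP client (or a proxy log) and feed the list in; a non-empty `find_downgrades` result on a site you expected to stay on HTTPS is exactly the "silently changed protocol" case described above.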
#17 - Jay_Pal - January 11, 2015, 03:29:41 PM

But if you create an SSH tunnel to a trusted machine (a home server, for example) and point your browser (or other software like bitcoind) to your local proxy tunnel, you are already encrypting everything and no compromised DNS servers are involved, isn't that right?
Or does the DNS spoofing take place before the tunneling?

#18 - Hyena (OP) - January 11, 2015, 03:34:02 PM

Quote from: Jay_Pal
But if you create an SSH tunnel to a trusted machine (a home server, for example) and point your browser (or other software like bitcoind) to your local proxy tunnel, you are already encrypting everything and no compromised DNS servers are involved, isn't that right?
Or does the DNS spoofing take place before the tunneling?

There is a real threat that your DNS lookups take place before any tunneling. To be sure, use this test: https://dnsleaktest.com/

Edit: I don't know the specifics of SSH tunneling, but with VPN it is a threat.

#19 - Jay_Pal - January 11, 2015, 03:36:50 PM

Oh great!
I'll test it out tomorrow at my workplace...
Thank you very much for the help!

#20 - fenghush - January 11, 2015, 03:44:19 PM

Your browser, or any other client software which passes its requests via the proxy, first tries to resolve the hostname via the DNS specified on your network interface; the DNS requests are NOT passed via the SSH tunnel. A misconfigured VPN server can suffer the same: although the DNS requests are passed via the VPN interface and are encrypted, if the DNS server is run by an untrusted party such as your ISP the resolved IPs cannot be trusted, as they may be transparent proxies which log requests.
Another thing to keep in mind when browsing via an SSH tunnel is Flash: connections made by the Flash plugin are NOT passed via the SSH tunnel but over the actual direct internet connection, which may compromise your anonymity. The same applies to Java applets and other browser plugins which are able to create remote sockets that bypass the proxy settings in your browser.
