Forum HTTPS problems

[Hyena]

This topic is weird because it seems to have some SSL problem. I logged in to the forums from this link and later discovered that it didn't actually use https although it should have used it. Is it a security threat? Other bitcointalk topics seem to be OK but this one is different. Is it some bug in Firefox?

[Jay_Pal]

This topic is weird because it seems to have some SSL problem. I logged in to the forums from this link and later discovered that it didn't actually use https although it should have used it. Is it a security threat? Other bitcointalk topics seem to be OK but this one is different. Is it some bug in Firefox?

I'm on firefox and it is showing all right.
How's google ssl? or other pages?
Found out months ago my employer deliberately broke ssl on almost every sensitive page (including netbanking) so they could monitor us...
The behavior was exactly that.

[Hyena]

This topic is weird because it seems to have some SSL problem. I logged in to the forums from this link and later discovered that it didn't actually use https although it should have used it. Is it a security threat? Other bitcointalk topics seem to be OK but this one is different. Is it some bug in Firefox?

I'm on firefox and it is showing all right.
How's google ssl? or other pages?
Found out months ago my employer deliberately broke ssl on almost every sensitive page (including netbanking) so they could monitor us...
The behavior was exactly that.

Other pages seem to be OK right now but some time ago I saw problems in other pages too. The paranoia lies in the fact that this is my home PC. However, the security police of my country might be trying to snoop on me these days due to the work I do. Anyway, let's suppose the government agency has somehow broken my SSL and is doing the man in the middle attack even though I use VPN all the time. How can I disrupt that attack or check if the attack is indeed going on?

edit:
now I no longer see that old message. now it shows "Verified by: GeoTrust, Inc." so something has changed. the strange thing a couple of days ago was that I was developing a website and at some point firefox crashed. after starting it again I was logged out from all the pages where I normally would remain signed in.

[cr1776]

This topic is weird because it seems to have some SSL problem. I logged in to the forums from this link and later discovered that it didn't actually use https although it should have used it. Is it a security threat? Other bitcointalk topics seem to be OK but this one is different. Is it some bug in Firefox?

I'm on firefox and it is showing all right.
How's google ssl? or other pages?
Found out months ago my employer deliberately broke ssl on almost every sensitive page (including netbanking) so they could monitor us...
The behavior was exactly that.

Other pages seem to be OK right now but some time ago I saw problems in other pages too. The paranoia lies in the fact that this is my home PC. However, the security police of my country might be trying to snoop on me these days due to the work I do. Anyway, let's suppose the government agency has somehow broken my SSL and is doing the man in the middle attack even though I use VPN all the time. How can I disrupt that attack or check if the attack is indeed going on?

edit:
now I no longer see that old message. now it shows "Verified by: GeoTrust, Inc." so something has changed. the strange thing a couple of days ago was that I was developing a website and at some point firefox crashed. after starting it again I was logged out from all the pages where I normally would remain signed in.

Mine shows GeoTrust -> RapidSSL

You can use browser plugins, eg certpatrol type to monitor the certs for example.

You can also check the ssl fingerprint, like shown here:
http://www.reddit.com/r/Bitcoin/comments/1rvrrn/bitcointalkorg_man_in_the_middle_attack_change/

(Of course if you are mitm'd they could, in theory replace that. )

[Hyena]

This topic is weird because it seems to have some SSL problem. I logged in to the forums from this link and later discovered that it didn't actually use https although it should have used it. Is it a security threat? Other bitcointalk topics seem to be OK but this one is different. Is it some bug in Firefox?

I'm on firefox and it is showing all right.
How's google ssl? or other pages?
Found out months ago my employer deliberately broke ssl on almost every sensitive page (including netbanking) so they could monitor us...
The behavior was exactly that.

Other pages seem to be OK right now but some time ago I saw problems in other pages too. The paranoia lies in the fact that this is my home PC. However, the security police of my country might be trying to snoop on me these days due to the work I do. Anyway, let's suppose the government agency has somehow broken my SSL and is doing the man in the middle attack even though I use VPN all the time. How can I disrupt that attack or check if the attack is indeed going on?

edit:
now I no longer see that old message. now it shows "Verified by: GeoTrust, Inc." so something has changed. the strange thing a couple of days ago was that I was developing a website and at some point firefox crashed. after starting it again I was logged out from all the pages where I normally would remain signed in.

Mine shows GeoTrust -> RapidSSL

You can use browser plugins, eg certpatrol type to monitor the certs for example.

You can also check the ssl fingerprint, like shown here:
http://www.reddit.com/r/Bitcoin/comments/1rvrrn/bitcointalkorg_man_in_the_middle_attack_change/

(Of course if you are mitm'd they could, in theory replace that. )

Thanks, I like the certpatrol idea, it's exactly the kind of plugin I had in mind. However, what concerns me now is that when I entered this page and the certpatrol message appeared, it showed this fingerprint when I chose to see the details:
7B:CF:43:CE:3B:6A:9E:78:62:81:76:6F:9A:71:7A:DA:E2:7C:37:C6

However, the reddit topic you linked shows this fingerprint:
29:0E:CC:82:2B:3C:CE:0A:73:94:35:A0:26:15:EC:D3:EB:1F:46:6B

Any ideas why they're different?

edit: after a while I made refersh to this page and it accepted another certificate with this fingerprint:
27:D3:D3:5F:3D:4C:D9:0D:60:8B:B7:0C:5B:5E:5C:F3:01:BD:4E:26
and it's different again :S

[Hyena]

Thanks, I like the certpatrol idea, it's exactly the kind of plugin I had in mind. However, what concerns me now is that when I entered this page and the certpatrol message appeared, it showed this fingerprint when I chose to see the details:
7B:CF:43:CE:3B:6A:9E:78:62:81:76:6F:9A:71:7A:DA:E2:7C:37:C6

However, the reddit topic you linked shows this fingerprint:
29:0E:CC:82:2B:3C:CE:0A:73:94:35:A0:26:15:EC:D3:EB:1F:46:6B

Any ideas why they're different?

edit: after a while I made refersh to this page and it accepted another certificate with this fingerprint:
27:D3:D3:5F:3D:4C:D9:0D:60:8B:B7:0C:5B:5E:5C:F3:01:BD:4E:26
and it's different again :S

Can anyone compare this with theirs?

edit:
it seems that *.bitcointalk.org (ip.bitcointalk.org) is sometimes accessed and then it says  COMODO CA Limited for issuer organization and the SHA1 fingerprint is 27:D3:D3:5F:3D:4C:D9:0D:60:8B:B7:0C:5B:5E:5C:F3:01:BD:4E:26. The strange this is that I don't see that certificate in my list of certificates.

[Christian1998]

@Hyena
I have the same SHA1-Fingerprint:

Iam using Windows 8 Enterprise & Google Chrome (Version 39.0.2171.95 m).
Best regards

[Hyena]

@Hyena
I have the same SHA1-Fingerprint:
...
Iam using Windows 8 Enterprise & Google Chrome (Version 39.0.2171.95 m).
Best regards

Thank you! No MITM then I guess. Also, I found this nice command line that you can use to retrieve and print the fingerprint of the domain:

Code:

openssl s_client -connect bitcointalk.org:443 < /dev/null 2>/dev/null | openssl x509 -fingerprint -noout -in /dev/stdin

In my case, it prints: SHA1 Fingerprint=7B:CF:43:CE:3B:6A:9E:78:62:81:76:6F:9A:71:7A:DA:E2:7C:37:C6

This is an important discovery because I can establish a trusted SSH connection to another domain that is less likely compromised. I can execute the above command in multiple independent systems and compare the fingerprints. Nice!

[Jay_Pal]

@Hyena
I have the same SHA1-Fingerprint:
...
Iam using Windows 8 Enterprise & Google Chrome (Version 39.0.2171.95 m).
Best regards

Thank you! No MITM then I guess. Also, I found this nice command line that you can use to retrieve and print the fingerprint of the domain:

Code:

openssl s_client -connect bitcointalk.org:443 < /dev/null 2>/dev/null | openssl x509 -fingerprint -noout -in /dev/stdin

In my case, it prints: SHA1 Fingerprint=7B:CF:43:CE:3B:6A:9E:78:62:81:76:6F:9A:71:7A:DA:E2:7C:37:C6

This is an important discovery because I can establish a trusted SSH connection to another domain that is less likely compromised. I can execute the above command in multiple independent systems and compare the fingerprints. Nice!

That's the same fingerprint I have.
At my job, I've circumvented their privacy abuse by tunneling my traffic over an ssh tunnel.

[fenghush]

They can still hijack your DNS requests over SSH tunnel though.

@Hyena
I have the same SHA1-Fingerprint:
...
Iam using Windows 8 Enterprise & Google Chrome (Version 39.0.2171.95 m).
Best regards

Thank you! No MITM then I guess. Also, I found this nice command line that you can use to retrieve and print the fingerprint of the domain:

Code:

openssl s_client -connect bitcointalk.org:443 < /dev/null 2>/dev/null | openssl x509 -fingerprint -noout -in /dev/stdin

In my case, it prints: SHA1 Fingerprint=7B:CF:43:CE:3B:6A:9E:78:62:81:76:6F:9A:71:7A:DA:E2:7C:37:C6

This is an important discovery because I can establish a trusted SSH connection to another domain that is less likely compromised. I can execute the above command in multiple independent systems and compare the fingerprints. Nice!

That's the same fingerprint I have.
At my job, I've circumvented their privacy abuse by tunneling my traffic over an ssh tunnel.

[cr1776]

Thanks, I like the certpatrol idea, it's exactly the kind of plugin I had in mind. However, what concerns me now is that when I entered this page and the certpatrol message appeared, it showed this fingerprint when I chose to see the details:
7B:CF:43:CE:3B:6A:9E:78:62:81:76:6F:9A:71:7A:DA:E2:7C:37:C6

However, the reddit topic you linked shows this fingerprint:
29:0E:CC:82:2B:3C:CE:0A:73:94:35:A0:26:15:EC:D3:EB:1F:46:6B

Any ideas why they're different?

edit: after a while I made refersh to this page and it accepted another certificate with this fingerprint:
27:D3:D3:5F:3D:4C:D9:0D:60:8B:B7:0C:5B:5E:5C:F3:01:BD:4E:26
and it's different again :S

Can anyone compare this with theirs?

edit:
it seems that *.bitcointalk.org (ip.bitcointalk.org) is sometimes accessed and then it says  COMODO CA Limited for issuer organization and the SHA1 fingerprint is 27:D3:D3:5F:3D:4C:D9:0D:60:8B:B7:0C:5B:5E:5C:F3:01:BD:4E:26. The strange this is that I don't see that certificate in my list of certificates.

Domain Control Validated - RapidSSL(R)
GeoTrust, Inc.
Serial: 1302870
SHA1: 7B CF 43 CE 3B 6A 9E 78 62 81 76 6F 9A 71 7A DA E2 7C 37 C6
MD5: 9B B9 0C 19 73 32 0A 2D CF 34 08 55 14 7B 59 BC
Pub key:
256 bytes : C8 9D 5F 0E 95 79 AD B9 9F 6E B5 16 C9 BD 12 0E 98 2F 23 08 00 73 3F 71 B2 CE FB 93 8E 5F 2A 12 7D 35 C6 91 F3 F6 EC 3E AB BD 06 08 5B 12 C1 6E 96 71 33 20 BA 93 1A A2 C3 15 56 6D DE 9B 3F 6F F4 06 0A 92 06 96 B7 F8 7F 65 F5 C8 0E AB A2 8B A6 33 11 82 8E EB BA A0 67 48 93 D1 F0 2B 45 68 5F 07 FD 6F 1F 3F 3E 11 58 E7 E3 C9 91 24 8F AA F9 C9 B2 84 1D 13 67 94 63 D4 EF D0 E3 4D 48 4F F8 47 A7 EC 95 72 5A 03 F6 94 4F D5 F7 76 92 ED 55 71 A8 12 14 E7 BE 5E BF 33 9A B2 EA 10 D9 54 93 42 25 60 0C 86 D5 A3 F6 5E D5 EE 0D C9 94 23 F2 D6 CB 24 EE E0 6C 50 37 2A 9D 6E 41 19 3B 9F C0 D7 16 BD AC 1E A8 59 D1 0A 23 E4 E8 61 1F 7E CD DA D5 91 74 65 F1 E0 D8 96 D8 28 2C 0F 5E 94 67 F9 18 B6 D0 4F 2E 39 A4 67 13 51 AA 4B 21 04 8B A8 45 91 E0 8C 25 8D B3 FD 10 D9 61 10 9D 1F


It does appear to match here too.

[Jay_Pal]

They can still hijack your DNS requests over SSH tunnel though.

@Hyena
I have the same SHA1-Fingerprint:
...
Iam using Windows 8 Enterprise & Google Chrome (Version 39.0.2171.95 m).
Best regards

Thank you! No MITM then I guess. Also, I found this nice command line that you can use to retrieve and print the fingerprint of the domain:

Code:

openssl s_client -connect bitcointalk.org:443 < /dev/null 2>/dev/null | openssl x509 -fingerprint -noout -in /dev/stdin

In my case, it prints: SHA1 Fingerprint=7B:CF:43:CE:3B:6A:9E:78:62:81:76:6F:9A:71:7A:DA:E2:7C:37:C6

This is an important discovery because I can establish a trusted SSH connection to another domain that is less likely compromised. I can execute the above command in multiple independent systems and compare the fingerprints. Nice!

That's the same fingerprint I have.
At my job, I've circumvented their privacy abuse by tunneling my traffic over an ssh tunnel.

Yes, they could, although I can't see how that would affect my personal data.
I might not be seeing the hole problem, I confess.
I just don't want them to be reading my facebook, or my gmail. I don't really care if they know I went to those pages (everybody does). I just don't want them to be able to access my accounts and read my personal and private stuff.
They claim security measures to avoid data stealing like encrypting usb drives (including mobile phone storage!! Hell of a problem to solve, since my phone was unable to access the files...!!) but they never talked about this measure and one day I stumble on it.
They don't realize those who steal data from them are recording DVD disks, printing the data and chatting in real life to other people, not using pen drives or email accounts!!

[Hyena]

They can still hijack your DNS requests over SSH tunnel though.

Yeah, I lately discovered (https://dnsleaktest.com/) that my VPN had DNS leak for who knows how long. I had to explicitly define the DNS to use for that VPN connection (luckily my VPN service provider has its own DNS). So, my government probably knows what porn sites I visit

[fenghush]

They would need to break SSL to read your gmail/facebook etc or get a CA to sign a valid certificate, but for non encrypted traffic they can run transparent proxies which log data and a rogue DNS server which returns the IPs of their transparent proxies. Since DNS mostly works over UDP the source IP can be spoofed.

They can still hijack your DNS requests over SSH tunnel though.

@Hyena
I have the same SHA1-Fingerprint:
...
Iam using Windows 8 Enterprise & Google Chrome (Version 39.0.2171.95 m).
Best regards

Thank you! No MITM then I guess. Also, I found this nice command line that you can use to retrieve and print the fingerprint of the domain:

Code:

openssl s_client -connect bitcointalk.org:443 < /dev/null 2>/dev/null | openssl x509 -fingerprint -noout -in /dev/stdin

In my case, it prints: SHA1 Fingerprint=7B:CF:43:CE:3B:6A:9E:78:62:81:76:6F:9A:71:7A:DA:E2:7C:37:C6

This is an important discovery because I can establish a trusted SSH connection to another domain that is less likely compromised. I can execute the above command in multiple independent systems and compare the fingerprints. Nice!

That's the same fingerprint I have.
At my job, I've circumvented their privacy abuse by tunneling my traffic over an ssh tunnel.

Yes, they could, although I can't see how that would affect my personal data.
I might not be seeing the hole problem, I confess.
I just don't want them to be reading my facebook, or my gmail. I don't really care if they know I went to those pages (everybody does). I just don't want them to be able to access my accounts and read my personal and private stuff.
They claim security measures to avoid data stealing like encrypting usb drives (including mobile phone storage!! Hell of a problem to solve, since my phone was unable to access the files...!!) but they never talked about this measure and one day I stumble on it.
They don't realize those who steal data from them are recording DVD disks, printing the data and chatting in real life to other people, not using pen drives or email accounts!!

[Jay_Pal]

They would need to break SSL to read your gmail/facebook etc or get a CA to sign a valid certificate, but for non encrypted traffic they can run transparent proxies which log data and a rogue DNS server which returns the IPs of their transparent proxies. Since DNS mostly works over UDP the source IP can be spoofed.

I see... The unencrypted traffic doesn't bother me, and I guess they don't do that, they just log the data.
It's all the rest that bothers me (banking accounts, email, facebook, etc), so I guess I can say that I am somehow safe.
Thanks anyway for enlightening me!

[Hyena]

They would need to break SSL to read your gmail/facebook etc or get a CA to sign a valid certificate, but for non encrypted traffic they can run transparent proxies which log data and a rogue DNS server which returns the IPs of their transparent proxies. Since DNS mostly works over UDP the source IP can be spoofed.

I see... The unencrypted traffic doesn't bother me, and I guess they don't do that, they just log the data.
It's all the rest that bothers me (banking accounts, email, facebook, etc), so I guess I can say that I am somehow safe.
Thanks anyway for enlightening me!

In theory of course it applies that they would have to break SSL or get a CA to sign a valid certificate. However, if you use a compromised DNS they can direct your traffic to their own server and proxy facebook for you with a self signed certificate. Your browser would then notice that the certificate has changed and if you don't pay attention to it you will be MITMed. I have encountered such behaviour in a military network where absolutely every web request you made showed "Get me out of here" firefox warning so to browse the internet you had to add every page as exception. What's worse is disabling https altogether. OkCupid.com for example does not have HTTPS and those assholes silently change the protocol for you. So for example you go to https://okcupid.com and it will immediately become http://okcupid.com

I think the snoopers can disable HTTPS for you similarly to how okcupid has done it. You will have to pay close attention to your address bar.

[Jay_Pal]

They would need to break SSL to read your gmail/facebook etc or get a CA to sign a valid certificate, but for non encrypted traffic they can run transparent proxies which log data and a rogue DNS server which returns the IPs of their transparent proxies. Since DNS mostly works over UDP the source IP can be spoofed.

I see... The unencrypted traffic doesn't bother me, and I guess they don't do that, they just log the data.
It's all the rest that bothers me (banking accounts, email, facebook, etc), so I guess I can say that I am somehow safe.
Thanks anyway for enlightening me!

In theory of course it applies that they would have to break SSL or get a CA to sign a valid certificate. However, if you use a compromised DNS they can direct your traffic to their own server and proxy facebook for you with a self signed certificate. Your browser would then notice that the certificate has changed and if you don't pay attention to it you will be MITMed. I have encountered such behaviour in a military network where absolutely every web request you made showed "Get me out of here" firefox warning so to browse the internet you had to add every page as exception. What's worse is disabling https altogether. OkCupid.com for example does not have HTTPS and those assholes silently change the protocol for you. So for example you go to https://okcupid.com and it will immediately become http://okcupid.com

I think the snoopers can disable HTTPS for you similarly to how okcupid has done it. You will have to pay close attention to your address bar.

But if you create as SSH tunnel to a trusted machine (a home server, for example) and point your browser (or other software like bitcoind) to your local proxy tunnel, you are already encrypting all and no compromised DNS servers, isn't that right?
Or does the DNS spoof takes place earlier the tunneling?

[Hyena]

But if you create as SSH tunnel to a trusted machine (a home server, for example) and point your browser (or other software like bitcoind) to your local proxy tunnel, you are already encrypting all and no compromised DNS servers, isn't that right?
Or does the DNS spoof takes place earlier the tunneling?

There is real threat that your DNS may take place earlier than any tunneling. To be sure, use this test: https://dnsleaktest.com/

edit: I don't know the specifics of SSH tunneling but with VPN it is a threat.

[Jay_Pal]

They would need to break SSL to read your gmail/facebook etc or get a CA to sign a valid certificate, but for non encrypted traffic they can run transparent proxies which log data and a rogue DNS server which returns the IPs of their transparent proxies. Since DNS mostly works over UDP the source IP can be spoofed.

I see... The unencrypted traffic doesn't bother me, and I guess they don't do that, they just log the data.
It's all the rest that bothers me (banking accounts, email, facebook, etc), so I guess I can say that I am somehow safe.
Thanks anyway for enlightening me!

In theory of course it applies that they would have to break SSL or get a CA to sign a valid certificate. However, if you use a compromised DNS they can direct your traffic to their own server and proxy facebook for you with a self signed certificate. Your browser would then notice that the certificate has changed and if you don't pay attention to it you will be MITMed. I have encountered such behaviour in a military network where absolutely every web request you made showed "Get me out of here" firefox warning so to browse the internet you had to add every page as exception. What's worse is disabling https altogether. OkCupid.com for example does not have HTTPS and those assholes silently change the protocol for you. So for example you go to https://okcupid.com and it will immediately become http://okcupid.com

I think the snoopers can disable HTTPS for you similarly to how okcupid has done it. You will have to pay close attention to your address bar.

But if you create as SSH tunnel to a trusted machine (a home server, for example) and point your browser (or other software like bitcoind) to your local proxy tunnel, you are already encrypting all and no compromised DNS servers, isn't that right?
Or does the DNS spoof takes place earlier the tunneling?

There is real threat that your DNS may take place earlier than any tunneling. To be sure, use this test: https://dnsleaktest.com/

Oh great!
I'll test it out tomorrow at my workplace...
Thank you very much for the help!

[fenghush]

Your browser or any other client software which passes the requests via the proxy first tries to resolve the hostname via the DNS specified on your network interface, the DNS requests are NOT passed via the ssh tunnel. A misconfigured VPN server can suffer the same, although the DNS requests are passed via the VPN interface and are encrypted, if the DNS server is run by an untrusted party such as your ISP the resolved IPs cannot be trusted as they may be transparent proxies which log requests.
Another thing to keep in mind when browsing via SSH tunnel is flash, connections made by the flash plugin are NOT passed via the SSH tunnel but the actual direct internet connection which may compromise your anonymity, same applies for JAVA applets and other browser plugins which are able to create remote sockets which bypass the proxy settings in your browser.

They would need to break SSL to read your gmail/facebook etc or get a CA to sign a valid certificate, but for non encrypted traffic they can run transparent proxies which log data and a rogue DNS server which returns the IPs of their transparent proxies. Since DNS mostly works over UDP the source IP can be spoofed.

I see... The unencrypted traffic doesn't bother me, and I guess they don't do that, they just log the data.
It's all the rest that bothers me (banking accounts, email, facebook, etc), so I guess I can say that I am somehow safe.
Thanks anyway for enlightening me!

In theory of course it applies that they would have to break SSL or get a CA to sign a valid certificate. However, if you use a compromised DNS they can direct your traffic to their own server and proxy facebook for you with a self signed certificate. Your browser would then notice that the certificate has changed and if you don't pay attention to it you will be MITMed. I have encountered such behaviour in a military network where absolutely every web request you made showed "Get me out of here" firefox warning so to browse the internet you had to add every page as exception. What's worse is disabling https altogether. OkCupid.com for example does not have HTTPS and those assholes silently change the protocol for you. So for example you go to https://okcupid.com and it will immediately become http://okcupid.com

I think the snoopers can disable HTTPS for you similarly to how okcupid has done it. You will have to pay close attention to your address bar.

But if you create as SSH tunnel to a trusted machine (a home server, for example) and point your browser (or other software like bitcoind) to your local proxy tunnel, you are already encrypting all and no compromised DNS servers, isn't that right?
Or does the DNS spoof takes place earlier the tunneling?