
Topic: Certificate Renewal or Man-in-the-middle attack?

legendary
Activity: 1568
Merit: 6660
bitcoincleanup.com / bitmixlist.org
February 15, 2024, 06:54:39 AM
Regarding your original question, it seems it's already answered on Sparrow Wallet FAQ.

I’m getting a “man-in-the-middle” certificate warning when connecting

This is an SSL error, most likely due to an expired certificate. If you are using a public server, it may simply be that the certificate has been replaced, in which case it is safe to proceed. Otherwise, it may make sense to be cautious, especially if you are connecting over a public wifi. To find the existing certificate, look in the certs folder of Sparrow home for a file with the same name as the URL of the server. You can delete that file to clear Sparrow’s record of the SSL cert. It will download the cert again on reconnection.

An expired certificate is not the only way you'll get a warning when connecting to Sparrow Wallet. Also, if the certificate being served is for a different hostname than the one that the wallet is making the request to, the validation will fail and you will also get this warning.

SSH was (and still is) very big about this back in the day. That's why it always shows you the fingerprint before you connect to a server and even makes you type "Yes" or click OK before proceeding, and a lot of software has copied it. It is something that Sparrow should also do tbh. With a checkbox to "don't show this again" of course.
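An added example (not Sparrow's code) of the trust-on-first-use behaviour the FAQ describes and of the hostname-mismatch case: a per-host pin store that reports first contact, a match, or a change, next to a SAN hostname check. The certificate bytes and the PinStore/hostname_matches names are constructed for illustration.

```python
import hashlib

# Added example, not Sparrow's code: a trust-on-first-use pin store like the
# FAQ's per-hostname record in the certs folder, plus the hostname check whose
# failure Firefox reports as SSL_ERROR_BAD_CERT_DOMAIN. Certificates are
# constructed byte strings standing in for real DER; the pin is their SHA-256.

def fingerprint(der: bytes) -> str:
    return hashlib.sha256(der).hexdigest()

def hostname_matches(hostname: str, san_names: list[str]) -> bool:
    """Exact match, or a leftmost wildcard covering exactly one label:
    *.diynodes.com matches electrum.diynodes.com, not a.b.diynodes.com; *.com matches nothing."""
    host = hostname.lower().rstrip(".")
    for name in (n.lower().rstrip(".") for n in san_names):
        if name == host:
            return True
        if name.startswith("*.") and host.endswith(name[1:]):
            label = host[: -len(name) + 1]        # what the '*' would cover
            if label and "." not in label and name.count(".") >= 2:
                return True
    return False

class PinStore:
    def __init__(self):
        self.pins = {}                             # hostname -> pinned sha256

    def check(self, hostname: str, der: bytes, san_names: list[str]) -> str:
        if not hostname_matches(hostname, san_names):
            return "BAD_CERT_DOMAIN"               # wrong name: warn regardless of pin
        fp = fingerprint(der)
        known = self.pins.get(hostname)
        if known is None:
            self.pins[hostname] = fp               # first contact: pin it
            return "FIRST_SEEN"
        if known == fp:
            return "MATCH"
        return "CHANGED"   # renewal or MITM: the pin alone cannot tell which

def demo() -> list[str]:
    store = PinStore()
    host = "electrum.diynodes.com"
    leaf_v1 = b"constructed DER stand-in: diynodes leaf, issued 2023"
    leaf_v2 = b"constructed DER stand-in: diynodes leaf, issued 2024"
    return [
        store.check(host, leaf_v1, ["api.testnet.diynodes.com"]),  # the Firefox error
        store.check(host, leaf_v1, [host]),
        store.check(host, leaf_v1, [host]),
        store.check(host, leaf_v2, ["*.diynodes.com"]),            # Sparrow's popup
    ]
```

Clearing a pin (the FAQ's deleting the file in the certs folder) is just dropping that hostname's entry from `pins`. A CHANGED verdict still cannot separate a renewal from interception, which is why looking at the same server's certificate from an independent path, as the Firefox check in this thread does, is the useful corroboration.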
legendary
Activity: 2870
Merit: 7490
Crypto Swap Exchange
Regarding your original question, it seems it's already answered on Sparrow Wallet FAQ.

I tried accessing the website from browser and got different error.

Quote
Websites prove their identity via certificates. Firefox does not trust this site because it uses a certificate that is not valid for electrum.diynodes.com. The certificate is only valid for api.testnet.diynodes.com.
 
Error code: SSL_ERROR_BAD_CERT_DOMAIN

It looks like the owner of that domain didn't configure the SSL certificate properly. And after I chose to proceed, it showed a 504 Gateway Timeout. I don't think it's dangerous to click Yes, but you'd better use a properly configured Electrum server.
Got it, thank you for checking with Firefox. Is there a rule of thumb for which public servers are safe to go with?

I have never seen anyone create or share such a rule of thumb. The list of servers in the Electrum wallet actually lists servers which have been online for a long time, excluding known malicious nodes. And IIRC Sparrow already manually chose 5 or 6 public Electrum servers that seem trustworthy.

If I run my own bitcoin node, will my sparrow wallet still be compromised from connecting to public servers in the past?

Most likely no. If they had compromised your wallet in the past, they usually would have taken everything you had back then.
legendary
Activity: 2534
Merit: 6080
Self-proclaimed Genius
Currently I have the most air gapped solution where my cold storage hasn't once been connected to my laptop at any point.
In that case, it's completely safe.
That's considering that you haven't exported any of your air-gapped wallet's private keys, not even one.
Because if you do, if compromised, it can be used together with the extended public key in the online machine to compute all of your other private keys.
Otherwise, it's safe.

Is my sparrow wallet at all compromised for having connected to public servers in the past? If so, is there anything I can do to ensure my funds don't get stolen via man in the middle attack once I set up my own node? (i.e. delete and reinstall Sparrow) Currently I have the most air gapped solution where my cold storage hasn't once been connected to my laptop at any point. Thank you for the help!
The public server and the MITM attacker don't have access to users' private keys even in a non-air-gap setup anyways.
All it can access are privacy-related data which are your transactions and addresses, and as you know it, fake the data that you receive.
SPV wallets sign transactions locally.
(This is considering that Sparrow doesn't have bugs that would let the attacker intercept the private key in another way, so keep it air-gapped.)

The warnings that it's unsafe to access your air-gapped machine (PC) in an online environment are there because that would defeat its purpose.
It may or may not still be safe depending on the online device's security, but it's not "air-gapped" anymore once connected to the internet, even after disconnection.
newbie
Activity: 5
Merit: 1
When I open Sparrow, I receive a popup titled "SSL Handshake Failed". The message says "The certificate provided by the server at electrum.diynodes.com appears to have changed. This may be simply due to a certificate renewal, or it may indicate a man-in-the-middle attack. Do you still want to proceed?".

Has anyone else gotten this? Is it safe to click Yes and proceed? Is it safe to connect my cold storage to my computer and/or conduct a transaction? Thank you in advance

You can check the electrum.diynodes.com certificate on sslchecker. It flags a missing root certificate for the given server, and that would be a red flag for me.

I never connect my Sparrow to any public server as I use my own Bitcoin Core node.

Thus, I encourage you to act in the same way.

"Better safe than sorry"

Thank you so much for sharing that link. I've checked every public server so far on SSL Checker, and of the ones that return results, they all show a missing root certificate. I will definitely migrate to my own Bitcoin Core node.

Is my sparrow wallet at all compromised for having connected to public servers in the past? If so, is there anything I can do to ensure my funds don't get stolen via man in the middle attack once I set up my own node? (i.e. delete and reinstall Sparrow) Currently I have the most air gapped solution where my cold storage hasn't once been connected to my laptop at any point. Thank you for the help!
newbie
Activity: 5
Merit: 1
I tried accessing the website from browser and got different error.

Quote
Websites prove their identity via certificates. Firefox does not trust this site because it uses a certificate that is not valid for electrum.diynodes.com. The certificate is only valid for api.testnet.diynodes.com.
 
Error code: SSL_ERROR_BAD_CERT_DOMAIN

It looks like the owner of that domain didn't configure the SSL certificate properly. And after I chose to proceed, it showed a 504 Gateway Timeout. I don't think it's dangerous to click Yes, but you'd better use a properly configured Electrum server.

Got it, thank you for checking with Firefox. Is there a rule of thumb for which public servers are safe to go with? If I run my own bitcoin node, will my sparrow wallet still be compromised from connecting to public servers in the past?

Thank you!
newbie
Activity: 5
Merit: 1
When you connect to a new server, the wallet creates the server certificate and keeps it, and when any change occurs, this error appears. Therefore, if you do not change the server or do not trust electrum.diynodes.com, click on No and go to File, Preferences, Server tab.


That server is managed by https://twitter.com/openoms, and I don't think there will be a problem by clicking Yes.


Thank you for clarifying. I likely did receive the popup due to connecting to a new server as you mentioned.

A few questions for you:
  • How were you able to verify this server is managed by openoms?
  • How do you know it's still safe to connect to? I ask because, after checking this server on sslchecker.com, it appears this server's root certificate is missing, which was flagged as a red flag by others who responded to my post.
Thank you for all the help!
legendary
Activity: 2730
Merit: 7065
I do not own electrum.diynodes.com and have never heard of it until the popup that I received.
Then there is no reason that you have to stick with that electrum.diynodes server that is causing those Sparrow error messages. Go into the settings menu and pick a different one. If you have plans to run your own Bitcoin Node, you don't have to worry about Electrum servers anymore, as you are going to be using the Bitcoin Core client.
newbie
Activity: 5
Merit: 1
I don't know what caused this issue, but are you using a VPN while using Sparrow? It won't be safe if you proceed; better report this issue, since I've never heard of someone having the same issue.

Do you own this electrum.diynodes.com, or is this what you pasted under private electrum?
It seems you need to enable SSL in the settings or provide the server certificate.

Check their GitHub page below and file an issue report.

- https://github.com/sparrowwallet/sparrow/issues



Sometimes I have VPN turned on. I do not own electrum.diynodes.com and have never heard of it until the popup that I received. I am currently not running my own instance of an Electrum server but am planning on running my own Bitcoin Core node after this incident. When you say I need to enable SSL on the settings or provide server certificate, this is relevant if I run my own private Electrum server but does not apply if I'm running my own Bitcoin Core node, right? Thank you for sharing the GitHub page. I will report the issue.
legendary
Activity: 2730
Merit: 7065
I would suggest going to the server settings and finding a different server to connect to. If you don't see the same error message, it's safe to say that there is an error message with that electrum.diynodes.com server. If you can change the server and there is no reason which you aren't telling us about that makes you use that particular one, just pick a different one.

Is it safe to connect my cold storage to my computer and/or conduct a transaction?
That depends on what you mean by cold storage. Are we talking about a hardware wallet or some airgapped machine you intend to bring online? It stops being cold storage if the private keys touch an internet-connected computer. So, please pay attention to what you are doing so as not to reduce the security of your setup.
hero member
Activity: 714
Merit: 1298
When I open Sparrow, I receive a popup titled "SSL Handshake Failed". The message says "The certificate provided by the server at electrum.diynodes.com appears to have changed. This may be simply due to a certificate renewal, or it may indicate a man-in-the-middle attack. Do you still want to proceed?".

Has anyone else gotten this? Is it safe to click Yes and proceed? Is it safe to connect my cold storage to my computer and/or conduct a transaction? Thank you in advance

You can check the electrum.diynodes.com certificate on sslchecker. It flags a missing root certificate for the given server, and that would be a red flag for me.

I never connect my Sparrow to any public server as I use my own Bitcoin Core node.

Thus, I encourage you to act in the same way.

"Better safe than sorry"
legendary
Activity: 2870
Merit: 7490
Crypto Swap Exchange
I tried accessing the website from browser and got different error.

Quote
Websites prove their identity via certificates. Firefox does not trust this site because it uses a certificate that is not valid for electrum.diynodes.com. The certificate is only valid for api.testnet.diynodes.com.
 
Error code: SSL_ERROR_BAD_CERT_DOMAIN

It looks like the owner of that domain didn't configure the SSL certificate properly. And after I chose to proceed, it showed a 504 Gateway Timeout. I don't think it's dangerous to click Yes, but you'd better use a properly configured Electrum server.
hero member
Activity: 406
Merit: 443
When you connect to a new server, the wallet creates the server certificate and keeps it, and when any change occurs, this error appears. Therefore, if you do not change the server or do not trust electrum.diynodes.com, click on No and go to File, Preferences, Server tab.


That server is managed by https://twitter.com/openoms, and I don't think there will be a problem by clicking Yes.
legendary
Activity: 3374
Merit: 3095
Playbet.io - Crypto Casino and Sportsbook
I don't know what caused this issue, but are you using a VPN while using Sparrow? It won't be safe if you proceed; better report this issue, since I've never heard of someone having the same issue.

Do you own this electrum.diynodes.com, or is this what you pasted under private electrum?
It seems you need to enable SSL in the settings or provide the server certificate.

Check their GitHub page below and file an issue report.

- https://github.com/sparrowwallet/sparrow/issues

newbie
Activity: 5
Merit: 1
When I open Sparrow, I receive a popup titled "SSL Handshake Failed". The message says "The certificate provided by the server at electrum.diynodes.com appears to have changed. This may be simply due to a certificate renewal, or it may indicate a man-in-the-middle attack. Do you still want to proceed?".

Has anyone else gotten this? Is it safe to click Yes and proceed? Is it safe to connect my cold storage to my computer and/or conduct a transaction? Thank you in advance