Topic: Forum HTTPS problems (Read 1167 times)

Quote from: fenghush on January 11, 2015, 11:44:19 AM

This topic is weird because it seems to have some SSL problem. I logged in to the forums from this link and later discovered that it didn't actually use https although it should have used it. Is it a security threat? Other bitcointalk topics seem to be OK but this one is different. Is it some bug in Firefox?

The problem was that the ICQ/YIM "user online" images were gotten from unencrypted sources. I've known about this for some time, but seeing your comment reminded me, and I fixed it. That's why it went away.

Jay_Pal

legendary

Activity: 1493

Merit: 1003

Your browser or any other client software which passes the requests via the proxy first tries to resolve the hostname via the DNS specified on your network interface, the DNS requests are NOT passed via the ssh tunnel. A misconfigured VPN server can suffer the same, although the DNS requests are passed via the VPN interface and are encrypted, if the DNS server is run by an untrusted party such as your ISP the resolved IPs cannot be trusted as they may be transparent proxies which log requests.
Another thing to keep in mind when browsing via SSH tunnel is flash, connections made by the flash plugin are NOT passed via the SSH tunnel but the actual direct internet connection which may compromise your anonymity, same applies for JAVA applets and other browser plugins which are able to create remote sockets which bypass the proxy settings in your browser.

Quote from: Jay_Pal on January 11, 2015, 11:29:41 AM

Quote from: Jay_Pal on January 11, 2015, 11:12:07 AM

Quote from: fenghush on January 11, 2015, 10:11:17 AM

They would need to break SSL to read your gmail/facebook etc or get a CA to sign a valid certificate, but for non encrypted traffic they can run transparent proxies which log data and a rogue DNS server which returns the IPs of their transparent proxies. Since DNS mostly works over UDP the source IP can be spoofed.

I see... The unencrypted traffic doesn't bother me, and I guess they don't do that, they just log the data.
It's all the rest that bothers me (banking accounts, email, facebook, etc), so I guess I can say that I am somehow safe.
Thanks anyway for enlightening me!

In theory of course it applies that they would have to break SSL or get a CA to sign a valid certificate. However, if you use a compromised DNS they can direct your traffic to their own server and proxy facebook for you with a self signed certificate. Your browser would then notice that the certificate has changed and if you don't pay attention to it you will be MITMed. I have encountered such behaviour in a military network where absolutely every web request you made showed "Get me out of here" firefox warning so to browse the internet you had to add every page as exception. What's worse is disabling https altogether. OkCupid.com for example does not have HTTPS and those assholes silently change the protocol for you. So for example you go to https://okcupid.com and it will immediately become http://okcupid.com

I think the snoopers can disable HTTPS for you similarly to how okcupid has done it. You will have to pay close attention to your address bar.

But if you create as SSH tunnel to a trusted machine (a home server, for example) and point your browser (or other software like bitcoind) to your local proxy tunnel, you are already encrypting all and no compromised DNS servers, isn't that right?
Or does the DNS spoof takes place earlier the tunneling?

Oh great... my only hope then, is if they're not that bright!!!
Thank you for the explanation!

fenghush

sr. member

Activity: 658

Merit: 250

Your browser or any other client software which passes the requests via the proxy first tries to resolve the hostname via the DNS specified on your network interface, the DNS requests are NOT passed via the ssh tunnel. A misconfigured VPN server can suffer the same, although the DNS requests are passed via the VPN interface and are encrypted, if the DNS server is run by an untrusted party such as your ISP the resolved IPs cannot be trusted as they may be transparent proxies which log requests.
Another thing to keep in mind when browsing via SSH tunnel is flash, connections made by the flash plugin are NOT passed via the SSH tunnel but the actual direct internet connection which may compromise your anonymity, same applies for JAVA applets and other browser plugins which are able to create remote sockets which bypass the proxy settings in your browser.

Quote from: Jay_Pal on January 11, 2015, 11:29:41 AM

Quote from: Jay_Pal on January 11, 2015, 11:12:07 AM

Quote from: fenghush on January 11, 2015, 10:11:17 AM

They would need to break SSL to read your gmail/facebook etc or get a CA to sign a valid certificate, but for non encrypted traffic they can run transparent proxies which log data and a rogue DNS server which returns the IPs of their transparent proxies. Since DNS mostly works over UDP the source IP can be spoofed.

I see... The unencrypted traffic doesn't bother me, and I guess they don't do that, they just log the data.
It's all the rest that bothers me (banking accounts, email, facebook, etc), so I guess I can say that I am somehow safe.
Thanks anyway for enlightening me!

In theory of course it applies that they would have to break SSL or get a CA to sign a valid certificate. However, if you use a compromised DNS they can direct your traffic to their own server and proxy facebook for you with a self signed certificate. Your browser would then notice that the certificate has changed and if you don't pay attention to it you will be MITMed. I have encountered such behaviour in a military network where absolutely every web request you made showed "Get me out of here" firefox warning so to browse the internet you had to add every page as exception. What's worse is disabling https altogether. OkCupid.com for example does not have HTTPS and those assholes silently change the protocol for you. So for example you go to https://okcupid.com and it will immediately become http://okcupid.com

I think the snoopers can disable HTTPS for you similarly to how okcupid has done it. You will have to pay close attention to your address bar.

But if you create as SSH tunnel to a trusted machine (a home server, for example) and point your browser (or other software like bitcoind) to your local proxy tunnel, you are already encrypting all and no compromised DNS servers, isn't that right?
Or does the DNS spoof takes place earlier the tunneling?

Jay_Pal

legendary

Activity: 1493

Merit: 1003

Quote from: Hyena on January 11, 2015, 11:34:02 AM

Quote from: Jay_Pal on January 11, 2015, 11:29:41 AM

Quote from: Jay_Pal on January 11, 2015, 11:12:07 AM

Quote from: fenghush on January 11, 2015, 10:11:17 AM

They would need to break SSL to read your gmail/facebook etc or get a CA to sign a valid certificate, but for non encrypted traffic they can run transparent proxies which log data and a rogue DNS server which returns the IPs of their transparent proxies. Since DNS mostly works over UDP the source IP can be spoofed.

I see... The unencrypted traffic doesn't bother me, and I guess they don't do that, they just log the data.
It's all the rest that bothers me (banking accounts, email, facebook, etc), so I guess I can say that I am somehow safe.
Thanks anyway for enlightening me!

In theory of course it applies that they would have to break SSL or get a CA to sign a valid certificate. However, if you use a compromised DNS they can direct your traffic to their own server and proxy facebook for you with a self signed certificate. Your browser would then notice that the certificate has changed and if you don't pay attention to it you will be MITMed. I have encountered such behaviour in a military network where absolutely every web request you made showed "Get me out of here" firefox warning so to browse the internet you had to add every page as exception. What's worse is disabling https altogether. OkCupid.com for example does not have HTTPS and those assholes silently change the protocol for you. So for example you go to https://okcupid.com and it will immediately become http://okcupid.com

I think the snoopers can disable HTTPS for you similarly to how okcupid has done it. You will have to pay close attention to your address bar.

But if you create as SSH tunnel to a trusted machine (a home server, for example) and point your browser (or other software like bitcoind) to your local proxy tunnel, you are already encrypting all and no compromised DNS servers, isn't that right?
Or does the DNS spoof takes place earlier the tunneling?

There is real threat that your DNS may take place earlier than any tunneling. To be sure, use this test: https://dnsleaktest.com/

Oh great!
I'll test it out tomorrow at my workplace...
Thank you very much for the help!

Hyena

legendary

Activity: 2114

Merit: 1011

Quote from: Jay_Pal on January 11, 2015, 11:29:41 AM

But if you create as SSH tunnel to a trusted machine (a home server, for example) and point your browser (or other software like bitcoind) to your local proxy tunnel, you are already encrypting all and no compromised DNS servers, isn't that right?
Or does the DNS spoof takes place earlier the tunneling?

There is real threat that your DNS may take place earlier than any tunneling. To be sure, use this test: https://dnsleaktest.com/

edit: I don't know the specifics of SSH tunneling but with VPN it is a threat.

Jay_Pal

legendary

Activity: 1493

Merit: 1003

Quote from: Jay_Pal on January 11, 2015, 11:12:07 AM

Quote from: fenghush on January 11, 2015, 10:11:17 AM

They would need to break SSL to read your gmail/facebook etc or get a CA to sign a valid certificate, but for non encrypted traffic they can run transparent proxies which log data and a rogue DNS server which returns the IPs of their transparent proxies. Since DNS mostly works over UDP the source IP can be spoofed.

I see... The unencrypted traffic doesn't bother me, and I guess they don't do that, they just log the data.
It's all the rest that bothers me (banking accounts, email, facebook, etc), so I guess I can say that I am somehow safe.
Thanks anyway for enlightening me!

In theory of course it applies that they would have to break SSL or get a CA to sign a valid certificate. However, if you use a compromised DNS they can direct your traffic to their own server and proxy facebook for you with a self signed certificate. Your browser would then notice that the certificate has changed and if you don't pay attention to it you will be MITMed. I have encountered such behaviour in a military network where absolutely every web request you made showed "Get me out of here" firefox warning so to browse the internet you had to add every page as exception. What's worse is disabling https altogether. OkCupid.com for example does not have HTTPS and those assholes silently change the protocol for you. So for example you go to https://okcupid.com and it will immediately become http://okcupid.com

I think the snoopers can disable HTTPS for you similarly to how okcupid has done it. You will have to pay close attention to your address bar.

But if you create as SSH tunnel to a trusted machine (a home server, for example) and point your browser (or other software like bitcoind) to your local proxy tunnel, you are already encrypting all and no compromised DNS servers, isn't that right?
Or does the DNS spoof takes place earlier the tunneling?

Hyena

legendary

Activity: 2114

Merit: 1011

Quote from: Jay_Pal on January 11, 2015, 11:12:07 AM

Quote from: fenghush on January 11, 2015, 10:11:17 AM

They would need to break SSL to read your gmail/facebook etc or get a CA to sign a valid certificate, but for non encrypted traffic they can run transparent proxies which log data and a rogue DNS server which returns the IPs of their transparent proxies. Since DNS mostly works over UDP the source IP can be spoofed.

I see... The unencrypted traffic doesn't bother me, and I guess they don't do that, they just log the data.
It's all the rest that bothers me (banking accounts, email, facebook, etc), so I guess I can say that I am somehow safe.
Thanks anyway for enlightening me!

In theory of course it applies that they would have to break SSL or get a CA to sign a valid certificate. However, if you use a compromised DNS they can direct your traffic to their own server and proxy facebook for you with a self signed certificate. Your browser would then notice that the certificate has changed and if you don't pay attention to it you will be MITMed. I have encountered such behaviour in a military network where absolutely every web request you made showed "Get me out of here" firefox warning so to browse the internet you had to add every page as exception. What's worse is disabling https altogether. OkCupid.com for example does not have HTTPS and those assholes silently change the protocol for you. So for example you go to https://okcupid.com and it will immediately become http://okcupid.com

I think the snoopers can disable HTTPS for you similarly to how okcupid has done it. You will have to pay close attention to your address bar.

Jay_Pal

legendary

Activity: 1493

Merit: 1003

Quote from: fenghush on January 11, 2015, 10:11:17 AM

They would need to break SSL to read your gmail/facebook etc or get a CA to sign a valid certificate, but for non encrypted traffic they can run transparent proxies which log data and a rogue DNS server which returns the IPs of their transparent proxies. Since DNS mostly works over UDP the source IP can be spoofed.

I see... The unencrypted traffic doesn't bother me, and I guess they don't do that, they just log the data.
It's all the rest that bothers me (banking accounts, email, facebook, etc), so I guess I can say that I am somehow safe.
Thanks anyway for enlightening me!

fenghush

sr. member

Activity: 658

Merit: 250

They would need to break SSL to read your gmail/facebook etc or get a CA to sign a valid certificate, but for non encrypted traffic they can run transparent proxies which log data and a rogue DNS server which returns the IPs of their transparent proxies. Since DNS mostly works over UDP the source IP can be spoofed.

Quote from: Jay_Pal on January 11, 2015, 09:09:34 AM

Quote from: fenghush on January 11, 2015, 08:55:22 AM

They can still hijack your DNS requests over SSH tunnel though.

Quote from: Jay_Pal on January 11, 2015, 08:52:43 AM

Quote from: Christian1998 on January 11, 2015, 03:37:57 AM

@Hyena
I have the same SHA1-Fingerprint:
...
Iam using Windows 8 Enterprise & Google Chrome (Version 39.0.2171.95 m).
Best regards

Thank you! No MITM then I guess. Also, I found this nice command line that you can use to retrieve and print the fingerprint of the domain:

Code:

openssl s_client -connect bitcointalk.org:443 < /dev/null 2>/dev/null | openssl x509 -fingerprint -noout -in /dev/stdin

In my case, it prints: SHA1 Fingerprint=7B:CF:43:CE:3B:6A:9E:78:62:81:76:6F:9A:71:7A:DA:E2:7C:37:C6

This is an important discovery because I can establish a trusted SSH connection to another domain that is less likely compromised. I can execute the above command in multiple independent systems and compare the fingerprints. Nice!

That's the same fingerprint I have.
At my job, I've circumvented their privacy abuse by tunneling my traffic over an ssh tunnel.

Yes, they could, although I can't see how that would affect my personal data.
I might not be seeing the hole problem, I confess.
I just don't want them to be reading my facebook, or my gmail. I don't really care if they know I went to those pages (everybody does). I just don't want them to be able to access my accounts and read my personal and private stuff.
They claim security measures to avoid data stealing like encrypting usb drives (including mobile phone storage!! Hell of a problem to solve, since my phone was unable to access the files...!!) but they never talked about this measure and one day I stumble on it.
They don't realize those who steal data from them are recording DVD disks, printing the data and chatting in real life to other people, not using pen drives or email accounts!!

Hyena

legendary

Activity: 2114

Merit: 1011

Quote from: fenghush on January 11, 2015, 08:55:22 AM

They can still hijack your DNS requests over SSH tunnel though.

Yeah, I lately discovered (https://dnsleaktest.com/) that my VPN had DNS leak for who knows how long. I had to explicitly define the DNS to use for that VPN connection (luckily my VPN service provider has its own DNS). So, my government probably knows what porn sites I visit Tongue

Jay_Pal

legendary

Activity: 1493

Merit: 1003

Quote from: fenghush on January 11, 2015, 08:55:22 AM

They can still hijack your DNS requests over SSH tunnel though.

Quote from: Jay_Pal on January 11, 2015, 08:52:43 AM

Quote from: Christian1998 on January 11, 2015, 03:37:57 AM

@Hyena
I have the same SHA1-Fingerprint:
...
Iam using Windows 8 Enterprise & Google Chrome (Version 39.0.2171.95 m).
Best regards

Thank you! No MITM then I guess. Also, I found this nice command line that you can use to retrieve and print the fingerprint of the domain:

Code:

openssl s_client -connect bitcointalk.org:443 < /dev/null 2>/dev/null | openssl x509 -fingerprint -noout -in /dev/stdin

In my case, it prints: SHA1 Fingerprint=7B:CF:43:CE:3B:6A:9E:78:62:81:76:6F:9A:71:7A:DA:E2:7C:37:C6

This is an important discovery because I can establish a trusted SSH connection to another domain that is less likely compromised. I can execute the above command in multiple independent systems and compare the fingerprints. Nice!

That's the same fingerprint I have.
At my job, I've circumvented their privacy abuse by tunneling my traffic over an ssh tunnel.

Yes, they could, although I can't see how that would affect my personal data.
I might not be seeing the hole problem, I confess.
I just don't want them to be reading my facebook, or my gmail. I don't really care if they know I went to those pages (everybody does). I just don't want them to be able to access my accounts and read my personal and private stuff.
They claim security measures to avoid data stealing like encrypting usb drives (including mobile phone storage!! Hell of a problem to solve, since my phone was unable to access the files...!!) but they never talked about this measure and one day I stumble on it.
They don't realize those who steal data from them are recording DVD disks, printing the data and chatting in real life to other people, not using pen drives or email accounts!!

cr1776

legendary

Activity: 4018

Merit: 1299

Quote from: Hyena on January 11, 2015, 03:23:57 AM

Quote from: Hyena on January 11, 2015, 03:05:30 AM

Thanks, I like the certpatrol idea, it's exactly the kind of plugin I had in mind. However, what concerns me now is that when I entered this page and the certpatrol message appeared, it showed this fingerprint when I chose to see the details:
7B:CF:43:CE:3B:6A:9E:78:62:81:76:6F:9A:71:7A:DA:E2:7C:37:C6

However, the reddit topic you linked shows this fingerprint:
29:0E:CC:82:2B:3C:CE:0A:73:94:35:A0:26:15:EC:D3:EB:1F:46:6B

Any ideas why they're different?

edit: after a while I made refersh to this page and it accepted another certificate with this fingerprint:
27:D3:D3:5F:3D:4C:D9:0D:60:8B:B7:0C:5B:5E:5C:F3:01:BD:4E:26
and it's different again :S

Can anyone compare this with theirs?

edit:
it seems that *.bitcointalk.org (ip.bitcointalk.org) is sometimes accessed and then it says COMODO CA Limited for issuer organization and the SHA1 fingerprint is 27:D3:D3:5F:3D:4C:D9:0D:60:8B:B7:0C:5B:5E:5C:F3:01:BD:4E:26. The strange this is that I don't see that certificate in my list of certificates.

Domain Control Validated - RapidSSL(R)
GeoTrust, Inc.
Serial: 1302870
SHA1: 7B CF 43 CE 3B 6A 9E 78 62 81 76 6F 9A 71 7A DA E2 7C 37 C6
MD5: 9B B9 0C 19 73 32 0A 2D CF 34 08 55 14 7B 59 BC
Pub key:
256 bytes : C8 9D 5F 0E 95 79 AD B9 9F 6E B5 16 C9 BD 12 0E 98 2F 23 08 00 73 3F 71 B2 CE FB 93 8E 5F 2A 12 7D 35 C6 91 F3 F6 EC 3E AB BD 06 08 5B 12 C1 6E 96 71 33 20 BA 93 1A A2 C3 15 56 6D DE 9B 3F 6F F4 06 0A 92 06 96 B7 F8 7F 65 F5 C8 0E AB A2 8B A6 33 11 82 8E EB BA A0 67 48 93 D1 F0 2B 45 68 5F 07 FD 6F 1F 3F 3E 11 58 E7 E3 C9 91 24 8F AA F9 C9 B2 84 1D 13 67 94 63 D4 EF D0 E3 4D 48 4F F8 47 A7 EC 95 72 5A 03 F6 94 4F D5 F7 76 92 ED 55 71 A8 12 14 E7 BE 5E BF 33 9A B2 EA 10 D9 54 93 42 25 60 0C 86 D5 A3 F6 5E D5 EE 0D C9 94 23 F2 D6 CB 24 EE E0 6C 50 37 2A 9D 6E 41 19 3B 9F C0 D7 16 BD AC 1E A8 59 D1 0A 23 E4 E8 61 1F 7E CD DA D5 91 74 65 F1 E0 D8 96 D8 28 2C 0F 5E 94 67 F9 18 B6 D0 4F 2E 39 A4 67 13 51 AA 4B 21 04 8B A8 45 91 E0 8C 25 8D B3 FD 10 D9 61 10 9D 1F

It does appear to match here too.

fenghush

sr. member

Activity: 658

Merit: 250

They can still hijack your DNS requests over SSH tunnel though.

Quote from: Jay_Pal on January 11, 2015, 08:52:43 AM

Quote from: Christian1998 on January 11, 2015, 03:37:57 AM

@Hyena
I have the same SHA1-Fingerprint:
...
Iam using Windows 8 Enterprise & Google Chrome (Version 39.0.2171.95 m).
Best regards

Thank you! No MITM then I guess. Also, I found this nice command line that you can use to retrieve and print the fingerprint of the domain:

Code:

openssl s_client -connect bitcointalk.org:443 < /dev/null 2>/dev/null | openssl x509 -fingerprint -noout -in /dev/stdin

In my case, it prints: SHA1 Fingerprint=7B:CF:43:CE:3B:6A:9E:78:62:81:76:6F:9A:71:7A:DA:E2:7C:37:C6

This is an important discovery because I can establish a trusted SSH connection to another domain that is less likely compromised. I can execute the above command in multiple independent systems and compare the fingerprints. Nice!

That's the same fingerprint I have.
At my job, I've circumvented their privacy abuse by tunneling my traffic over an ssh tunnel.

Jay_Pal

legendary

Activity: 1493

Merit: 1003

Quote from: Christian1998 on January 11, 2015, 03:37:57 AM

@Hyena
I have the same SHA1-Fingerprint:
...
Iam using Windows 8 Enterprise & Google Chrome (Version 39.0.2171.95 m).
Best regards

Thank you! No MITM then I guess. Also, I found this nice command line that you can use to retrieve and print the fingerprint of the domain:

Code:

openssl s_client -connect bitcointalk.org:443 < /dev/null 2>/dev/null | openssl x509 -fingerprint -noout -in /dev/stdin

In my case, it prints: SHA1 Fingerprint=7B:CF:43:CE:3B:6A:9E:78:62:81:76:6F:9A:71:7A:DA:E2:7C:37:C6

This is an important discovery because I can establish a trusted SSH connection to another domain that is less likely compromised. I can execute the above command in multiple independent systems and compare the fingerprints. Nice!

That's the same fingerprint I have.
At my job, I've circumvented their privacy abuse by tunneling my traffic over an ssh tunnel.

Hyena

legendary

Activity: 2114

Merit: 1011

Quote from: Christian1998 on January 11, 2015, 03:37:57 AM

@Hyena
I have the same SHA1-Fingerprint:
...
Iam using Windows 8 Enterprise & Google Chrome (Version 39.0.2171.95 m).
Best regards

Thank you! No MITM then I guess. Also, I found this nice command line that you can use to retrieve and print the fingerprint of the domain:

Code:

openssl s_client -connect bitcointalk.org:443 < /dev/null 2>/dev/null | openssl x509 -fingerprint -noout -in /dev/stdin

In my case, it prints: SHA1 Fingerprint=7B:CF:43:CE:3B:6A:9E:78:62:81:76:6F:9A:71:7A:DA:E2:7C:37:C6

This is an important discovery because I can establish a trusted SSH connection to another domain that is less likely compromised. I can execute the above command in multiple independent systems and compare the fingerprints. Nice!

Christian1998

sr. member

Activity: 474

Merit: 500

@Hyena
I have the same SHA1-Fingerprint:

Iam using Windows 8 Enterprise & Google Chrome (Version 39.0.2171.95 m).
Best regards

Hyena

legendary

Activity: 2114

Merit: 1011

Quote from: Hyena on January 11, 2015, 03:05:30 AM

Thanks, I like the certpatrol idea, it's exactly the kind of plugin I had in mind. However, what concerns me now is that when I entered this page and the certpatrol message appeared, it showed this fingerprint when I chose to see the details:
7B:CF:43:CE:3B:6A:9E:78:62:81:76:6F:9A:71:7A:DA:E2:7C:37:C6

However, the reddit topic you linked shows this fingerprint:
29:0E:CC:82:2B:3C:CE:0A:73:94:35:A0:26:15:EC:D3:EB:1F:46:6B

Any ideas why they're different?

edit: after a while I made refersh to this page and it accepted another certificate with this fingerprint:
27:D3:D3:5F:3D:4C:D9:0D:60:8B:B7:0C:5B:5E:5C:F3:01:BD:4E:26
and it's different again :S

Can anyone compare this with theirs?

edit:
it seems that *.bitcointalk.org (ip.bitcointalk.org) is sometimes accessed and then it says COMODO CA Limited for issuer organization and the SHA1 fingerprint is 27:D3:D3:5F:3D:4C:D9:0D:60:8B:B7:0C:5B:5E:5C:F3:01:BD:4E:26. The strange this is that I don't see that certificate in my list of certificates.

Hyena

legendary

Activity: 2114

Merit: 1011

Quote from: cr1776 on January 10, 2015, 09:47:54 PM

Quote from: Hyena on January 10, 2015, 06:25:53 PM

Quote from: Jay_Pal on January 10, 2015, 05:58:13 PM

Quote from: Hyena on January 10, 2015, 06:25:53 PM

This topic is weird because it seems to have some SSL problem. I logged in to the forums from this link and later discovered that it didn't actually use https although it should have used it. Is it a security threat? Other bitcointalk topics seem to be OK but this one is different. Is it some bug in Firefox?

I'm on firefox and it is showing all right.
How's google ssl? or other pages?
Found out months ago my employer deliberately broke ssl on almost every sensitive page (including netbanking) so they could monitor us...
The behavior was exactly that.

Other pages seem to be OK right now but some time ago I saw problems in other pages too. The paranoia lies in the fact that this is my home PC. However, the security police of my country might be trying to snoop on me these days due to the work I do. Anyway, let's suppose the government agency has somehow broken my SSL and is doing the man in the middle attack even though I use VPN all the time. How can I disrupt that attack or check if the attack is indeed going on?

edit:
now I no longer see that old message. now it shows "Verified by: GeoTrust, Inc." so something has changed. the strange thing a couple of days ago was that I was developing a website and at some point firefox crashed. after starting it again I was logged out from all the pages where I normally would remain signed in.

Mine shows GeoTrust -> RapidSSL

You can use browser plugins, eg certpatrol type to monitor the certs for example.

You can also check the ssl fingerprint, like shown here:
http://www.reddit.com/r/Bitcoin/comments/1rvrrn/bitcointalkorg_man_in_the_middle_attack_change/

(Of course if you are mitm'd they could, in theory replace that. )

Thanks, I like the certpatrol idea, it's exactly the kind of plugin I had in mind. However, what concerns me now is that when I entered this page and the certpatrol message appeared, it showed this fingerprint when I chose to see the details:
7B:CF:43:CE:3B:6A:9E:78:62:81:76:6F:9A:71:7A:DA:E2:7C:37:C6

However, the reddit topic you linked shows this fingerprint:
29:0E:CC:82:2B:3C:CE:0A:73:94:35:A0:26:15:EC:D3:EB:1F:46:6B

Any ideas why they're different?

edit: after a while I made refersh to this page and it accepted another certificate with this fingerprint:
27:D3:D3:5F:3D:4C:D9:0D:60:8B:B7:0C:5B:5E:5C:F3:01:BD:4E:26
and it's different again :S

cr1776

legendary

Activity: 4018

Merit: 1299

Quote from: Jay_Pal on January 10, 2015, 05:58:13 PM

Quote from: Jay_Pal on January 10, 2015, 05:58:13 PM

This topic is weird because it seems to have some SSL problem. I logged in to the forums from this link and later discovered that it didn't actually use https although it should have used it. Is it a security threat? Other bitcointalk topics seem to be OK but this one is different. Is it some bug in Firefox?

I'm on firefox and it is showing all right.
How's google ssl? or other pages?
Found out months ago my employer deliberately broke ssl on almost every sensitive page (including netbanking) so they could monitor us...
The behavior was exactly that.

Other pages seem to be OK right now but some time ago I saw problems in other pages too. The paranoia lies in the fact that this is my home PC. However, the security police of my country might be trying to snoop on me these days due to the work I do. Anyway, let's suppose the government agency has somehow broken my SSL and is doing the man in the middle attack even though I use VPN all the time. How can I disrupt that attack or check if the attack is indeed going on?

edit:
now I no longer see that old message. now it shows "Verified by: GeoTrust, Inc." so something has changed. the strange thing a couple of days ago was that I was developing a website and at some point firefox crashed. after starting it again I was logged out from all the pages where I normally would remain signed in.

Mine shows GeoTrust -> RapidSSL

You can use browser plugins, eg certpatrol type to monitor the certs for example.

You can also check the ssl fingerprint, like shown here:
http://www.reddit.com/r/Bitcoin/comments/1rvrrn/bitcointalkorg_man_in_the_middle_attack_change/

(Of course if you are mitm'd they could, in theory replace that. )

Hyena

legendary

Activity: 2114

Merit: 1011