Google = Compromised = MITM ?

I ran 2 checks with SSLEye https://www.wilderssecurity.com/threads/ssleye.364056 on .com & .uk & got RED alerts for both via my ISP ? Try it with your ISP & see what you get

 

I get similar results as you. I also got the same fingerprint from my ISP as you. I doubt that we are using same ISP so I guess it shouldn't be a problem.

 

I get inconsistent results...

ISP: Verizon
DNS: 77.66.84.233:443 (https://dnscrypt.eu)

also i used www.google.co.uk NOT google.co.uk

 

It looks like your ISP has a different certificate for www.google.co.uk than Firefox and Chrome do. Given that the certificate in Firefox and Chrome was issued on 2014-05-07, your ISP is probably pushing an older one. Does SSL Eye show the date issued?

 

@ hqsec

No but it's strange !

@ SpousalMilk

You too !

@ mirimir

I didn't realise that ISP's check for certs ?

 

@mirimir
SSL Eye does not show certificate date issued. At this point I'm thinking SSL Eye is at fault as Chrome and Firefox and GRC fingerprints tell me that www.google.co.uk true FINGERPRINT IS F1:07:E4:01:14:55:3E:25:A3:46:B8:A5:0B:33:C2:6E:02:0D:BD:BA

https://www.grc.com/fingerprints.htm

The oddball result is from SSL Eye.

@CloneRanger
In your first screen-shot where you test www.google.com. What fingerprint does your browser get?

 

OK, I just stumbled into this thread

So where does SSL Eye get the certs that it lists as "Your Local ISP"? SSL Eye shows the correct cert
for www.google.co.uk for countries Singapore, Netherlands and USA. It's just the "Your Local ISP" one that disagrees with Firefox and Chrome.

 

@ SpousalMilk

I can't go to www.google.com directly from the UK as it redirects to .co.uk

@ mirimir

I don't know where SSLeye gets the Local ISP data from ? & yeah it's only that one that's showing RED

 

@CloneRanger
Alright, what about for https://www.google.co.uk ? I just want to confirm if you're getting the same fingerprint in the screenshot in post #6

@mirimir
The red highlighted cert fingerprint can be examined in firefox if you copy- paste the ip that's in the corresponding host ip column to your firefox address bar, prefixed with https://

So it looks like https://[ip-address-here]

Firefox will throw up the message to add the invalid cert to the exceptions, click the proceed button (something like that, I'm not sure because I'm on mobile device right now), and there you can inspect the certificate, before finally adding an exception, which you don't need to do.

It is a google ip address afaik, spitting out a cert fingerprint that doesn't match what i get on any browser. I don't know why ssl eye wants to go there when none of my browsers do.

Maybe ssl eye is referencing default isp dns servers rather than the custom one i setup like opendns or dnccrypt. Ill do more testing later after i get some sleep. Brb in 12 or so hours.

 

@ SpousalMilk

Going to google.co.uk i get the same fingerprint as in Post#6



Just now i ran SSLEye & also get the same, which is different from my Post #1 ? My ISP is still showing the same as Post #1 ?

 

Testing on Windows XP and IE8.


On the SSL Eye Certificate details panel, when testing www.google.co.uk, it always shows RC4(12 for Connection Encryption. If the connection was made on Chrome or Firefox (still on XP), it always makes an AES or higher connection.

windows XP IE8
https://www.google.co.uk/ ae 8b 6b e5 3e bc 84 0a f0 f8 ea 02 e2 5c 36 70 f5 96 cf f3
https://www.google.com/ 65 cd 83 75 b3 67 e0 7d bb 7b c7 31 cc d8 64 73 45 a9 f0 e1

windows XP Chrome
https://www.google.co.uk/ f1 07 e4 01 14 55 3e 25 a3 46 b8 a5 0b 33 c2 6e 02 0d bd ba
https://www.google.com/ 65 cd 83 75 b3 67 e0 7d bb 7b c7 31 cc d8 64 73 45 a9 f0 e1

@CloneRanger
I thought so, not surprised there.

 

@ SpousalMilk

Hi, I'm still not sure why i see the hashes keep changing, & also why my ISP is always RED ? I'm using FF v3.6.14

I tried several times to add a reply in here https://www.digi77.com/ssl-eye-prism-protection & then a message in their Contact form to ask them to reply in here. For some unknown reason/s after allowing JavaScript etc my FF instantly exited ! Sort of like a ping of death. Interestingly, just after i downloaded SSLEye the same thing happened ?

Could you, or someone else try to ask them to respond in here & explain what we see etc

 

@CloneRanger
I left a comment for the developer which is currently "awaiting moderation."

 

@ SpousalMilk

Thanx for doing that. Let's hope we get a reply

 

I think I may know what is going on. The developer, Warith Al Maawali replied yesterday and I left another comment which is awaiting moderation at https://www.digi77.com/ssl-eye-prism-protection but I'll post it here too.

The reason IE on Windows XP was getting the same certificate fingerprint as SSL Eye from www.google.co.uk was because neither supported Server Name Indication (SNI).

[snippet from wikipedia]
Browsers with support for TLS server name indication
Internet Explorer 7 or later, on Windows Vista or higher. Does not work on Windows XP, even Internet Explorer 8 (because the support of this feature is not browser version dependent, it depends on SChannel system component which introduced the support of TLS SNI extension, starting from Windows Vista, not XP).

http://blog.chrismeller.com/testing-sni-certificates-with-openssl
Openssl must be told to send the necessary SNI request (add the switch -servername www.google.co.uk)

openssl s_client -servername www.google.co.uk -connect www.google.co.uk:443 < /dev/null 2>/dev/null | openssl x509 -fingerprint -noout -in /dev/stdin
>9B:4C:03:99:61:82:4F:EC:EA:00:61:7B:87:9B:6B:C7:CE:10:BF:09
^this fingerprint now matches what I'm getting in Firefox and Chrome

edit: adding a bit more info:
Basically, when SSL Eye is doing it's Your Local ISP scan, I think it's running this command behind the scenes

Code:

openssl s_client -connect www.google.co.uk:443 < /dev/null 2>/dev/null | openssl x509 -fingerprint -noout -in /dev/stdin

which serves you a different certificate (a wildcard certificate) than you would otherwise receive if you were actually going to www.google.co.uk on a modern browser like Firefox or Chrome. This gives the appearance if a MITM in SSL eye when it's really not.
The site is simply serving you a wildcard certificate which it would not usually do if your browser queried the server with SNI support.

Here's what a wildcard certificate looks like:

 

@ SpousalMilk

Thanx a Lot for the update etc, appreciate it

 

Happy to help and learn a thing or two about SNI.

 

@ CloneRanger

Good news. I got an update from the developer:

I just tested it out in Windows XP on the problematic www.google.co.uk and all is well. The fingerprint now matches what I get in Chrome and Firefox.

I've also included some screenshots showing the new functionality.

 

@ SpousalMilk

Hi, & thanx for the news & your assistance etc. I'll grab the latest version & test it too.

 

@ SpousalMilk

Just installed v1.5 & google.co & uk & my ISP are now all the same, so that's good. Not sure about these though

https://www.wilderssecurity.com/threads/ssleye.364056

Could i ask you to ask them to explain those alerts. TIA