Use MITM Checker to determine if your system is currently under a MITM attack. The program will connect to a list of major websites and alert on any unknown or unusual certificates used in the SSL handshake. It will detect obvious cases (such as interception by a local proxy, your employer's SSL inspection gateways, or a malware infection), as well as more advanced attacks (for instance, if the cert is valid but originates from an unusual organization/country). The tool is a standalone, browser-independent application.

Wait, how does this differ from RCC? RCC performs a static check on the local certificate store. MITM Checker analyzes the actual certs your machine receives when connecting to popular websites.

Usage

Just unzip and launch. Any alerts are flagged in red. Feel free to share your results for discussion.

This early release is free for use. As it is a beta, bugs and/or false positive detections should be expected. Feedback welcome!

Available from https://www.trustprobe.com/fs1/apps.html
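The kind of check the post describes (connect to a list of sites, look at the leaf certificate actually received, flag anything that does not match what is expected) can be sketched in a few dozen lines of Python. The script below is an added example written for this thread; it is not MITM Checker's code and says nothing about how that tool works internally. It reads a top100.txt-style host list, records each site's SHA-1 thumbprint and issuer, and compares them against a small baseline. The baseline host example.com, its thumbprint and the CA name in it are constructed placeholders; a real baseline would be recorded from a network you trust and refreshed as certificates rotate.

```python
"""Added example: baseline-driven certificate check in the spirit of the
MITM Checker post. Not the tool's own code."""
import hashlib
import socket
import ssl

# Constructed baseline (hypothetical host and values): thumbprints seen on a
# known-good network plus the CA organisation/country that issued them.
BASELINE = {
    "example.com": {
        "thumbprints": {"0123456789ABCDEF0123456789ABCDEF01234567"},
        "issuer_orgs": {"Example CA Inc"},
        "issuer_country": "US",
    },
}


def sha1_thumbprint(der_bytes):
    """SHA-1 thumbprint of a DER-encoded certificate as upper-case hex, the
    form the Windows certificate viewer shows, handy when comparing reports."""
    return hashlib.sha1(der_bytes).hexdigest().upper()


def rdn_to_dict(rdn_seq):
    """Flatten the tuple-of-tuples layout ssl.getpeercert() uses for
    'issuer' / 'subject' into a plain {attribute: value} dict."""
    return {key: value for rdn in rdn_seq for key, value in rdn}


def classify(host, cert, der_bytes, baseline=BASELINE):
    """Compare a received certificate with the baseline entry for `host`.
    Returns (level, reason) with level one of 'OK', 'INFO', 'ALERT'."""
    expected = baseline.get(host)
    thumb = sha1_thumbprint(der_bytes)
    issuer = rdn_to_dict(cert.get("issuer", ()))
    org = issuer.get("organizationName", "?")
    country = issuer.get("countryName", "?")
    if expected is None:
        return "INFO", f"no baseline for {host}; issuer={org} ({country}) thumbprint={thumb}"
    if thumb in expected["thumbprints"]:
        return "OK", f"thumbprint matches baseline ({thumb})"
    if org in expected["issuer_orgs"] and country == expected["issuer_country"]:
        # Same CA, new certificate: ordinary rotation, worth recording.
        return "INFO", f"new cert from expected CA {org}; thumbprint={thumb}"
    # Unknown issuer, or the expected CA but a different country: the cases
    # a checker flags in red (local proxy, inspection gateway, odd CA).
    return "ALERT", f"unexpected issuer {org} ({country}); thumbprint={thumb}"


def fetch_cert(host, port=443, timeout=5.0):
    """TLS handshake against host; returns (parsed_cert, der_bytes).
    Raises ssl.SSLCertVerificationError when the chain does not validate
    against the local trust store and ssl.SSLError on other handshake
    failures (the "Handshake failure" case seen with stale root stores)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(), tls.getpeercert(binary_form=True)


def load_hosts(text):
    """Parse a top100.txt-style list: one hostname per line, blank lines
    and '#' comments ignored."""
    return [ln.strip() for ln in text.splitlines()
            if ln.strip() and not ln.strip().startswith("#")]


def check_hosts(hosts, baseline=BASELINE):
    """Run the check for every host; returns {host: (level, reason)}."""
    results = {}
    for host in hosts:
        try:
            cert, der = fetch_cert(host)
        except ssl.SSLCertVerificationError as exc:
            results[host] = ("ALERT", f"chain not trusted: {exc.verify_message}")
        except (ssl.SSLError, OSError) as exc:
            results[host] = ("ERROR", f"handshake failure: {exc}")
        else:
            results[host] = classify(host, cert, der, baseline)
    return results


if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else "top100.txt"
    with open(path) as fh:
        for host, (level, reason) in check_hosts(load_hosts(fh.read())).items():
            print(f"{level:5} {host}: {reason}")
```

Two design points: a chain that fails local validation is reported as an ALERT rather than an error, since a certificate your own trust store rejects is exactly what the check exists to surface, while a plain handshake failure is kept separate so an outdated root store or a dead host is not mistaken for interception. Thumbprints are printed in every result so they can be pasted into a thread like this one when deciding whether a detection is a false positive.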
Another forensic toolbox winner. Thanks! FYI: I get a handshake failure for www.go.com and ping timeout for that as well. It redirects to just plain ol' go.com in the browser. Fixed with top100.txt edit. I determined one can build one's own list as long as the file is named top100.txt. Future feature requests: window sizing, csv report export.
Got 2 "ALERT" messages, both for Root CA "COMODO ECC Certification Authority", for these domains:
* www.creativecommons.org
* www.tinyurl.com
But what can/should I do with this info?
Likely to be false positives - Could you post the thumbprints for these 2 detections? (Copying text to the clipboard is not possible yet, so I would suggest posting a screenshot)
Same here. Did as you and changed to go.com. Also no alerts here on those two URLs. -EDIT- Do you use Comodo for anything; firewall, etc.? Great tool! Kudos on your work.
The COMODO ECC detections reported above are false positives. This issue should be fixed in the latest build, available now (v0.39b).
That's strange. Mine won't block any incoming stateful traffic unless it was an IDS detection, ping, etc.
Looks like it is hosted on a shared server with several malicious “neighbors”: https://otx.alienvault.com/indicator/ip/213.186.33.17
Hi...I tried MITM Checker on XP and received two alerts (on screenshot) and a lot of "Handshake failure"...why is that?
My best guess is that since you're using XP, which isn't supported anymore, its root CA store certificates haven't been updated in ages. For example, www.tinyurl.com uses a Comodo (i.e. AddTrust) root certificate.