Delay in accessing sites - might it be because of a MITM attack?

Sometimes I get a particularly long delay with some sites, including this one.

Might this be evidence or an indication of a possible MITM attack going on?

If yes, how do you ensure you are visiting the site you want when the site does not use HTTPS, and how when the site uses HTTPS?

A VPN solution is not acceptable because of this. We'd rather the communication be open to eavesdropping network adversaries, but not modified by them. So how do you stay transparent to them but know you are accessing the right site and reading the right text? Ideally with little or no added delay?

 

For HTTPS and eliminating MITM attacks: Without getting too technical you write a script or use one already created to examine/compare your browser's certificate fingerprint to the actual site's KNOWN full fingerprint. You had mentioned for instance here at Wilder's. I am pasting in the KNOWN and confirmed full SHA fingerprint for Wilder's. You absolutely can NOT fake or derive this full fingerprint using MITM. You MUST have access to the private key and only Wilder's has it, in order to generate this fingerprint.

Wilder's Fingerprint

B6 6C B2 E9 9B 88 3F 01 D4 F7 6F 50 46 68 A0 E5 B0 04 FE E4

If your script or add-on does not see this fingerprint it should POP UP a warning box and you can proceed accordingly. For now, manually look at your browser's cert icon and open it to view the cert fingerprint it is using. It should match the one I pasted above or you are not on Wilder's directly.

For HTTP you can do a few things but they will never allow you to be certain of where you are. HTTP is not secure and never will be!! That said; many sites make available http and https connections. Why would anyone ever get lazy and not use https? Wilder's offers both, so in my opinion use the better connection handshake. There may be two hundred people connected here now and by using https any snoops on an exit mode have to figure out who is doing what in here, if they were all on https. The ones on http are simply passing plain text and making it too easy!!

Regarding the thread you linked. I don't buy much of that stuff. I would proceed with a secure connection (I use multiple hops but that is me) and not worry about those items. Even in China where VPN users are subject to strong censoring we have ways to mask the VPN and "wrap" the connection to evade strong Gov't scrutiny. All day long!!

 

Just went to the HTTPS version of this page here at wilders, and firefox says:

However, when I click on "Add an exception" and then "View" I see the hex value you gave, labeled as "SHA1 fingerprint". So this is probably ok.

But what if it was another site where no one was kind enough to post the SHA1 fingerprint in a forum and firefox gave similar warnings? Trust firefox's built-in list of certificate authorities that includes some in rogue mafia states?

Someone must have come up with a more peer-to-peer sort of authentication.

 

The fingerprint is absolutely the best method. The pop up warning you referenced is because the cert here is private. I prefer this approach to cert authorities, but there is nothing wrong with them either. I run into this at many of the "watering holes" I hang out in.

Any reputable forum type site is going to have their cert fingerprint available. If you ask and an Admin/Mod won't give it out then go somewhere else. There is NO security risk to handing out a sites cert fingerprint. It cannot be duplicated without possession of the private side of the cert key - period!

 

@Ulysses: If using Firefox, see extensions Perspectives, Convergence, and Certificate Patrol.

 

How does the NSA break SSL?
FLYING PIG: The NSA Is Running Man In The Middle Attacks Imitating Google's Servers

 

Perhaps when Wilders' website certificate does undergo its next renewal, the fingerprint hash could employ SHA-256 and/or be added to the present MD5 & SHA-1 values so as to update the security a notch.

Perhaps too, an excellent ratings result of Calomel's v0.67 SSL Validation add-on extension could be considered to "show the way" for other website administrators.

What might be the pitfalls of redirecting/forcing all our Wilders connections to https?