Delay in accessing sites - might it be because of a MITM attack?

Discussion in 'privacy problems' started by Ulysses_, Feb 4, 2014.

Thread Status:
Not open for further replies.
  1. Ulysses_

    Ulysses_ Registered Member

    Joined:
    Jun 27, 2010
    Posts:
    207
    Sometimes I get a particularly long delay with some sites, including this one.

    Might this be evidence or an indication of a possible MITM attack going on?

    If yes, how do you ensure you are visiting the site you want when the site does not use HTTPS, and how when the site uses HTTPS?

    A VPN solution is not acceptable because of this. We'd rather the communication be open to eavesdropping network adversaries, but not modified by them. So how do you stay transparent to them but know you are accessing the right site and reading the right text? Ideally with little or no added delay?
     
    Last edited: Feb 4, 2014
  2. Palancar

    Palancar Registered Member

    Joined:
    Oct 26, 2011
    Posts:
    1,591
    For HTTPS and eliminating MITM attacks: Without getting too technical you write a script or use one already created to examine/compare your browser's certificate fingerprint to the actual site's KNOWN full fingerprint. You had mentioned for instance here at Wilder's. I am pasting in the KNOWN and confirmed full SHA fingerprint for Wilder's. You absolutely can NOT fake or derive this full fingerprint using MITM. You MUST have access to the private key and only Wilder's has it, in order to generate this fingerprint.

    Wilder's Fingerprint

    B6 6C B2 E9 9B 88 3F 01 D4 F7 6F 50 46 68 A0 E5 B0 04 FE E4

    If your script or add-on does not see this fingerprint it should POP UP a warning box and you can proceed accordingly. For now, manually look at your browser's cert icon and open it to view the cert fingerprint it is using. It should match the one I pasted above or you are not on Wilder's directly.

    For HTTP you can do a few things but they will never allow you to be certain of where you are. HTTP is not secure and never will be!! That said, many sites make available http and https connections. Why would anyone ever get lazy and not use https? Wilder's offers both, so in my opinion use the better connection handshake. There may be two hundred people connected here now and by using https any snoops on an exit node have to figure out who is doing what in here, if they were all on https. The ones on http are simply passing plain text and making it too easy!!

    Regarding the thread you linked. I don't buy much of that stuff. I would proceed with a secure connection (I use multiple hops but that is me) and not worry about those items. Even in China where VPN users are subject to strong censoring we have ways to mask the VPN and "wrap" the connection to evade strong Gov't scrutiny. All day long!!
     
  3. Ulysses_

    Ulysses_ Registered Member

    Joined:
    Jun 27, 2010
    Posts:
    207
    Just went to the HTTPS version of this page here at Wilders, and Firefox says:

    However, when I click on "Add an exception" and then "View" I see the hex value you gave, labeled as "SHA1 fingerprint". So this is probably ok.

    But what if it was another site where no one was kind enough to post the SHA1 fingerprint in a forum and Firefox gave similar warnings? Trust Firefox's built-in list of certificate authorities that includes some in rogue mafia states?

    Someone must have come up with a more peer-to-peer sort of authentication.
     
  4. Palancar

    Palancar Registered Member

    Joined:
    Oct 26, 2011
    Posts:
    1,591
    The fingerprint is absolutely the best method. The pop-up warning you referenced is because the cert here is private. I prefer this approach to cert authorities, but there is nothing wrong with them either. I run into this at many of the "watering holes" I hang out in.

    Any reputable forum type site is going to have their cert fingerprint available. If you ask and an Admin/Mod won't give it out then go somewhere else. There is NO security risk to handing out a site's cert fingerprint. It cannot be duplicated without possession of the private side of the cert key - period!
     
  5. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,874
    Location:
    New England
    Just in support of the above point, each year when I install a new self-signed certificate, I update the FAQ with the new fingerprint.

    https://www.wilderssecurity.com/faq.php?s=&do=search&q=certificate&match=all&titlesonly=0

    I even include an image of it in the specific post about the new cert updated. (This was an idea someone suggested because they thought "on the fly" substitution of a fingerprint in text could be coded into a MITM attack, but, an image would likely be missed. Maybe a bit tin-foil-hatty, but, I figured it couldn't hurt.)

    https://www.wilderssecurity.com/showpost.php?p=2205579

    In about a month, a new certificate will be generated for another year.
     
  6. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    @Ulysses: If using Firefox, see extensions Perspectives, Convergence, and Certificate Patrol.
     
  7. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
  8. 1PW

    1PW Registered Member

    Joined:
    Apr 2, 2010
    Posts:
    700
    Location:
    North of the 38th parallel.
    Perhaps when Wilders' website certificate does undergo its next renewal, the fingerprint hash could employ SHA-256 and/or be added to the present MD5 & SHA-1 values so as to update the security a notch.

    Perhaps too, an excellent ratings result of Calomel's v0.67 SSL Validation add-on extension could be considered to "show the way" for other website administrators.

    What might be the pitfalls of redirecting/forcing all our Wilders connections to https?
     
    Last edited: Feb 8, 2014
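
The fingerprint comparison described in posts 2 and 4, extended to accept several pins at once so that the yearly certificate replacement mentioned in post 5 and the SHA-256 fingerprints suggested in post 8 are covered. This is an added example, not code posted by any participant or used by the site; the function names and the sample bytes are assumptions made for illustration.

```python
import hashlib
import hmac
import socket
import ssl

# Hex length of a fingerprint -> hash algorithm that produced it.
ALGO_BY_HEX_LEN = {40: "sha1", 64: "sha256"}


def normalize(fingerprint):
    """Turn 'B6 6C ...' or 'b6:6c:...' into bare lowercase hex."""
    hexdigits = "".join(c for c in fingerprint if c not in " :\t\r\n").lower()
    if len(hexdigits) not in ALGO_BY_HEX_LEN:
        raise ValueError("unsupported fingerprint length: %d" % len(hexdigits))
    bytes.fromhex(hexdigits)  # raises ValueError on non-hex characters
    return hexdigits


def matches_pin(der_cert, pins):
    """True if the DER-encoded certificate hashes to any pinned fingerprint."""
    for pin in map(normalize, pins):
        actual = hashlib.new(ALGO_BY_HEX_LEN[len(pin)], der_cert).hexdigest()
        if hmac.compare_digest(actual, pin):
            return True
    return False


def fetch_der(host, port=443, timeout=10):
    """Fetch the server's leaf certificate with CA validation switched off.

    A self-signed certificate would fail CA validation, so the pin
    comparison in matches_pin() is what decides trust here.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def check_site(host, pins):
    """Connect to host and report whether its certificate matches a pin."""
    return matches_pin(fetch_der(host), pins)


# Constructed stand-in bytes, not real certificates (any bytes can be hashed).
SAMPLE_DER = b"constructed-current-certificate"
SAMPLE_PINS = [hashlib.sha1(SAMPLE_DER).hexdigest().upper(),
               hashlib.sha256(b"constructed-next-certificate").hexdigest()]
```

The script opens its own connection, so a match says nothing about a connection the browser made separately; the pin list itself has to come from a channel you already trust.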