Fake Certifs?

Discussion in 'malware problems & news' started by Brosephine, Feb 26, 2016.

  1. Brosephine

    Brosephine Registered Member

    Joined:
    Dec 4, 2015
    Posts:
    143
    Location:
    lo·ca·tion (noun) "a particular place or position"
    What would cause all https sites to have a false or fake certificate?

    The SHA-1 fingerprints of all "secure" sites' certificates do not match grc.com's authentic fingerprint?

    All of these incorrect certificates are verified by Kaspersky Lab ZAO
     
    Last edited: Feb 26, 2016
  2. amarildojr

    amarildojr Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    1,989
    Location:
    Brasil
    From what I could gather about grc, I'd say -it- is the problem :p
     
  3. Brosephine

    Brosephine Registered Member

    Joined:
    Dec 4, 2015
    Posts:
    143
    Location:
    lo·ca·tion (noun) "a particular place or position"
    I was hoping that was the case! There was a time in the recent past when all my certificates did match their sites, however. Maybe I was compromised then and not now.

    Where is a trusted, reputable source to compare certificate fingerprints?
     
  4. amarildojr

    amarildojr Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    1,989
    Location:
    Brasil
  5. Brosephine

    Brosephine Registered Member

    Joined:
    Dec 4, 2015
    Posts:
    143
    Location:
    lo·ca·tion (noun) "a particular place or position"
    Thanks for showing me that. I actually use Https Everywhere but haven't been utilizing the observatory.

    I brought this issue up because I recently was directed to always compare fingerprints to GRC and that if they don't match there's a problem. Would you say it's safe to say I can disregard that info? While you were looking into GRC, did you happen to compare any of your certificates to their database?
     
  6. amarildojr

    amarildojr Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    1,989
    Location:
    Brasil
    Here's what grc reports as Wikipedia's cert: 87:F5:BA:BB:D8:97:C5:79:B6:6A:F5:2F:D8:63:8B:99:BD:1C:E8:26
    Here's mine: 87:F5:BA:BB:D8:97:C5:79:B6:6A:F5:2F:D8:63:8B:99:BD:1C:E8:26

    Riseup according to grc: D6:63:4E:A9:60:D3:7C:0B:5B:C2:97:EF:E7:FF:AF:03:80:2D:AB:03
    Mine: D6:63:4E:A9:60:D3:7C:0B:5B:C2:97:EF:E7:FF:AF:03:80:2D:AB:03

    So I guess their tool works, @Brosephine
     
    Last edited: Feb 26, 2016
  7. Brosephine

    Brosephine Registered Member

    Joined:
    Dec 4, 2015
    Posts:
    143
    Location:
    lo·ca·tion (noun) "a particular place or position"
    @amarildojr


    1. Click on the padlock (in FF) while securely connected over HTTPS to a site > More information > View certificate. The certificate info should be shown; the SHA-1 fingerprint is at the bottom.
    2. GRC.COM > Services > HTTPS Fingerprints > Enter the URL of whatever site you are comparing.
     
  8. Brosephine

    Brosephine Registered Member

    Joined:
    Dec 4, 2015
    Posts:
    143
    Location:
    lo·ca·tion (noun) "a particular place or position"
    So then I have a problem... None of mine match.
     
  9. amarildojr

    amarildojr Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    1,989
    Location:
    Brasil
    Have you configured Kaspersky to scan HTTPS traffic? Because by doing so Kaspersky will locally sign every certificate you have; I think that's why your certs don't match.

    Try disabling HTTPS scanning, reboot, and then go to grc again to see if your certificates are back to normal. If they are, then you know your machine hasn't been compromised, and you can (if you want) re-enable Kaspersky to scan HTTPS traffic (but your certs are going to be locally signed by Kaspersky and won't match grc's).
     
  10. Brosephine

    Brosephine Registered Member

    Joined:
    Dec 4, 2015
    Posts:
    143
    Location:
    lo·ca·tion (noun) "a particular place or position"
    Thank you I'm trying now.

    While searching for the HTTPS scanning options I found that I'm currently "allowing active FTP mode." Is this okay or should I change?
     
  11. amarildojr

    amarildojr Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    1,989
    Location:
    Brasil
    I'm not sure about that option; the last time I used Kaspersky was a long time ago. I do remember that the option for scanning HTTPS was specific, meaning it wasn't tied to FTP.

    I do recommend you keep the FTP option enabled for now. Remember, we're only disabling the HTTPS option to see if Kaspersky is actually signing all of your HTTPS certificates locally :)
     
  12. Brosephine

    Brosephine Registered Member

    Joined:
    Dec 4, 2015
    Posts:
    143
    Location:
    lo·ca·tion (noun) "a particular place or position"
    voilà :thumb:! Thank you that was exactly the problem @amarildojr!

    Now that we know that, you said to return the settings to scan HTTPS, correct? It's more secure that way?
     
  13. amarildojr

    amarildojr Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    1,989
    Location:
    Brasil
    You're welcome! :D Glad I could help.

    Just a note: I don't think that's a "problem", per se, but rather a nice feature from Kaspersky and other AVs.

    Yes, I think it is more secure. However, you must do some research to see if there are any privacy implications of using that feature; I'm not the best person to say anything on the privacy aspect of HTTPS scanning ;)
     
  14. Brosephine

    Brosephine Registered Member

    Joined:
    Dec 4, 2015
    Posts:
    143
    Location:
    lo·ca·tion (noun) "a particular place or position"
    Good point on the privacy bit. Well thank you again for spending the time to help & educate me. You're appreciated more than you know :D. Ciao
     
  15. amarildojr

    amarildojr Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    1,989
    Location:
    Brasil
    You're welcome :) And glad to hear that :-*
     
  16. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    2,969
    Location:
    U.S.A.
    That's crazy! To scan HTTPS traffic, all that needs to be done is to replace the root certificate in the validation chain with the security vendor's own root certificate. That is the way Eset and other vendors that scan SSL traffic do it. Kaspersky replacing the web site certificate results in you having no way of verifying that the site you are accessing is indeed the actual web site you intended to use.
     
  17. amarildojr

    amarildojr Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    1,989
    Location:
    Brasil
    @itman I'm not really sure of how exactly Kaspersky does it. Could you verify that, when going to a website with https, the certificate is also shown as signed by ESET?
     
  18. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    2,969
    Location:
    U.S.A.
    Guess I misspoke. Eset does actually create a new browser cert. for the site with a different thumbprint. I exclude my banking web site from Eset SSL scanning which eliminates this issue.
     
  19. Brosephine

    Brosephine Registered Member

    Joined:
    Dec 4, 2015
    Posts:
    143
    Location:
    lo·ca·tion (noun) "a particular place or position"
    Sorry @itman, but I'm not clear on whether you do see something abnormal that I need to correct or if the situation is all good.
     
  20. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    2,969
    Location:
    U.S.A.
    Yes, what Kaspersky is doing is what all the vendors who scan SSL traffic are doing. Basically what is going on is Kaspersky is performing man-in-the-middle activity to decrypt your incoming SSL traffic. The way that is possible is Kaspersky temporarily creates a cert. for the web site signed by Kaspersky. It can do this since Kaspersky installed its own certificate in the system root CA store. That allows Kaspersky to intercept the SSL traffic, decrypt it, scan it for malware, re-encrypt the traffic, and forward it to the browser.

    The important certs. are the ones stored in your system root CA store. Those are the ones that should be periodically verified. The root CA certs are copied into your browser at browser startup time.

    The bottom line is that when a security vendor is decrypting SSL traffic, there is no way you can manually verify that the web site's certificate is valid. You have to trust that the security vendor has performed the certificate "pinning" activities correctly. That is, the web site's actual certificate points to the intermediate CA that issued it, and the intermediate CA certificate points to the root CA that issued it.
     
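The two checks this thread walks through, comparing a site's SHA-1 fingerprint against an out-of-band reference (post 7) and, on a mismatch, reading which organization issued the certificate the local TLS stack presents (post 20), as an added Python example that is not code from the thread or from any vendor. The reference fingerprint, the issuer tuple and the DER bytes are constructed stand-ins; `fetch_leaf_cert` is the only part that touches the network and is not exercised offline.

```python
import hashlib
import socket
import ssl

# Reference fingerprint obtained out of band (a second, uninspected machine or a
# public fingerprint service). Constructed here: it is the SHA-1 of SAMPLE_DER.
REFERENCE_SHA1 = "A9:99:3E:36:47:06:81:6A:BA:3E:25:71:78:50:C2:6C:9C:D0:D8:9D"

def sha1_fingerprint(der_cert: bytes) -> str:
    """Colon-separated upper-case SHA-1 of a DER cert, as browsers display it."""
    return ":".join(f"{b:02X}" for b in hashlib.sha1(der_cert).digest())

def normalize(fp: str) -> str:
    """Strip colons, spaces and case so fingerprints from any source compare."""
    return "".join(c for c in fp.upper() if c in "0123456789ABCDEF")

def issuer_organization(cert_info: dict) -> str:
    """organizationName from getpeercert()['issuer'], a tuple of RDN tuples."""
    for rdn in cert_info.get("issuer", ()):
        for attr, value in rdn:
            if attr == "organizationName":
                return value
    return "<no organizationName>"

def assess(der_cert: bytes, cert_info: dict, reference_fp: str) -> dict:
    """Compare the presented leaf cert with the reference; on mismatch name the
    issuer so the user can tell their own TLS-inspecting AV from anything else."""
    fp = sha1_fingerprint(der_cert)
    org = issuer_organization(cert_info)
    matches = normalize(fp) == normalize(reference_fp)
    verdict = ("OK: fingerprint matches reference" if matches else
               f"MISMATCH: issued by '{org}'; confirm this is your own "
               "security product's CA, otherwise treat it as interception")
    return {"fingerprint": fp, "matches_reference": matches,
            "issuer_org": org, "verdict": verdict}

def fetch_leaf_cert(host: str, port: int = 443):
    """Return (DER bytes, parsed dict) of the cert the local TLS stack sees; on
    Windows the default context trusts the OS root store, as the browser does."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True), tls.getpeercert()

# Constructed stand-ins for a DER certificate and its parsed issuer field; the
# organization name mirrors the issuer the thread starter saw.
SAMPLE_DER = b"abc"
SAMPLE_INFO = {"issuer": ((("countryName", "XX"),),
                          (("organizationName", "Kaspersky Lab ZAO"),))}
```

On a live host, `der, info = fetch_leaf_cert("example.org")` followed by `assess(der, info, reference)` reproduces the thread's test: a mismatch whose issuer is the installed AV's own CA is local inspection, anything else deserves a closer look.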
  21. Brosephine

    Brosephine Registered Member

    Joined:
    Dec 4, 2015
    Posts:
    143
    Location:
    lo·ca·tion (noun) "a particular place or position"
    @itman Yes, that makes sense, and I'm guessing that the solution is "to replace the root certificate in the validation chain with the security vendor's own root certificate?"
    Sounds easy enough, but I will have to do a bit of research before I can execute it properly.
     
  22. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    2,969
    Location:
    U.S.A.
    In Eset, that is done automatically when SSL protocol scanning is enabled.

    There is a separate option in Eset "to replace the root certificate in the validation chain with the security vendor's own root certificate" which by default is set to the "on" status. If that option is set to the "off" status, then the vendor's root cert. will never be added to the system root CA store. This will result in no SSL traffic being scanned, since it can't be decrypted without the vendor's root cert. present.

    I assume Kaspersky works similarly to the above. To recap:

    1. Ensure "to replace the root certificate in the validation chain with the security vendor's own root certificate" is enabled.
    2. Enable SSL protocol scanning in Kaspersky if not enabled by default.

    Finally, Eset, and I assume Kaspersky, has a method to exclude the use of Eset's root certificate for a specific web site. The process is quite burdensome in my opinion. It entails turning on an exclusion mode for SSL scanning. Then you go to the web site you wish to exclude. A prompt will be displayed for each certificate the web site uses, and you can select to exclude that specific certificate (and the resultant web page content) from SSL scanning. Finally, you disable the exclusion mode for scanning and then enable a mode that will automatically apply all cert. exclusions previously selected.
     