Google = Compromised = MITM ?

Discussion in 'privacy problems' started by CloneRanger, May 19, 2014.

Thread Status:
Not open for further replies.
  1. CloneRanger

  2. Minimalist

    I get similar results to you. I also got the same fingerprint from my ISP as you. I doubt that we are using the same ISP, so I guess it shouldn't be a problem.
     
  3. SpousalMilk

    I get inconsistent results...

    ISP: Verizon
    DNS: 77.66.84.233:443 (https://dnscrypt.eu)

    Also, I used www.google.co.uk, NOT google.co.uk.
    [attached screenshots: com.PNG, uk.PNG]
     
    Last edited: May 20, 2014
  4. mirimir

    It looks like your ISP has a different certificate for www.google.co.uk than Firefox and Chrome do. Given that the certificate in Firefox and Chrome was issued on 2014-05-07, your ISP is probably pushing an older one. Does SSL Eye show the date issued?
     
  5. CloneRanger

    @ hqsec

    No but it's strange !

    @ SpousalMilk

    You too !

    @ mirimir

    I didn't realise that ISPs check for certs?
     
  6. SpousalMilk

    @mirimir
    SSL Eye does not show the certificate's date issued. At this point I'm thinking SSL Eye is at fault, as the Chrome, Firefox and GRC fingerprints tell me that www.google.co.uk's true fingerprint is F1:07:E4:01:14:55:3E:25:A3:46:B8:A5:0B:33:C2:6E:02:0D:BD:BA

    https://www.grc.com/fingerprints.htm
    [attached screenshot: GRC fingerprint of google.co.uk]
    The oddball result is from SSL Eye.

    @CloneRanger
    In your first screenshot, where you test www.google.com, what fingerprint does your browser get?
     
  7. mirimir

    OK, I just stumbled into this thread ;)

    So where does SSL Eye get the certs that it lists as "Your Local ISP"? SSL Eye shows the correct cert for www.google.co.uk for the countries Singapore, Netherlands and USA. It's just the "Your Local ISP" one that disagrees with Firefox and Chrome.
     
  8. CloneRanger

    @ SpousalMilk

    I can't go to www.google.com directly from the UK as it redirects to .co.uk

    @ mirimir

    I don't know where SSL Eye gets the Local ISP data from? And yeah, it's only that one that's showing RED.
     
  9. SpousalMilk

    @CloneRanger
    Alright, what about for https://www.google.co.uk ? I just want to confirm if you're getting the same fingerprint in the screenshot in post #6

    @mirimir
    The red highlighted cert fingerprint can be examined in Firefox if you copy-paste the IP that's in the corresponding Host IP column into your Firefox address bar, prefixed with https://

    So it looks like https://[ip-address-here]

    Firefox will throw up the message to add the invalid cert to the exceptions, click the proceed button (something like that, I'm not sure because I'm on mobile device right now), and there you can inspect the certificate, before finally adding an exception, which you don't need to do.

    It is a Google IP address AFAIK, spitting out a cert fingerprint that doesn't match what I get on any browser. I don't know why SSL Eye wants to go there when none of my browsers do.

    Maybe SSL Eye is referencing the default ISP DNS servers rather than the custom one I set up, like OpenDNS or dnscrypt. I'll do more testing later after I get some sleep. BRB in 12 or so hours.
     
  10. CloneRanger

    @ SpousalMilk

    Going to google.co.uk I get the same fingerprint as in Post #6.

    [attached screenshot: goog-fing.png]

    Just now I ran SSL Eye & also get the same, which is different from my Post #1? My ISP is still showing the same as Post #1?

    [attached screenshot: ssleye-a.png]
     
  11. SpousalMilk

    Testing on Windows XP and IE8.

    [attached screenshots: three Windows XP SSL Eye captures, 2014-05-21]
    On the SSL Eye Certificate details panel, when testing www.google.co.uk, it always shows RC4(128) for Connection Encryption. If the connection was made on Chrome or Firefox (still on XP), it always makes an AES or higher connection.

    windows XP IE8
    https://www.google.co.uk/ ae 8b 6b e5 3e bc 84 0a f0 f8 ea 02 e2 5c 36 70 f5 96 cf f3
    https://www.google.com/ 65 cd 83 75 b3 67 e0 7d bb 7b c7 31 cc d8 64 73 45 a9 f0 e1

    windows XP Chrome
    https://www.google.co.uk/ f1 07 e4 01 14 55 3e 25 a3 46 b8 a5 0b 33 c2 6e 02 0d bd ba
    https://www.google.com/ 65 cd 83 75 b3 67 e0 7d bb 7b c7 31 cc d8 64 73 45 a9 f0 e1

    @CloneRanger
    I thought so, not surprised there.
     
  12. CloneRanger

    @ SpousalMilk

    Hi, I'm still not sure why I see the hashes keep changing, & also why my ISP is always RED? I'm using FF v3.6.14.

    I tried several times to add a reply in here https://www.digi77.com/ssl-eye-prism-protection & then a message in their Contact form to ask them to reply in here. For some unknown reason/s, after allowing JavaScript etc. my FF instantly exited! Sort of like a ping of death. Interestingly, just after I downloaded SSL Eye the same thing happened?

    Could you, or someone else try to ask them to respond in here & explain what we see etc :thumb:
     
  13. SpousalMilk

    @CloneRanger
    I left a comment for the developer which is currently "awaiting moderation."
     
  14. CloneRanger

    @ SpousalMilk

    Thanx for doing that. Let's hope we get a reply
     
  15. SpousalMilk

    I think I may know what is going on. The developer, Warith Al Maawali replied yesterday and I left another comment which is awaiting moderation at https://www.digi77.com/ssl-eye-prism-protection but I'll post it here too.

    The reason IE on Windows XP was getting the same certificate fingerprint as SSL Eye from www.google.co.uk was because neither supported Server Name Indication (SNI).

    [snippet from wikipedia]
    Browsers with support for TLS server name indication
    Internet Explorer 7 or later, on Windows Vista or higher. Does not work on Windows XP, even Internet Explorer 8 (because the support of this feature is not browser version dependent, it depends on SChannel system component which introduced the support of TLS SNI extension, starting from Windows Vista, not XP).

    http://blog.chrismeller.com/testing-sni-certificates-with-openssl
    Openssl must be told to send the necessary SNI request (add the switch -servername www.google.co.uk)

    openssl s_client -servername www.google.co.uk -connect www.google.co.uk:443 < /dev/null 2>/dev/null | openssl x509 -fingerprint -noout -in /dev/stdin
    >9B:4C:03:99:61:82:4F:EC:EA:00:61:7B:87:9B:6B:C7:CE:10:BF:09
    ^this fingerprint now matches what I'm getting in Firefox and Chrome

    edit: adding a bit more info:
    Basically, when SSL Eye is doing its "Your Local ISP" scan, I think it's running this command behind the scenes:
    Code:
    openssl s_client -connect www.google.co.uk:443 < /dev/null 2>/dev/null | openssl x509 -fingerprint -noout -in /dev/stdin
    
    which serves you a different certificate (a wildcard certificate) than you would otherwise receive if you were actually going to www.google.co.uk on a modern browser like Firefox or Chrome. This gives the appearance of a MITM in SSL Eye when it's really not.
    The site is simply serving you a wildcard certificate which it would not usually do if your browser queried the server with SNI support.

    Here's what a wildcard certificate looks like:
    [attached screenshot: sni.PNG]
     
    Last edited: May 30, 2014
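The SNI mechanism SpousalMilk describes, as an added example that is not part of the original thread and not code from SSL Eye or its developer: a small Python script that builds a TLS 1.2 ClientHello with or without the server_name extension (RFC 6066), parses the SNI back out the way a server front end would, and picks a certificate from a lookup table, falling back to the IP address's default certificate when no SNI is present. The certificate table, the DER placeholder byte strings and the hostnames other than www.google.co.uk are constructed for the example; the fingerprints it prints are of those placeholder bytes, not of Google's real certificates.

```python
"""Added example: how Server Name Indication decides which certificate a
TLS server hands back.  Builds a ClientHello with/without the SNI extension
(RFC 6066), parses the SNI out again, and selects a certificate.  All
certificate data below is constructed for illustration."""
import hashlib
import struct

def _u16(n):
    return struct.pack(">H", n)

def _u24(n):
    return struct.pack(">I", n)[1:]

def build_client_hello(server_name=None, client_random=b"\x00" * 32):
    """Minimal TLS 1.2 ClientHello record.  server_name=None omits the SNI
    extension, which is what a pre-SNI client (IE8 on Windows XP, or
    `openssl s_client` without -servername) sends."""
    # Three illustrative suites: ECDHE-RSA-AES128-GCM-SHA256, AES128-SHA, RC4-SHA.
    cipher_suites = b"\xc0\x2f\x00\x2f\x00\x05"
    extensions = b""
    if server_name is not None:
        host = server_name.encode("idna")
        # ServerNameList entry: name_type 0 (host_name), 16-bit length, the name.
        sni_list = b"\x00" + _u16(len(host)) + host
        sni_body = _u16(len(sni_list)) + sni_list
        extensions += _u16(0x0000) + _u16(len(sni_body)) + sni_body  # type 0 = server_name
    body = (
        b"\x03\x03"                                   # client_version: TLS 1.2
        + client_random
        + b"\x00"                                     # session_id length 0
        + _u16(len(cipher_suites)) + cipher_suites
        + b"\x01\x00"                                 # compression: null only
    )
    if extensions:
        body += _u16(len(extensions)) + extensions
    handshake = b"\x01" + _u24(len(body)) + body      # HandshakeType client_hello
    return b"\x16\x03\x01" + _u16(len(handshake)) + handshake  # record header

def parse_sni(record):
    """Return the host_name carried in the SNI extension, or None if absent."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    hs = record[5:5 + struct.unpack(">H", record[3:5])[0]]
    if not hs or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    pos = 4 + 2 + 32                                  # header, version, random
    pos += 1 + hs[pos]                                # session_id
    pos += 2 + struct.unpack(">H", hs[pos:pos + 2])[0]  # cipher_suites
    pos += 1 + hs[pos]                                # compression_methods
    if pos >= len(hs):
        return None                                   # no extensions block at all
    end = pos + 2 + struct.unpack(">H", hs[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= end:
        etype, elen = struct.unpack(">HH", hs[pos:pos + 4])
        data = hs[pos + 4:pos + 4 + elen]
        pos += 4 + elen
        if etype != 0x0000:
            continue
        list_end = 2 + struct.unpack(">H", data[:2])[0]
        q = 2
        while q + 3 <= list_end:
            ntype, nlen = data[q], struct.unpack(">H", data[q + 1:q + 3])[0]
            if ntype == 0:
                return data[q + 3:q + 3 + nlen].decode("idna")
            q += 3 + nlen
    return None

def fingerprint(der):
    """SHA-1 fingerprint in the colon-separated form browsers and SSL Eye show."""
    return ":".join(f"{b:02X}" for b in hashlib.sha1(der).digest())

def choose_cert(record, cert_table, default_cert):
    """Server-side selection: exact SNI match, then a single-label wildcard
    (*.parent), otherwise the default certificate bound to that IP address."""
    name = parse_sni(record)
    if name is None:
        return fingerprint(default_cert)
    name = name.lower().rstrip(".")
    if name in cert_table:
        return fingerprint(cert_table[name])
    labels = name.split(".")
    wildcard = "*." + ".".join(labels[1:])
    if len(labels) >= 3 and wildcard in cert_table:
        return fingerprint(cert_table[wildcard])
    return fingerprint(default_cert)

# Constructed stand-ins for DER certificates (real ones are thousands of bytes).
CERT_TABLE = {
    "www.google.co.uk": b"constructed DER: CN=www.google.co.uk",
    "*.google.com": b"constructed DER: CN=*.google.com",
}
DEFAULT_CERT = b"constructed DER: default wildcard certificate for this IP"

def compare(server_name):
    """Fingerprints the server returns with and without SNI for one host."""
    with_sni = choose_cert(build_client_hello(server_name), CERT_TABLE, DEFAULT_CERT)
    without = choose_cert(build_client_hello(None), CERT_TABLE, DEFAULT_CERT)
    return with_sni, without

if __name__ == "__main__":
    sni_fp, no_sni_fp = compare("www.google.co.uk")
    print("with SNI   :", sni_fp)
    print("without SNI:", no_sni_fp, "(differs, but no MITM)")
```

Running it prints two different fingerprints for the same IP address: the hostname-specific certificate when the ClientHello carries SNI and the default one when it does not, which is exactly the split between Firefox/Chrome and the no-SNI "Your Local ISP" scan. Against a live host, the two `openssl s_client` invocations in the post above (with and without `-servername`) are the check; a fingerprint that differs only in the no-SNI case is a hostname-selection artefact, not an interception.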
  16. CloneRanger

    @ SpousalMilk

    Thanx a Lot for the update etc, appreciate it :thumb:
     
  17. SpousalMilk

    Happy to help and learn a thing or two about SNI.
     
  18. SpousalMilk

    @ CloneRanger

    Good news. I got an update from the developer:
    I just tested it out in Windows XP on the problematic www.google.co.uk and all is well. The fingerprint now matches what I get in Chrome and Firefox.

    I've also included some screenshots showing the new functionality.
     

  19. CloneRanger

    @ SpousalMilk

    Hi, & thanx for the news & your assistance etc. I'll grab the latest version & test it too.
     
  20. CloneRanger