Discussion in 'privacy technology' started by ComputerSaysNo, Oct 30, 2012.
Countermail your users are being attacked with fake Certificates
Source, further info etc. ?
Coming up, friend is sending pictures
there you go, fake certificate
real one below
Solid proof of MITM attacks against Countermail users.
Those pictures really do not prove anything. I went and tested the certificate on file from what was on file several weeks ago; no change, and it's trusted. I took it a step further and tested it both from U.S., South America and Europe locations; again, no issues. It's a Rapid SSL certificate with the root CA GeoTrust. Both login and general site surfing show no discrepancies.
There are several reasons your friend may have received the error: they may not have the root CA in their trusted path, they themselves could be on a compromised network, etc.
Personally, if I thought there was a problem, I'd contact CM (They're even a member here), provide them with the info, and see what they say. If you hear nothing after a week or two, then post it. Just my opinion.
EncryptedBytes, school me up: Even if someone *was* in the middle, doesn't CM encrypt/decrypt happen locally? Wouldn't they just get random data?
First I must say it's better if you send us an email, because we don't check Wilders every day.
We always have all hashsums and certificate fingerprints on this page:
Some checks you can do:
-Check the website SSL fingerprint in SHA1, in your web browser, under certificate details. SHA1 fingerprint
-Download and save the applet JAR-file: https://countermail.com/CounterMailEngine145.txt and check the SHA hashsum on the file.
There are many ways to check hashsums on files; on Mac and Windows you can use: http://www.implbits.com/hashtab.aspx
-Check the details on the code signing cert, SHA1 fingerprint:
If you already accepted the code signing cert, you can find it inside your Java control panel/preferences
Below are some common problems that may create certificate problems:
-The date on your local computer is wrong
-You have activated "online certificate validation" in your Java settings, and the OCSP-server is temporarily down
-Bug in Java7: http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=7197652
-You have activated OCSP in your web browser settings, and the OCSP is temporarily down
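Added example, not part of the original posts and not Countermail's code: a sketch of the fingerprint and hashsum checks listed above, comparing the certificate a server presents and a saved file against published values. All function names are hypothetical, the sample bytes are constructed, and the file hash algorithm is a parameter because the post only says "SHA hashsum".

```python
import hashlib
import ssl


def normalize_fp(text):
    """Reduce 'SHA1 Fingerprint=AA:BB:..' or 'aa bb ..' to bare lowercase hex."""
    value = text.rsplit("=", 1)[-1]  # drop an openssl-style label if present
    return "".join(ch for ch in value.lower() if ch in "0123456789abcdef")


def cert_sha1(der_bytes):
    """SHA1 fingerprint as certificate viewers show it: hash of the DER cert."""
    return hashlib.sha1(der_bytes).hexdigest()


def file_digest(path, algo="sha256"):
    """Hash a saved download in chunks; algo must match the published hashsum."""
    h = hashlib.new(algo)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def matches(computed_hex, published):
    """True only if the published value has the same length and same digits."""
    want = normalize_fp(published)
    return len(want) == len(computed_hex) and want == computed_hex.lower()


def live_cert_sha1(host, port=443):
    """Fingerprint of whatever certificate this network path presents.
    Fetched without chain validation; the fingerprint comparison decides."""
    pem = ssl.get_server_certificate((host, port))
    return cert_sha1(ssl.PEM_cert_to_DER_cert(pem))


def demo():
    # Constructed bytes standing in for DER certificates; not real certs.
    genuine = b"constructed-certificate-bytes"
    substituted = b"constructed-substitute-bytes"
    hexfp = cert_sha1(genuine).upper()
    published = ":".join(hexfp[i:i + 2] for i in range(0, 40, 2))
    return (matches(cert_sha1(genuine), published),
            matches(cert_sha1(substituted), published))


if __name__ == "__main__":
    print(demo())
```

The published values have to come from a channel other than the connection being checked, otherwise a substituted certificate and a substituted fingerprint page would agree with each other.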
If you are talking about their actual email service that may be a question for CM, I personally do not have an active account with them nor have I looked at their service in depth.
I am probably one of the few Wilders members that actively uses Gmail