LinuxQuestions.org
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Old 10-05-2019, 06:56 AM   #1
walker
Member
 
Registered: Nov 2003
Distribution: antiX-17.4.1_x64 base Custom
Posts: 193

Rep: Reputation: 38
MITM 24/7: how can I get rid of him? Browser SSL security fails


Hi guys,

Because of the financial information I post daily to keep people from being scammed, I'm continuously under MITM attack, i.e. when I try to connect to plurk.com, instead of the true certificate

Code:
# SNI must be a real host name, not a wildcard; </dev/null closes the session after the handshake
$ openssl s_client -servername plurk.com -connect plurk.com:443 </dev/null | openssl x509 -fingerprint -noout
depth=2 C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO RSA Certification Authority
verify return:1
depth=1 C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO RSA Domain Validation Secure Server CA
verify return:1
depth=0 OU = Domain Control Validated, OU = PositiveSSL Wildcard, CN = *.plurk.com
verify return:1
SHA1 Fingerprint=B1:2B:73:69:E9:59:D1:AC:F6:C5:37:5B:DE:2A:0D:2A:F7:E5:BF:05

I also checked with a third-party site:

B1:2B:73:69:E9:59:D1:AC:F6:C5:37:5B:DE:2A:0D:2A:F7:E5:BF:05 fingerprint returned by GRC

I receive a fake certificate:

1B:9D:F5:BA:B58:57:1D:1F:78:8E:EA:48:16:83:24:B3:F5:B3:4F fake fingerprint received

Firefox accepts the connection to the attacker without considering that the certificate is fake, even if "Query OCSP responder servers" is enabled.

Palemoon instead correctly shows the warning that the site is untrusted.

Is there a way to get rid of the man in the middle and connect to the real site?

Many thanks to everyone for the support.

Last edited by walker; 10-05-2019 at 07:00 AM.
 
Old 10-06-2019, 01:48 PM   #2
business_kid
LQ Guru
 
Registered: Jan 2006
Location: Ireland
Distribution: Slackware, Slarm64 & Android
Posts: 16,144

Rep: Reputation: 2308
I think that's in your firefox preferences. I got the main site with openssl:
Code:
SHA1 Fingerprint=B1:2B:73:69:E9:59:D1:AC:F6:C5:37:5B:DE:2A:0D:2A:F7:E5:BF:05
If you're trying this in firefox, you'd want to say how. But Edit/Preferences/Privacy & Security offers a heap of options you can set up, and you can reject that site.

My guess is that you fell for the MITM attack at least once, and firefox thinks the cert is ok. ~/.cache/mozilla/firefox/… /… / has a directory 'safebrowsing' which might be worth deleting, or deleting files out of. Setting to zero length is probably better than deleting, done by '> somefile'
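Added example, not code from the thread: a Python 3 script that performs the check the two posts above describe, comparing the leaf certificate a server presents with a reference SHA-1 fingerprint obtained out of band (a second machine or network), and separately reporting whether the chain validates against the local trust store. The host name, the status strings and the choice of the post #2 fingerprint as reference are the example's own assumptions.

```python
import hashlib
import re
import socket
import ssl

SHA1_HEX_LEN = 40  # a SHA-1 digest is 20 bytes = 40 hex digits

def normalize_fingerprint(fp: str) -> str:
    """Canonical 'AA:BB:...' form, as 'openssl x509 -fingerprint' prints it.
    Rejects values of the wrong length, so a truncated or copy-garbled
    fingerprint (like the 38-digit ones pasted in post #1) never 'matches'."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", fp).upper()
    if len(digits) != SHA1_HEX_LEN:
        raise ValueError(f"expected {SHA1_HEX_LEN} hex digits, got {len(digits)}")
    return ":".join(digits[i:i + 2] for i in range(0, SHA1_HEX_LEN, 2))

def sha1_fingerprint(der: bytes) -> str:
    return normalize_fingerprint(hashlib.sha1(der).hexdigest())

def fetch_leaf_der(host: str, port: int = 443, verify: bool = True) -> bytes:
    """Fetch the leaf certificate the server presents for this SNI name.
    With verify=True the handshake fails unless the chain validates against
    the local trust store (the warning the thread says Palemoon showed)."""
    ctx = ssl.create_default_context()
    if not verify:  # used only to *inspect* an untrusted cert, never to trust it
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)

def verdict(served_der: bytes, expected_fp: str, chain_trusted: bool) -> str:
    """Decision logic kept separate from I/O so it can be tested offline."""
    if sha1_fingerprint(served_der) != normalize_fingerprint(expected_fp):
        return "MISMATCH"              # different certificate: possible interception
    if not chain_trusted:
        return "MATCH-UNTRUSTED-CHAIN"  # right cert, but the local store rejects its chain
    return "OK"

def check_host(host: str, expected_fp: str) -> str:
    try:
        der, trusted = fetch_leaf_der(host, verify=True), True
    except ssl.SSLCertVerificationError:
        der, trusted = fetch_leaf_der(host, verify=False), False
    return verdict(der, expected_fp, trusted)

if __name__ == "__main__":
    # reference value: the fingerprint business_kid obtained in post #2
    print(check_host("plurk.com", "B1:2B:73:69:E9:59:D1:AC:F6:C5:37:5B:DE:2A:0D:2A:F7:E5:BF:05"))
```

Run it from a network path you trust and compare with the result from the suspect one; a MISMATCH on only one path is the signal worth investigating, while MATCH-UNTRUSTED-CHAIN points at the local trust store rather than at interception.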
 
Old 10-06-2019, 02:52 PM   #3
TB0ne
LQ Guru
 
Registered: Jul 2003
Location: Birmingham, Alabama
Distribution: SuSE, RedHat, Slack,CentOS
Posts: 26,553

Rep: Reputation: 7946
Quote:
Originally Posted by walker View Post
Hi guys,
Because of the financial information I post daily to keep people from being scammed, I'm continuously under MITM attack, i.e. when I try to connect to plurk.com, instead of the true certificate

$ openssl s_client -servername plurk.com -connect plurk.com:443 </dev/null | openssl x509 -fingerprint -noout
depth=2 C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO RSA Certification Authority verify return:1
depth=1 C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO RSA Domain Validation Secure Server CA verify return:1
depth=0 OU = Domain Control Validated, OU = PositiveSSL Wildcard, CN = *.plurk.com verify return:1
SHA1 Fingerprint=B1:2B:73:69:E9:59:D1:AC:F6:C5:37:5B:DE:2A:0D:2A:F7:E5:BF:05

I also checked with a third-party site:
B1:2B:73:69:E9:59:D1:AC:F6:C5:37:5B:DE:2A:0D:2A:F7:E5:BF:05 fingerprint returned by GRC

I receive a fake certificate:
1B:9D:F5:BA:B58:57:1D:1F:78:8E:EA:48:16:83:24:B3:F5:B3:4F fake fingerprint received

Firefox accepts the connection to the attacker without considering that the certificate is fake, even if "Query OCSP responder servers" is enabled. Palemoon instead correctly shows the warning that the site is untrusted. Is there a way to get rid of the man in the middle and connect to the real site? Many thanks to everyone for the support.
Or is it more likely that one time you went there with Firefox and accepted the expired certificate, so it cached it and didn't warn you again??? Which is why Palemoon DOES warn you.

How about explaining why you are under '24/7 MITM attacks', and what your evidence is of that?
 
Old 10-09-2019, 02:42 PM   #4
walker
Member
 
Registered: Nov 2003
Distribution: antiX-17.4.1_x64 base Custom
Posts: 193

Original Poster
Rep: Reputation: 38
Quote:
Originally Posted by business_kid View Post
I think that's in your firefox preferences. I got the main site with openssl:
Code:
SHA1 Fingerprint=B1:2B:73:69:E9:59:D1:AC:F6:C5:37:5B:DE:2A:0D:2A:F7:E5:BF:05
It's not in my Firefox preferences, and the fact that you got the right certificate is evidence of the attack.

They spoof an Amazon_Root_CA_1 certificate. I don't know why Firefox believes a fake certificate to be genuine even with the OCSP check enabled.

And at the moment they spoof only plurk and marketwatch.com; other sites such as investing.com show a non-spoofed certificate.

I'm not such a boob as to accept a fake certificate.

Quote:
Originally Posted by business_kid View Post
If you're trying this in firefox, you'd want to say how. But Edit/Preferences/Privacy & Security offers a heap of options you can set up, and you can reject that site.
I need that site!
It's the only social network where I can post; they kicked me out of Twitter in September 2015, and every time I try to create a new Twitter user, obviously with another email and username, they lock me again right at first login, so I have to stay on plurk.

Quote:
Originally Posted by business_kid View Post
My guess is that you fell for the MITM attack at least once, and firefox thinks the cert is ok. ~/.cache/mozilla/firefox/… /… / has a directory 'safebrowsing' which might be worth deleting, or deleting files out of. Setting to zero length is probably better than deleting, done by '> somefile'
The problem is that they duplicate a real Amazon_Root_CA_1 certificate, and Firefox for sure doesn't check the fingerprint.
The weird thing is that even when querying the OCSP server Firefox accepts the certificate with the fake fingerprint, whereas Palemoon, with the OCSP server query enabled, correctly shows the warning that the site is spoofed.

Mozilla uses binary files in the safebrowsing directory; even using hexdump it is a little bit hard to understand the meaning of the content.
Anyway, I tried to empty the safebrowsing directory and visit the site again, but the fake certificate is still accepted by Firefox anyway.
IMHO Firefox sucks at security.

Last edited by walker; 10-09-2019 at 03:32 PM.
 
Old 10-09-2019, 03:08 PM   #5
walker
Member
 
Registered: Nov 2003
Distribution: antiX-17.4.1_x64 base Custom
Posts: 193

Original Poster
Rep: Reputation: 38
Quote:
Originally Posted by TB0ne View Post
Or is it more likely that one time you went there with Firefox, and accepted the expired-certificate, so it cached it and didn't warn you again??? Which is why Palemoon DOES warn you.
I will try to uninstall Firefox, delete everything related and reinstall it.
I didn't think of such a radical solution, but it's worth a try.

Quote:
Originally Posted by TB0ne View Post
How about explaining why you are under '24/7 MITM attacks', and what your evidence is of that?
They think I'm a kind of "Rain Man": I foresee daily how they will fake the stock market to pluck turkeys, and I guess every day.

I'm not a fortune teller; simply, they are so unfit that they have acted since 1907 in the same way to screw boobs.

The stock market is a pump 'n' dump scam; if you are not able to read a balance sheet it's better if you stay far away from the stock market. Analysts are mostly paid liars who help the financial elite to pluck turkeys, e.g. Jefferies, who stated a target price for Tesla shares of $450 in December last year, justifying it with increasing sales. Tesla sales have been collapsing ever more since January this year.
And also the current price of around $230 is artificially lifted, because the real value is around $26/share.

The stock market is a slot machine; the real value of a stock is the Book Value Per Share as of the balance sheet, all the rest is vanishing float, and if the turkeys no longer peck, stock market value will sink suddenly.
On the stock market never buy after the rise, as all the turkeys do; you should already own the stock before and sell at the top of the rise.

[removed]

They started with a DDoS against my PC to saturate hard disk space through firewall log file growth; I disabled firewall logging, problem solved.

To avoid privilege escalation I uninstalled sudo and gksu; now, to shut down my machine, you have to be physically in front of it.

I thought I was secure enough, but Mitnick is always right: the only really safe computer is a computer turned off and stored in a vault.

Even though I have a kernel patched against the latest known vulnerabilities, they have found a way to cause an emergency shutdown remotely by overloading the CPU; this causes overheating and the PC immediately goes into emergency shutdown. But, unfortunately for them, I tested that the trick works only in summer: with a room temperature of up to 75.2°F you hear the fan running continuously at maximum speed, but they are not able to achieve their purpose.

Is this enough?

Btw. fake crypto coins are also a pump 'n' dump elite scam to grab the real money they can no longer print out of thin air.

Last edited by walker; 10-09-2019 at 03:28 PM.
 
Old 10-09-2019, 03:12 PM   #6
TB0ne
LQ Guru
 
Registered: Jul 2003
Location: Birmingham, Alabama
Distribution: SuSE, RedHat, Slack,CentOS
Posts: 26,553

Rep: Reputation: 7946
Quote:
Originally Posted by walker View Post
I will try to uninstall Firefox, delete everything related and reinstall it.
I didn't think of such a radical solution, but it's worth a try.

They think I'm a kind of "Rain Man": I foresee daily how they will fake the stock market to pluck turkeys, and I guess every day. I'm not a fortune teller; simply, they are so unfit that they have acted since 1907 in the same way to screw boobs.

The stock market is a pump 'n' dump scam; if you are not able to read a balance sheet it's better if you stay far away from the stock market. Analysts are mostly paid liars who help the financial elite to pluck turkeys, e.g. Jefferies, who stated a target price for Tesla shares of $450 in December last year, justifying it with increasing sales. Tesla sales have been collapsing ever more since January this year.

[removed]

They started with a DDoS against my PC to saturate hard disk space through firewall log file growth; I disabled firewall logging, problem solved. To avoid privilege escalation I uninstalled sudo and gksu; now, to shut down my machine, you have to be physically in front of it. I thought I was secure enough, but Mitnick is always right: the only really safe computer is a computer turned off and stored in a vault.

Even though I have a kernel patched against the latest known vulnerabilities, they have found a way to cause an emergency shutdown remotely by overloading the CPU; this causes overheating and the PC immediately goes into emergency shutdown. But, unfortunately for them, I tested that the trick works only in summer: with a room temperature of up to 75.2°F you hear the fan running continuously at maximum speed, but they are not able to achieve their purpose.

Is this enough?

Btw. fake crypto coins are also a pump 'n' dump elite scam to grab the real money they can no longer print out of thin air.
Odd that with you being so prescient about the stock market, that you're not worth millions, and able to hire the best people money can buy, to put in the best hardware money can buy, to keep you safe 24/7. Or even buy a new computer every week, just to be safe from 'them'.

Again: what is your EVIDENCE?? You disabled firewall logs, so nothing there. You claim that 'they' can overheat your CPU... what's your evidence that 'they' are doing it, versus a race condition in a program, or just a dirty fan?

Last edited by TB0ne; 10-09-2019 at 03:16 PM.
 
Old 10-10-2019, 03:45 AM   #7
business_kid
LQ Guru
 
Registered: Jan 2006
Location: Ireland
Distribution: Slackware, Slarm64 & Android
Posts: 16,144

Rep: Reputation: 2308
How come I'm subscribed to this thread? Oh yeah, I tried to help some 4 or 5 posts back but was ignored.

I'm inclined to read as far as the first curse word. I did that and you hadn't got to linux by then. I'll unsubscribe. You'd have made a fortune in 1929.
 
1 members found this post helpful.
Old 10-10-2019, 09:43 AM   #8
jeremy
root
 
Registered: Jun 2000
Distribution: Debian, Red Hat, Slackware, Fedora, Ubuntu
Posts: 13,597

Rep: Reputation: 4080
Closing this thread as off-topic. Note that swearing is not permitted at LQ.

--jeremy
 
1 members found this post helpful.
All times are GMT -5.