| Thread ID: 100392 | 2009-06-06 01:20:00 | TelstraClear Cable / Certificate Errors | Erayd (23) | PC World Chat |
| Post ID | Timestamp | Content | User |
|---|---|---|---|
| 779988 | 2009-06-06 01:20:00 | Hi guys, Has anyone else on TelstraClear cable noticed certificate warnings when attempting to connect to SSL websites this morning? From my perspective, this looks like a MITM attack from the TelstraClear network - possibly one of their routers or proxy servers has been compromised. Whatever was using this certificate tried to intercept my connections for around 5 minutes, then my internet service dropped completely for a few seconds. When it came back, the bad certificate had vanished. The certificate in question was issued for localhost / Apache HTTP Server. It was issued 13/02/2009 and expires 13/02/2010. The SHA1 fingerprint is ff:9b:b9:fa:f0:33:15:30:a6:6a:b3:a6:27:dc:35:58:eb:5a:c2:f0. If you did allow connections using this certificate, I *strongly* recommend you change the passwords for any site you used during this period. Cheers, Erayd | Erayd (23) |
| 779989 | 2009-06-06 01:26:00 | [Quotes Erayd's post 779988 in full.] What time did this happen? | somebody (208) |
| 779990 | 2009-06-06 01:30:00 | Around 12:10pm this afternoon. I've called TelstraClear; their guy in Auckland spent 5 mins looking at their routers and decided nothing was wrong, but there's no way you can check every node between me & the rest of the world in 5 minutes, even on a small network, and especially not on a network the size of TelstraClear's. | Erayd (23) |
| 779991 | 2009-06-06 08:48:00 | Had a load of customers ringing me with this from Telecom last week or so, and also one on Woosh when he tried his Kiwibank account page too. | pctek (84) |
| 779992 | 2009-06-06 09:17:00 | I'm with Telecom and had a similar issue last week. AIRI the message related to an expired certificate. | Sweep (90) |
| 779993 | 2009-06-06 09:43:00 | If you see it again, then do a traceroute to the end point and see what happens. Also have a good look at the cert chain. | robsonde (120) |
| 779994 | 2009-06-06 09:46:00 | Traceroutes won't specifically show you if one of the nodes along the way is doing a MITM attack for SSL websites... All sounds very dodgy to me :-/ | Chilling_Silence (9) |
| 779995 | 2009-06-07 03:30:00 | [Quotes robsonde's post 779993.] I did look at the cert chain - there wasn't one, it was self-signed. My guess is they were hoping to get clueless users who just click any old thing to make the problem go away. Edit: Traceroute is a good idea (didn't think of it at the time though) but it's unlikely to reveal much, and nothing that shows this was a MITM attack rather than endpoint replacement. | Erayd (23) |
| 779996 | 2009-06-07 08:02:00 | [Quotes Erayd's post 779995.] That was kind of my question... is this a MITM or is someone doing a sloppy end point redirect... | robsonde (120) |
| 779997 | 2009-06-07 08:12:00 | Would a compromised DNS server be a possibility here Erayd? I.e. redirecting whatever secure URL to another server? | somebody (208) |
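The thread turns on three things a client can check about a certificate it is handed: whether it chains to anything (Erayd found it was self-signed), whether its name matches the site being visited (it was issued for localhost), and whether it is the same certificate someone else has already reported (the SHA1 fingerprint in the opening post). The following script is an added example written for this page, not code from the thread or from any of the posters; it runs offline against a constructed certificate dictionary in the shape Python's `ssl` module returns from `getpeercert()`, placeholder DER bytes (not a real certificate), and the placeholder hostname `secure.example.com`. The fingerprint and validity dates are the ones quoted in the thread.

```python
import hashlib
import socket
import ssl
import time

# Values quoted in the thread: self-signed for "localhost / Apache HTTP Server",
# valid 13/02/2009 to 13/02/2010, SHA1 fingerprint below. The post has a stray
# space before ":5a"; normalize_fingerprint() tolerates that kind of paste damage.
REPORTED_BAD_FINGERPRINT = "ff:9b:b9:fa:f0:33:15:30:a6:6a:b3:a6:27:dc:35:58:eb :5a:c2:f0"

# Constructed sample in the structure ssl.SSLSocket.getpeercert() returns.
# The DER bytes are a placeholder, not a real certificate; they only feed the
# fingerprint check, which hashes whatever bytes it is given.
SAMPLE_CERT = {
    "subject": ((("commonName", "localhost"),), (("organizationName", "Apache HTTP Server"),)),
    "issuer": ((("commonName", "localhost"),), (("organizationName", "Apache HTTP Server"),)),
    "notBefore": "Feb 13 00:00:00 2009 GMT",
    "notAfter": "Feb 13 00:00:00 2010 GMT",
}
SAMPLE_DER = b"constructed placeholder bytes, not a real DER certificate"

# Roughly when the thread says the warnings appeared (12:10pm NZST on 6 June
# 2009 is 00:10 UTC), as epoch seconds; an assumed value for the example.
THREAD_TIME = ssl.cert_time_to_seconds("Jun 06 00:10:00 2009 GMT")


def normalize_fingerprint(fp):
    """Keep only hex digits, lower-cased, so copies with colons or spaces compare equal."""
    return "".join(ch for ch in fp.lower() if ch in "0123456789abcdef")


def sha1_fingerprint(der_bytes):
    """SHA1 over the DER encoding, the value browsers display as the certificate fingerprint."""
    return hashlib.sha1(der_bytes).hexdigest()


def _name_to_dict(rdn_sequence):
    """Flatten getpeercert()'s ((('commonName', 'x'),), ...) structure into a plain dict."""
    out = {}
    for rdn in rdn_sequence:
        for attr_type, value in rdn:
            out[attr_type] = value
    return out


def assess_certificate(cert, der_bytes, expected_host, known_bad=(REPORTED_BAD_FINGERPRINT,), now=None):
    """Return a list of warning strings for a served certificate; empty means no red flag found.

    Checks: self-signed (issuer == subject, so there is no chain to inspect), name
    mismatch against the host the client meant to reach, a validity window that does
    not cover `now`, and a fingerprint that appears on the known-bad list.
    """
    if now is None:
        now = time.time()
    warnings = []
    subject = _name_to_dict(cert.get("subject", ()))
    issuer = _name_to_dict(cert.get("issuer", ()))

    if subject == issuer:
        warnings.append("self-signed: issuer equals subject, so there is no chain to a trusted CA")

    common_name = subject.get("commonName", "")
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if expected_host != common_name and expected_host not in sans:
        warnings.append(f"name mismatch: wanted {expected_host!r}, certificate is for {common_name!r} {sans}")

    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    if not (not_before <= now <= not_after):
        warnings.append("validity: certificate is not valid at the time of the connection")

    fingerprint = sha1_fingerprint(der_bytes)
    if fingerprint in {normalize_fingerprint(bad) for bad in known_bad}:
        warnings.append(f"fingerprint {fingerprint} matches a reported bad certificate")

    return warnings


def fetch_peer_der(host, port=443, timeout=5.0):
    """Capture the DER certificate a server presents, without trusting it.

    Verification is switched off deliberately so an untrusted certificate can still
    be retrieved for fingerprinting; nothing is sent on the connection afterwards.
    Not called at import time, so the example stays offline.
    """
    context = ssl.create_default_context()
    context.check_hostname = False
    context.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with context.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


if __name__ == "__main__":
    for line in assess_certificate(SAMPLE_CERT, SAMPLE_DER, "secure.example.com", now=THREAD_TIME):
        print("WARNING:", line)
```

Run as a script it reports the two findings the thread describes for this certificate (self-signed, and issued for localhost rather than the site visited) while the validity check passes, which matches the poster's observation that the certificate was current. Note that a DER captured with `fetch_peer_der` only gives the fingerprint; `getpeercert()` returns an empty dictionary when verification is disabled, so the subject and issuer fields have to come from a verified connection or an external parser such as `openssl x509 -text`. None of these checks distinguishes an on-path interception from a DNS redirect to a different server, the question raised at the end of the thread: either way the client is talking to something that cannot present a valid certificate for the intended name, and the correct response is the same, refuse the connection.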