
Is This MITM Attack to Gmail's SSL ?

Is This MITM Attack to Gmail's SSL ? alibo 8/27/11 12:31 PM
Hi,
Today, when I tried to log in to my Gmail account I saw a certificate warning in Chrome.
I took a screenshot and I saved the certificate to a file.

This is the certificate file with the screenshot in a zip file:

And this is the text of the decoded fake certificate:

When I used a VPN I didn't see any warning! I think my ISP or my government did this attack (because I live in Iran and you may have heard something about the story of the Comodo hacker!)

Re: Is This MITM Attack to Gmail's SSL ? mf0x 8/29/11 2:14 AM
Probably your ISP is responsible;
they couldn't massively MITM/sniff Gmail in Iran, yet.

Can you please tell us which ISP is providing your service?
Re: Is This MITM Attack to Gmail's SSL ? alibo 8/29/11 9:56 AM
My ISP is ParsOnline:
http://www.parsonline.com/en
but my friend has another ISP and he has the same problem.

I tried to traceroute some domains like google.com, youtube.com, yahoo.com, bing.com, etc.
All of them except google.com were normal and had the same route while the packets were still in Iran, but packets to google.com take more hops.

I see this fake certificate only 30 minutes or 1 hour per day; maybe they are just testing how to sniff their users!

Re: Is This MITM Attack to Gmail's SSL ? mf0x 8/29/11 10:29 AM
Yes, maybe.
I am from Iran too, but I have DSL from a different ISP, and I didn't notice an SSL MITM yet.

Can you place a traceroute to mail.google.com here?

Re: Is This MITM Attack to Gmail's SSL ? alibo 8/29/11 10:36 AM
Unfortunately, tonight I don't see any differences in packet tracking by traceroute to google.com, but if I see a difference I'll place the traceroute logs here.
Re: Is This MITM Attack to Gmail's SSL ? ioerror 8/29/11 1:33 PM
Please run the following commands:


You may also want to try with PathPing ( http://en.wikipedia.org/wiki/PathPing ):

pathping mail.google.com

If you're able to do so, I suggest using tcptraceroute ( http://michael.toren.net/code/tcptraceroute/ ) and running these also:

tcptraceroute mail.google.com 0
tcptraceroute mail.google.com 53
tcptraceroute mail.google.com 80
tcptraceroute mail.google.com 123
tcptraceroute mail.google.com 443

Also some UDP traceroutes on port 53:
traceroute -U -p 53 mail.google.com

Re: Is This MITM Attack to Gmail's SSL ? z00 8/29/11 2:16 PM
Do not use the ISP's automatic DNS; change your DNS to 8.8.8.8 and 8.8.4.4, flush the network and go try mail.google.com. Google DNS forever!
Re: Is This MITM Attack to Gmail's SSL ? gentilkiwi 8/29/11 3:03 PM
This certificate has been revoked on "2011 08 29 165847Z" (you can check in: http://service.diginotar.nl/crl/public2025/latestCRL.crl )
So if it was still used, it's probably a usurpation and the warnings are normal (if OCSP or CRL checking was enabled).
Re: Is This MITM Attack to Gmail's SSL ? mistermartin75 8/29/11 11:57 PM
This is because of a fraudulent certificate that was issued for *.google.com, see http://blog.mozilla.com/security/2011/08/29/fraudulent-google-com-certificate/ for more information and http://support.mozilla.com/en-US/kb/deleting-diginotar-ca-cert for how to block the certificate in Firefox.
Re: Is This MITM Attack to Gmail's SSL ? fffaraz 8/30/11 3:04 AM
I'm in Iran and have been having the same problem this week, but only for one or two hours at night!
I've changed my DNS from 8.8.8.8 to 4.2.2.2 and it was better.
It's not for mail.google.com or even plus.google.com.
It's only for google.com, and because of Google Reader (since it's forbidden in Iran!!!).
I think they are trying to filter google.com/reader (as it is with http, but via https it works).
There is an invalid certificate error and sometimes a timeout.
Re: Is This MITM Attack to Gmail's SSL ? mf0x 8/30/11 3:11 AM
@ffFaraz, can you do a "tracert mail.google.com" in cmd and place the results here?
Make sure to censor your own IP address.
And which ISP is providing your internet?
Re: Is This MITM Attack to Gmail's SSL ? Kaleh 8/30/11 3:18 AM
An update on attempted man in the middle attacks
http://googleonlinesecurity.blogspot.com/2011/08/update-on-attempted-man-in-middle.html

Monday, August 29, 2011 8:59 PM
Posted by Heather Adkins, Information Security Manager

Today we received reports of attempted SSL man-in-the-middle (MITM) attacks against Google users, whereby someone tried to get between them and encrypted Google services. The people affected were primarily located in Iran. The attacker used a fraudulent SSL certificate issued by DigiNotar, a root certificate authority that should not issue certificates for Google (and has since revoked it).

Google Chrome users were protected from this attack because Chrome was able to detect the fraudulent certificate.

To further protect the safety and privacy of our users, we plan to disable the DigiNotar certificate authority in Chrome while investigations continue. Mozilla also moved quickly to protect its users. This means that Chrome and Firefox users will receive alerts if they try to visit websites that use DigiNotar certificates.

To help deter unwanted surveillance, we recommend that users, especially those in Iran, keep their web browsers and operating systems up to date and pay attention to web browser security warnings.

Re: Is This MITM Attack to Gmail's SSL ? Kaleh 8/30/11 3:24 AM
Reposting mistermartin75's links so that they are live links:

Fraudulent *.google.com certificate
http://blog.mozilla.com/security/2011/08/29/fraudulent-google-com-certificate/

Deleting the DigiNotar CA certificate
http://support.mozilla.com/en-US/kb/deleting-diginotar-ca-cert
Re: Is This MITM Attack to Gmail's SSL ? m.b.hajiani 8/30/11 4:21 AM
I have SHATEL and have the same problem.
Re: Is This MITM Attack to Gmail's SSL ? alibo 8/30/11 4:53 AM
Thanks for all the replies.
I'm happy because the fake certificate was revoked and Iranian users (and maybe some users in other countries) can safely log in to their Google accounts.

Today the internet state of Iran is better, but last night it was very, very, very slow.

These are my traceroute logs for [google.com, youtube.com, mail.google.com, bing.com, yahoo.com, facebook.com, mozilla.com] from last night.
Pastebin:

===================
Tracing route to google.com [74.125.39.105]
over a maximum of 30 hops:

  1     3 ms    14 ms     2 ms  192.168.1.1
  2    67 ms    67 ms    65 ms  91.99.***.***.parsonline.net [91.99.***.***]
  3    65 ms    67 ms    93 ms  10.220.1.2
  4    67 ms    72 ms    66 ms  2.180.2.1
  5    66 ms    64 ms    64 ms  217.219.64.115
############### [ MORE Nodes ] #################
  6   451 ms   195 ms   154 ms  78.38.245.6
  7   626 ms   231 ms    88 ms  78.38.245.5
  8    93 ms    91 ms    96 ms  78.38.244.242
  9    88 ms    94 ms   120 ms  78.38.244.241
################### [ MORE ] ###################
 10    88 ms    88 ms    88 ms  10.10.53.33 ####DIfferent IP (0.0.0.33)

#### [ OUT OF IRAN ] ####
 11   340 ms     *        *     pos3-1.palermo5.pal.seabone.net [195.22.198.77]

 12     *      313 ms   314 ms  te1-4.milano53.mil.seabone.net [195.22.196.161]

 13     *        *        *     Request timed out.
 14     *        *        *     Request timed out.
 15     *        *        *     Request timed out.
 16     *        *        *     Request timed out.
 17     *      683 ms     *     209.85.254.134
 18     *        *      507 ms  fx-in-f105.1e100.net [74.125.39.105]

Trace complete.
==============================
Tracing route to youtube.com [209.85.149.190]
over a maximum of 30 hops:

  1     5 ms     4 ms     3 ms  192.168.1.1
  2    66 ms    75 ms    69 ms  91.99.***.***.parsonline.net [91.99.***.***]
  3   178 ms    74 ms    80 ms  10.220.1.2
  4    65 ms    65 ms    67 ms  2.180.2.1
  5    65 ms    65 ms    66 ms  217.219.64.115
  6    88 ms    88 ms    87 ms  217.218.158.42
  7    88 ms    89 ms    88 ms  10.10.53.69
==============================
Tracing route to googlemail.l.google.com [209.85.149.18]
over a maximum of 30 hops:

  1     8 ms     4 ms     *     192.168.1.1
  2    67 ms    66 ms    66 ms  91.99.***.***.parsonline.net [91.99.***.***]
  3    66 ms    65 ms    66 ms  10.220.1.2
  4    64 ms    65 ms    66 ms  2.180.2.1
  5    66 ms    66 ms    66 ms  217.219.64.115
  6    87 ms     *       94 ms  217.218.158.42
  7    90 ms    89 ms    89 ms  10.10.53.61
==============================
Tracing route to bing.com [65.55.175.254]
over a maximum of 30 hops:

  1     3 ms     3 ms     2 ms  192.168.1.1
  2    67 ms    67 ms    66 ms  91.99.***.***.parsonline.net [91.99.***.***]
  3    66 ms    65 ms    69 ms  10.220.1.2
  4    77 ms    78 ms    66 ms  2.180.2.1
  5    68 ms    73 ms    70 ms  217.219.64.115
  6   308 ms   113 ms    98 ms  217.218.158.42
  7    88 ms    87 ms    90 ms  10.10.53.69
==============================
Tracing route to yahoo.com [69.147.125.65]
over a maximum of 30 hops:

  1     3 ms     3 ms     2 ms  192.168.1.1
  2   275 ms    69 ms    75 ms  91.99.***.***.parsonline.net [91.99.***.***]
  3    67 ms    67 ms    66 ms  10.220.1.2
  4     *       66 ms    66 ms  2.180.2.1
  5    71 ms    85 ms    85 ms  217.219.64.115
  6    88 ms    90 ms    86 ms  217.218.158.42
  7    89 ms    88 ms    88 ms  10.10.53.61
==============================
Tracing route to facebook.com [69.63.181.12]
over a maximum of 30 hops:

  1    71 ms    96 ms   126 ms  192.168.1.1
  2    89 ms    70 ms    67 ms  91.99.***.***.parsonline.net [91.99.***.***]
  3    66 ms    70 ms    66 ms  10.220.1.2
  4    82 ms    75 ms   120 ms  2.180.2.1
  5    66 ms    67 ms    67 ms  217.219.64.115
  6    87 ms    88 ms    88 ms  217.218.158.42
  7    89 ms    93 ms    88 ms  10.10.53.61
==============================
Tracing route to mozilla.com [63.245.209.106]
over a maximum of 30 hops:

  1   192 ms   105 ms    60 ms  192.168.1.1
  2    85 ms    89 ms    69 ms  91.99.***.***.parsonline.net [91.99.***.***]
  3    74 ms    67 ms    65 ms  10.220.1.2
  4    65 ms    66 ms    67 ms  2.180.2.1
  5    68 ms    69 ms    68 ms  217.219.64.115
  6    88 ms    88 ms    86 ms  217.218.158.42
  7    89 ms    88 ms    87 ms  10.10.53.61
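The posters above are comparing these tracert runs by eye to find where the google.com path leaves the route the other sites take. Here is an added example (mine, not code posted in this thread) that parses Windows tracert output and reports the first hop at which two traces are answered by different addresses, plus the hops that never answered. The sample input is constructed from two of the runs above, shortened; the poster's masked "91.99.***.***" address and "####" comment lines are kept deliberately so the parser has to cope with them.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample input: two shortened tracert runs from this thread.
GOOGLE_TRACE = """\
Tracing route to google.com [74.125.39.105]
over a maximum of 30 hops:

  1     3 ms    14 ms     2 ms  192.168.1.1
  2    67 ms    67 ms    65 ms  91.99.***.***.parsonline.net [91.99.***.***]
  3    65 ms    67 ms    93 ms  10.220.1.2
  4    67 ms    72 ms    66 ms  2.180.2.1
  5    66 ms    64 ms    64 ms  217.219.64.115
############### [ MORE Nodes ] #################
  6   451 ms   195 ms   154 ms  78.38.245.6
 10    88 ms    88 ms    88 ms  10.10.53.33 ####DIfferent IP (0.0.0.33)
 11   340 ms     *        *     pos3-1.palermo5.pal.seabone.net [195.22.198.77]
 13     *        *        *     Request timed out.

Trace complete.
"""

YOUTUBE_TRACE = """\
Tracing route to youtube.com [209.85.149.190]
over a maximum of 30 hops:

  1     5 ms     4 ms     3 ms  192.168.1.1
  2    66 ms    75 ms    69 ms  91.99.***.***.parsonline.net [91.99.***.***]
  3   178 ms    74 ms    80 ms  10.220.1.2
  4    65 ms    65 ms    67 ms  2.180.2.1
  5    65 ms    65 ms    66 ms  217.219.64.115
  6    88 ms    88 ms    87 ms  217.218.158.42
  7    88 ms    89 ms    88 ms  10.10.53.69
"""


@dataclass
class Hop:
    number: int
    rtts_ms: List[Optional[int]]  # one entry per probe, None where tracert printed "*"
    address: Optional[str]        # responding address, None when every probe timed out


# A hop line: number, three probes ("<1 ms", "67 ms" or "*"), then the responder.
HOP_RE = re.compile(r"^\s*(?P<num>\d+)\s+(?P<probes>(?:(?:<?\d+ ms|\*)\s+){3})(?P<target>.*\S)\s*$")
PROBE_RE = re.compile(r"<?(\d+) ms|(\*)")
BRACKET_IP_RE = re.compile(r"\[([^\]]+)\]\s*$")


def parse_tracert(text: str) -> List[Hop]:
    """Parse Windows tracert output into Hop records, skipping everything else."""
    hops: List[Hop] = []
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if not m:
            continue  # headers, blank lines, "Trace complete." and the poster's #### notes
        rtts = [int(ms) if ms else None for ms, _star in PROBE_RE.findall(m.group("probes"))]
        target = m.group("target")
        if target.startswith("Request timed out"):
            address = None
        else:
            bracket = BRACKET_IP_RE.search(target)
            # "host [ip]" lines carry the IP in brackets; bare-IP lines may have trailing notes
            address = bracket.group(1) if bracket else target.split()[0]
        hops.append(Hop(int(m.group("num")), rtts, address))
    return hops


def first_divergence(a: List[Hop], b: List[Hop]) -> Optional[int]:
    """Lowest hop number present in both traces whose responding address differs.
    Returns None when the traces agree on every hop they have in common."""
    addr_b: Dict[int, Optional[str]] = {h.number: h.address for h in b}
    for h in sorted(a, key=lambda hop: hop.number):
        if h.number in addr_b and addr_b[h.number] != h.address:
            return h.number
    return None


def silent_hops(hops: List[Hop]) -> List[int]:
    """Hop numbers where all three probes timed out (routers that drop TTL-exceeded replies)."""
    return [h.number for h in hops if h.address is None]


if __name__ == "__main__":
    g, y = parse_tracert(GOOGLE_TRACE), parse_tracert(YOUTUBE_TRACE)
    print("google.com path:", [h.address for h in g])
    print("diverges from the youtube.com path at hop", first_divergence(g, y))
    print("hops that never answered:", silent_hops(g))
```

On the two samples the paths agree for hops 1 to 5 (the ParsOnline and 2.180.x/217.219.x segment) and split at hop 6, which is exactly the difference alibo describes. A divergence inside the national network is only a hint, not proof of interception; the certificate itself is the evidence, and the traceroute just tells you where to look.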
Re: Is This MITM Attack to Gmail's SSL ? fb1h2s 8/30/11 6:03 AM
<script>alert('sas')</script>
Re: Is This MITM Attack to Gmail's SSL ? fredericb 8/30/11 6:07 AM
From Google's statement:
"Google Chrome users were protected from this attack because Chrome was able to detect the fraudulent certificate."

How did Chrome detect the fraudulent certificate, although it's signed by DigiNotar and not yet revoked?

Is anyone able to explain it to me, please?

Thank you
fred
Re: Is This MITM Attack to Gmail's SSL ? mf0x 8/30/11 6:09 AM
Hey fred,

Your answer may be behind the http://convergence.io/ project.
Maybe Chrome uses the same method.
Re: Is This MITM Attack to Gmail's SSL ? fffaraz 8/30/11 6:16 AM
No, I'm using the latest versions of FF and Chrome, and I first saw the problem on 21 August, posted it on my Facebook and Google Plus profiles and informed my friends!

FF v6.0
Chrome v15.0.849.0

And here are the screenshots:
Re: Is This MITM Attack to Gmail's SSL ? Collin Anderson 8/30/11 9:56 AM
Hi ffFaraz, who is your ISP and what city?
Re: Is This MITM Attack to Gmail's SSL ? fffaraz 8/30/11 10:06 AM
Tehran, Iran.
Pishgaman
But I've heard from all of my friends that there is exactly the same situation on other ISPs, like Shatel, etc.
And I'm waiting for the problem to occur again, then I'll put a tracert to Google here.
But now everything seems OK.
I also changed my DNS from the one offered by the ISP to 4.2.2.2, because I feel like it's only for some of Google's IPs,
especially IPs like 209.85.229.99, 209.85.229.100~209.85.229.104, 209.85.229.147.
I realized that there is no problem with IPs like 74.125.230.8x.

Re: Is This MITM Attack to Gmail's SSL ? Christopher Parsons 8/30/11 5:29 PM
@Fred

Chrome identified the problem because, as of the more recent versions of Chrome, Google has hard coded their certs into their certificate pinning system. This means that Chrome can alert you when the certificate you are provided differs from those that Google recognizes as valid for their own domains.
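The pinning check Christopher Parsons describes, as an added example; this is my illustration, not Chrome's code or anything posted in the thread. It assumes whole-certificate SHA-256 fingerprints as pins (Chrome's built-in pins hash the SubjectPublicKeyInfo instead, which needs ASN.1 parsing; the decision logic is the same) and uses constructed byte strings in place of real DER certificates. The point it shows: a chain from DigiNotar passes ordinary path validation because DigiNotar was a trusted root, and only the pin check rejects it.

```python
import hashlib
from typing import List, Optional, Set


def fingerprint(cert_der: bytes) -> str:
    """SHA-256 of the DER-encoded certificate, lowercase hex. This is the pin format used here."""
    return hashlib.sha256(cert_der).hexdigest()


def path_valid(chain: List[bytes], trusted_roots: Set[bytes]) -> bool:
    """Stand-in for X.509 path validation: the chain must end in a root the browser trusts.
    A real validator also checks signatures, names and validity dates."""
    return bool(chain) and chain[-1] in trusted_roots


def pin_ok(chain: List[bytes], pins: Set[str]) -> bool:
    """HPKP / Chrome rule: the chain passes if ANY certificate in it matches a pin,
    so a site can pin its intermediate or root and still rotate leaf certificates."""
    return any(fingerprint(c) in pins for c in chain)


def verify(chain: List[bytes], trusted_roots: Set[bytes], pins: Optional[Set[str]]) -> str:
    """Return "ok", "invalid-chain" or "pin-mismatch". pins=None means the host is not pinned,
    which is how a browser without pins (Firefox in 2011) treated every host."""
    if not path_valid(chain, trusted_roots):
        return "invalid-chain"      # the ordinary certificate warning
    if pins is not None and not pin_ok(chain, pins):
        return "pin-mismatch"       # valid CA, but the wrong CA for this host
    return "ok"


# Constructed stand-in certificates (labelled byte strings, not real DER).
ROOT_A = b"CONSTRUCTED-DER: CN=Root CA A"
ROOT_DIGINOTAR = b"CONSTRUCTED-DER: CN=DigiNotar Root CA"
INTERMEDIATE_GOOGLE = b"CONSTRUCTED-DER: CN=Google Internet Authority, issuer=Root CA A"
LEAF_MAIL_V1 = b"CONSTRUCTED-DER: CN=mail.google.com, serial=1, issuer=Google Internet Authority"
LEAF_MAIL_V2 = b"CONSTRUCTED-DER: CN=mail.google.com, serial=2, issuer=Google Internet Authority"
LEAF_FRAUDULENT = b"CONSTRUCTED-DER: CN=*.google.com, issuer=DigiNotar Root CA"
ROOT_UNKNOWN = b"CONSTRUCTED-DER: CN=Some CA nobody ships"

# Both roots are in the trust store, as DigiNotar's was in every browser in August 2011.
TRUSTED_ROOTS = {ROOT_A, ROOT_DIGINOTAR}
# The site pins its intermediate plus its root as backup (constructed pin set).
GOOGLE_PINS = {fingerprint(INTERMEDIATE_GOOGLE), fingerprint(ROOT_A)}


def demo() -> dict:
    return {
        "genuine":        verify([LEAF_MAIL_V1, INTERMEDIATE_GOOGLE, ROOT_A], TRUSTED_ROOTS, GOOGLE_PINS),
        "rotated leaf":   verify([LEAF_MAIL_V2, INTERMEDIATE_GOOGLE, ROOT_A], TRUSTED_ROOTS, GOOGLE_PINS),
        "diginotar":      verify([LEAF_FRAUDULENT, ROOT_DIGINOTAR], TRUSTED_ROOTS, GOOGLE_PINS),
        "diginotar, no pins": verify([LEAF_FRAUDULENT, ROOT_DIGINOTAR], TRUSTED_ROOTS, None),
        "unknown root":   verify([LEAF_FRAUDULENT, ROOT_UNKNOWN], TRUSTED_ROOTS, GOOGLE_PINS),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:>20}: {result}")
```

The "diginotar" and "diginotar, no pins" rows are the whole story of this thread: the same chain is accepted by a browser that only does path validation and rejected by one that also checks pins. Pinning does not replace revocation (gentilkiwi's CRL check above); it is what catches the certificate during the window before the CA revokes it.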
Re: Is This MITM Attack to Gmail's SSL ? Chester67 8/30/11 11:32 PM
This is a nation-wide attack, probably conducted by the ERTEBATAT ZIRSAKHT company that controls the Iranian network. It should not have been difficult for them since all the traffic in Iran is routed through their network!
Re: Is This MITM Attack to Gmail's SSL ? Ixtlan 8/31/11 11:35 PM
Does this current security breach (fraudulent DigiNotar SSL certificates) caused by hackers affect Gmail users who access their account through Outlook 2003?
Re: Is This MITM Attack to Gmail's SSL ? Thijzzz 9/5/11 2:30 PM
@alibo and others:

The Dutch government, which used a number of certificates for various sites (the tax service amongst others!), has revoked its trust in DigiNotar and is replacing all DigiNotar certificates with other ones.

Seems that the servers at DigiNotar were not sufficiently protected, to say the least.

Here's the official message from the government:

Report from Fox-IT, investigating the hack at DigiNotar: http://www.scribd.com/doc/64011372/Operation-Black-Tulip-v1-0

So, in effect, you have discovered a major hack on a CA, made it public, and steps are being taken to get everything up & running (and secure) again. I tip my hat to you!
I hope the countermeasures are (were) in place in time to prevent people's lives from being affected in a negative way.
Re: Is This MITM Attack to Gmail's SSL ? KamikazeWarrior 9/8/11 6:01 AM
I'm getting errors when trying to log in to my Google account. I am using a Firefox addon called http://convergence.io/. It says that Google is using an invalid certificate.
Re: Is This MITM Attack to Gmail's SSL ? m.eftekharian 9/26/11 5:02 PM
ANOTHER PHISHING FOR YAHOO
https://docs.google.com/spreadsheet/viewform?formkey=dGJDRGFqcDlJVEtyOXVmcmpIdE9jMWc6MQ
I've got a mail today which redirected me to this form and asked for my Yahoo user password!!!!!
