Solved SSL hijacking


Exactly this,
Any servers based in the US, Germany, Canada and I'm sure even other states influenced by the US cannot be trusted.

This isn't only about DNS but also any kind of server which users frequently use such as email providers are also affected,
According to this site Privacy-Conscious Email Services



And according to this site: PRISM Break


But this is perhaps nothing new except when we face it on our own skin as it is the case now proving that Edward Snowden was correct about all that he said and is still saying.

If a government can tell cloudflare to hijack DNS then they can also tell Microsoft or any other firm or entity what to do if they want.

Both scenarios present differing levels of complexity, practicality, and potential repercussions.

It's conceivable that DNS servers, particularly those operated by Western entities, are receiving systematic orders to interfere with the security certificates of rt.com, and potentially other news websites, whose narratives are seen as discordant.

1. Compelling a DNS server to tamper with DNS queries:

From a technical perspective, this is less complex than compromising an operating system like Windows. A DNS server could, for example, be compelled to redirect traffic from one domain to another or return inaccurate IP addresses. This would be considered a form of DNS spoofing or poisoning.

From a practicality standpoint, this might be easier to achieve on a small scale, but managing this on a larger scale could be challenging due to the distributed nature of DNS, the number of DNS servers globally, and the fact that users can easily change their DNS servers.

In terms of repercussions, this could lead to significant breaches of trust and potential legal issues, especially if the DNS servers are run by reputable companies. It might also encourage more users to use encrypted DNS or DNS over HTTPS (DoH), making it harder for such tampering to occur in the future.

2. Compelling Microsoft to compromise its software:

Technically, this is more complex. Compromising an operating system without it being detected by security researchers would require sophisticated techniques. Moreover, any updates issued by Microsoft would need to maintain this compromise, adding another layer of complexity.

Practically, if a government could compel Microsoft to introduce a backdoor or similar compromise into Windows, it would potentially give them access to a large number of devices globally. However, the logistics and legality of compelling such action on a major corporation would be significantly challenging.

Repercussions would be severe. If discovered, the damage to Microsoft's reputation would be substantial, and the legal implications could be enormous. It would also likely lead to a significant shift in the tech industry, with users and companies looking for more secure alternatives.

In both cases, the feasibility would depend heavily on jurisdiction and the legal frameworks in place to protect companies and individuals from such government demands.
 

It seems that updating certificates is as easy as running the task, I ran both system/user tasks and it was fixed in a sec.

capture_07162023_165227.jpg
 

Both scenarios present differing levels of complexity, practicality, and potential repercussions.

1. Compelling a DNS server to tamper with DNS queries:

<snip>

2. Compelling Microsoft to compromise its software:

<snip>

I like your diplomatic and technical answer, and I agree that doing such things on Windows would be more challenging and more serious and damaging for reputation on Microsoft.

Hijacking sites such as rt is not really an issue because nobody was hacked and I was not redirected to a malicious site, and my data was not stolen, it's also not an issue because I had a chance to close the tab to rt and nothing bad happens to me.

However the issue is knowing that if a government wants to abuse some company to do contrary to its claims it can do it.
The issue is that those companies which claim to respect user's privacy and to deliver good service are being forced to violate their own claims.
I was trusting cloudflare but after this incident I don't think I'll ever use cloudflare again and that's what's the issue.

Therefore the issue is that a government forced a reputable service to become no longer trusted and this is not only cloudflare's problem but a problem for any service in the US or any other state whose services can be influenced.

@TairikuOkami
Thank you for suggestion, I was sure it's my ISP but it turns out it's cloudflare, but I've added this link to my bookmarks because it's good to know for troubleshooting if needed.

I didn't test if resetting cert store resolves the problem since changing DNS fixed it, but I'll test it out of interest again with cloudflare.
 

@TairikuOkami
I don't know why, but now I set DNS back to cloudflare, cleared the DNS cache and it's working normally o_O
It's odd because @windoc was also able to repro the issue.
 

@windoc
btw. I would like to know which is the DNS software that you're using to create rules?

For security reasons, I prefer not to disclose specific details about my personal network setup, including the DNS software I'm using. However, I'm happy to discuss general topics related to DNS software and its functionality
 

No problem, it's not bad to keep security setup private.
Thank you all for useful replies!
 

@TairikuOkami
I don't know why, but now I set DNS back to cloudflare, cleared the DNS cache and it's working normally o_O
It's odd because @windoc was also able to repro the issue.

I've just conducted another test with Cloudflare, and it appears to be functioning properly for me now.

If recent modifications were made to rt's SSL certificate or DNS records, it might initiate a process known as DNS propagation. This is a period during which servers across the globe update their cached internet location records to reflect these changes. During DNS propagation, some users could experience discrepancies, including certificate errors, which get resolved once the propagation is complete and the new information has been fully updated across all servers.
 

If recent modifications were made to the rt's SSL certificate or DNS records, it might initiate a process known as DNS propagation. This is a period during which servers across the globe update their cached internet location records to reflect these changes. During DNS propagation, some users could experience discrepancies, including certificate errors, which get resolved once the propagation is complete and the new information has been fully updated across all servers.
This is very likely the case because certificate that was reported as invalid said it expires as of today's date.

A new certificate shows that rt is renewing certs likely twice a year:
CJZCa3X.png


You're really expert when it comes to DNS, I've learned so much from you, thank you so much for your insights!
 

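Added example, not part of any post in this thread: a small triage routine for the question the thread ends up answering, namely whether a certificate error comes from one resolver's answers or from the site's own certificate (for instance one that has just expired). The host name, resolver names, IP addresses and certificate fields are constructed sample data; the date strings use the format that `ssl.cert_time_to_seconds` parses.

```python
import ssl
from datetime import datetime, timezone

def name_matches(san, host):
    """Exact match, or a single left-most wildcard label (*.example.test)."""
    san, host = san.lower(), host.lower()
    if san.startswith("*."):
        return "." in host and host.split(".", 1)[1] == san[2:]
    return san == host

def cert_problem(cert, host, now):
    """Return None if cert is usable for host at `now`, else the reason it is rejected."""
    ts = now.timestamp()
    if ts < ssl.cert_time_to_seconds(cert["notBefore"]):
        return "not_yet_valid"
    if ts > ssl.cert_time_to_seconds(cert["notAfter"]):
        return "expired"
    if not any(name_matches(s, host) for s in cert["san"]):
        return "name_mismatch"
    return None

def triage(host, observations, now):
    """observations: resolver name -> {"ips": [...], "cert": {...}} seen via that resolver."""
    problems = {r: cert_problem(o["cert"], host, now) for r, o in observations.items()}
    reasons = set(problems.values())
    if reasons == {None}:
        verdict = "healthy"
    elif len(reasons) == 1:
        # Every resolver path shows the same fault: the site itself, not one resolver.
        verdict = "server_side:" + reasons.pop()
    else:
        # The fault depends on which resolver answered: inspect the odd one out.
        verdict = "resolver_specific"
    # Differing IPs alone prove nothing (CDNs answer per resolver): reported, not judged.
    ips_agree = len({frozenset(o["ips"]) for o in observations.values()}) == 1
    return {"verdict": verdict, "problems": problems, "ips_agree": ips_agree}

# Constructed sample data (documentation IPs, .test names), not taken from the thread.
HOST = "news.example.test"
NOW = datetime(2023, 7, 16, 16, 0, tzinfo=timezone.utc)
OLD = {"notBefore": "Jan 16 00:00:00 2023 GMT", "notAfter": "Jul 16 12:00:00 2023 GMT", "san": ["*.example.test"]}
NEW = {"notBefore": "Jul 10 00:00:00 2023 GMT", "notAfter": "Jan 10 00:00:00 2024 GMT", "san": ["*.example.test"]}
OTHER = {"notBefore": "Jan 16 00:00:00 2023 GMT", "notAfter": "Jan 16 00:00:00 2024 GMT", "san": ["block.example.net"]}
EXPIRED_EVERYWHERE = {"resolver-a": {"ips": ["192.0.2.10"], "cert": OLD},
                      "resolver-b": {"ips": ["192.0.2.10"], "cert": OLD}}
ONE_RESOLVER_ODD = {"resolver-a": {"ips": ["198.51.100.20"], "cert": OTHER},
                    "resolver-b": {"ips": ["192.0.2.10"], "cert": NEW}}

if __name__ == "__main__":
    print(triage(HOST, EXPIRED_EVERYWHERE, NOW))
    print(triage(HOST, ONE_RESOLVER_ODD, NOW))
```

A `server_side:expired` verdict from every resolver points at the site's certificate renewal; `resolver_specific` means the certificate presented depends on which resolver's answer was followed.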
This is very likely the case because certificate that was reported as invalid said it expires as of today's date.

A new certificate shows that rt is renewing certs likely twice a year:
CJZCa3X.png


You're really expert when it comes to DNS, I've learned so much from you, thank you so much for your insights!


Thank you, but I consider myself an enthusiast, rather than an expert in DNS. I've picked up some knowledge along the way and I'm always eager to learn more. I'm glad if I've been able to provide useful information, and I appreciate our discussion as it also helps me understand and explore these topics better.
 

It seems that updating certificates is as easy as running the task, I ran both system/user tasks and it was fixed in a sec.
Given the insight by windoc of cert propagation, your solution might prove very useful in the future to force renewal of certs.

Again thank you guys for helpful replies!
 

