
#1 2009-06-07 16:57:51

scv5
Member
Registered: 2008-10-19
Posts: 109

Firefox certification problems with all HTTPS google sites

Every Google site (https://reader.google.com, https://mail.google.com, etc.) says "Secure Connection Failed www.google.com uses an invalid security Certificate.  The certificate is only valid for a248.e.akamai.net". If I click to add an exception and "Get Certificate", I get told that the certificate belongs to a different site, which could indicate identity theft.

Oddly,  midori isn't having this problem and neither is offlineimap when syncing my gmail account.  This is only firefox and only on my Arch computer.

Any ideas?

Offline

#2 2009-06-07 17:02:39

SpeedVin
Member
From: Poland
Registered: 2009-04-29
Posts: 955

Re: Firefox certification problems with all HTTPS google sites

What version of Firefox do you have?


Shell Scripter | C/C++/Python/Java Coder | ZSH

Offline

#3 2009-06-07 17:06:39

scv5
Member
Registered: 2008-10-19
Posts: 109

Re: Firefox certification problems with all HTTPS google sites

Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.0.10) Gecko/2009042809 GranParadiso/3.0.10

Offline

#4 2009-06-07 17:11:04

SpeedVin
Member
From: Poland
Registered: 2009-04-29
Posts: 955

Re: Firefox certification problems with all HTTPS google sites

Did you try another version of Firefox?
When did this problem appear?

Last edited by SpeedVin (2009-06-07 17:11:18)


Shell Scripter | C/C++/Python/Java Coder | ZSH

Offline

#5 2009-06-07 17:30:43

scv5
Member
Registered: 2008-10-19
Posts: 109

Re: Firefox certification problems with all HTTPS google sites

Nope, I've only had this one instance of Firefox installed on this system.

Offline

#6 2009-06-07 17:37:26

damjan
Member
Registered: 2006-05-30
Posts: 452

Re: Firefox certification problems with all HTTPS google sites

you should also consider the possibility that someone is trying to hack you

edit: and by "hack you" I mean playing man in the middle, trying to steal your password

Last edited by damjan (2009-06-07 17:38:14)

Offline

#7 2009-06-07 17:43:32

SpeedVin
Member
From: Poland
Registered: 2009-04-29
Posts: 955

Re: Firefox certification problems with all HTTPS google sites

You can compile a new version from AUR ;)


Shell Scripter | C/C++/Python/Java Coder | ZSH

Offline

#8 2009-06-07 19:07:11

scv5
Member
Registered: 2008-10-19
Posts: 109

Re: Firefox certification problems with all HTTPS google sites

damjan wrote:

you should also consider the possibility that someone is trying to hack you

edit: and by "hack you" I mean playing man in the middle, trying to steal your password

I have, that's why I haven't installed the cert.   I find it really odd that my system would be compromised though.  For the following reasons:

The only service I run on my machine (we'll call this Box2) that accepts outside connections is ssh, on a non-default port.  This port cannot be reached from outside of my home network.  My router/firewall for my home (ipCop) doesn't forward a thing to this box.  If I want to ssh to my main PC, I must ssh to another box first (we'll call this Box1), then ssh to this one.

The router only accepts on a non-default port from a single IP address to allow ssh traffic through to Box1.  Box1's iptables and tcpwrappers are both set to only accept connections from a single IP for ssh.  Denyhosts is set up to block an IP after 3 failed attempts.

Box2's (the box with the problem) iptables firewall setup is incredibly strict.  I have blocked by default all outgoing and incoming traffic and whitelisted exactly what I need only.

My browser blocks all cookies and javascript by default (noscript and cookiesafe), and my whitelists for both of these are sites that I trust very well.

So while it's possible I've been compromised somehow... and someone's playing a man in the middle attack.. on only one PC in my network (me and my girlfriend are the only ones with physical access and there's no wireless access), I highly doubt it.

Here are my iptables rules for the possibly compromised box:

# Generated by iptables-save v1.4.3.2 on Wed May 13 18:53:16 2009
*filter
:INPUT DROP [4:817]
:FORWARD DROP [0:0]
:OUTPUT DROP [12:720]
-A INPUT -s 127.0.0.0/8 -i eth0 -j DROP 
-A INPUT -s 192.168.0.0/16 -i eth0 -j DROP 
-A INPUT -s 172.16.0.0/12 -i eth0 -j DROP 
-A INPUT -s 10.0.0.0/8 -i eth0 -j DROP 
-A INPUT -i lo -j ACCEPT 
-A INPUT -s 192.168.0.123/32 -p tcp -m tcp --dport 500 -j ACCEPT 
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT 
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT 
-A INPUT -f -j DROP 
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j DROP 
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP 
-A OUTPUT -p icmp -j ACCEPT 
-A OUTPUT -p udp -m udp --dport 53 -j ACCEPT 
-A OUTPUT -p tcp -m tcp --dport 587 -j ACCEPT 
-A OUTPUT -p tcp -m tcp --dport 993 -j ACCEPT 
-A OUTPUT -p tcp -m tcp --dport 80 -j ACCEPT 
-A OUTPUT -p tcp -m tcp --dport 443 -j ACCEPT 
-A OUTPUT -p tcp -m tcp --dport 20 -j ACCEPT 
-A OUTPUT -p tcp -m tcp --dport 21 -j ACCEPT 
-A OUTPUT -p tcp -m tcp --dport 22 -j ACCEPT 
-A OUTPUT -p udp -m udp --dport 137 -j ACCEPT 
-A OUTPUT -p udp -m udp --dport 138 -j ACCEPT 
-A OUTPUT -p tcp -m tcp --dport 139 -j ACCEPT 
-A OUTPUT -p tcp -m tcp --dport 445 -j ACCEPT 
-A OUTPUT -p tcp -m tcp --dport 5190 -j ACCEPT 
-A OUTPUT -p udp -m udp --dport 5190 -j ACCEPT 
-A OUTPUT -p udp -m udp --dport 5222:5223 -j ACCEPT 
-A OUTPUT -p tcp -m tcp --dport 5222:5223 -j ACCEPT 
-A OUTPUT -p tcp -m tcp --dport 6667 -j ACCEPT 
-A OUTPUT -p tcp -m tcp --dport 2242 -j ACCEPT 
-A OUTPUT -o lo -j ACCEPT 
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT 
-A OUTPUT -p tcp -m tcp --dport 43 -j ACCEPT 
-A OUTPUT -p tcp -m tcp --dport 59155 -j ACCEPT 
-A OUTPUT -p udp -m udp --dport 59155 -j ACCEPT 
COMMIT
# Completed on Wed May 13 18:53:16 2009
# Generated by iptables-save v1.4.3.2 on Wed May 13 18:53:16 2009
*nat
:PREROUTING ACCEPT [4:817]
:POSTROUTING ACCEPT [9:1034]
:OUTPUT ACCEPT [21:1754]
COMMIT

Last edited by scv5 (2009-06-07 19:18:01)

Offline

#9 2009-06-07 23:22:55

scv5
Member
Registered: 2008-10-19
Posts: 109

Re: Firefox certification problems with all HTTPS google sites

I just moved my ~/.mozilla folder and tried using FF again.  And same results.

Edit:

Also after a pacman -Rns firefox and pacman -Sy firefox, the problem still persists.  Apparently the only way around this is to install a certificate that doesn't look legit? What gives?

Last edited by scv5 (2009-06-08 00:19:24)

Offline
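
The error message in this thread is a hostname mismatch: the server answered for www.google.com with a certificate issued for a248.e.akamai.net. As an added example (not part of any post in the thread), this Python code performs that name check and reads the names of the certificate actually presented, outside Firefox; the sample certificates are constructed, and cert_names, name_matches, diagnose and fetch_cert are hypothetical helper names.

```python
import socket
import ssl

def cert_names(cert):
    """DNS names a certificate claims, from a dict shaped like SSLSocket.getpeercert()."""
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if sans:
        return sans
    # No subjectAltName: fall back to the subject commonName (legacy behaviour).
    return [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]

def name_matches(host, pattern):
    """Case-insensitive match; '*' is honoured only as the whole left-most label."""
    h = host.lower().rstrip(".").split(".")
    p = pattern.lower().rstrip(".").split(".")
    if len(h) != len(p):
        return False
    if p[0] == "*":
        return len(p) > 2 and h[1:] == p[1:]
    return h == p

def diagnose(host, cert):
    """Report whether the certificate covers the host that was requested."""
    names = cert_names(cert)
    if any(name_matches(host, n) for n in names):
        return "ok: certificate covers " + host
    return "MISMATCH: asked for %s, certificate is only valid for %s" % (host, ", ".join(names))

def fetch_cert(host, port=443):
    """Validate the chain but skip the hostname check, so the names can be inspected."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # diagnostic only: diagnose() does the name comparison
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

# Constructed sample using the name from the error message; the wildcard entry is made up.
AKAMAI_CERT = {"subject": ((("commonName", "a248.e.akamai.net"),),),
               "subjectAltName": (("DNS", "a248.e.akamai.net"), ("DNS", "*.akamai.net"))}
# Constructed sample of a certificate that does cover the requested host.
GOOGLE_CERT = {"subject": ((("commonName", "www.google.com"),),)}

if __name__ == "__main__":
    print(diagnose("www.google.com", AKAMAI_CERT))
    print(diagnose("www.google.com", GOOGLE_CERT))
    # Live check (needs network):
    # print(diagnose("www.google.com", fetch_cert("www.google.com")))
```

fetch_cert needs network access and uses the system CA store rather than Firefox's; if the presented chain does not validate at all it raises ssl.SSLCertVerificationError instead of returning names.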

#10 2009-06-09 03:03:50

arunix
Member
From: /home/kurali
Registered: 2009-04-08
Posts: 93

Re: Firefox certification problems with all HTTPS google sites

damjan wrote:

you should also consider the possibility that someone is trying to hack you

edit: and by "hack you" I mean playing man in the middle, trying to steal your password

is it possible with "linux" ?


Minds are like parachutes. They only function when they are open.

Offline

#11 2009-06-09 10:58:02

R00KIE
Forum Fellow
From: Between a computer and a chair
Registered: 2008-09-14
Posts: 4,734

Re: Firefox certification problems with all HTTPS google sites

I would check the iptables rules on box2, maybe you have a port closed that would be used by the secure connection.

I would start by running a stock firefox, no adblock, no noscript, allow cookies, no iptables and see if it works, if it does then start adding things until it fails.
My guess is that if you are behind a firewall you will be safe while doing the test and just trying to open the pages you mentioned (and without accepting any fishy certificates).


R00KIE
Tm90aGluZyB0byBzZWUgaGVyZSwgbW92ZSBhbG9uZy4K

Offline

#12 2009-06-22 01:12:31

damjan
Member
Registered: 2006-05-30
Posts: 452

Re: Firefox certification problems with all HTTPS google sites

arunix wrote:
damjan wrote:

you should also consider the possibility that someone is trying to hack you

edit: and by "hack you" I mean playing man in the middle, trying to steal your password

is it possible with "linux" ?

Sure, why not ...

The way this works is, you're surfing the net via an unsecured WiFi... it's fairly easy for someone to make all the IP traffic go through his router. Now, the attacker could do anything, like make all the images on the sites you visit upside-down. A bad thing would be if you do "pacman -Syu" he can see that and substitute different (malicious) packages instead.

http://en.wikipedia.org/wiki/Man-in-the-middle_attack

Offline

#13 2009-06-22 15:42:41

broch
Banned
From: L.A. California
Registered: 2006-11-13
Posts: 975

Re: Firefox certification problems with all HTTPS google sites

damjan wrote:
arunix wrote:
damjan wrote:

you should also consider the possibility that someone is trying to hack you

edit: and by "hack you" I mean playing man in the middle, trying to steal your password

is it possible with "linux" ?

Sure, why not ...

The way this works is, you're surfing the net via an unsecured WiFi... it's fairly easy for someone to make all the IP traffic go through his router. Now, the attacker could do anything, like make all the images on the sites you visit upside-down. A bad thing would be if you do "pacman -Syu" he can see that and substitute different (malicious) packages instead.

http://en.wikipedia.org/wiki/Man-in-the-middle_attack

What is the point of frightening users with quite improbable scenarios?

Nobody sane will bother with a MITM like the one you just described: if one wants to get to Arch users, then he will break into the Arch FTP server, which in fact was already done with well-known distros.

Most issues with unsecured WiFi are related to hijacked networks; for this one needs a network sniffer, and this is mostly it.

The original problem probably comes from misconfigured settings (not only the browser, but an added local certificate, or the firewall and so on).

If someone hacks your machine, it will take more time to realize that your box is compromised.

Last edited by broch (2009-06-22 15:43:26)

Offline

#14 2009-06-22 15:59:22

cactus
Taco Eater
From: t͈̫̹ͨa͖͕͎̱͈ͨ͆ć̥̖̝o̫̫̼s͈̭̱̞͍̃!̰
Registered: 2004-05-25
Posts: 4,622
Website

Re: Firefox certification problems with all HTTPS google sites

broch wrote:

What is the point of frightening users with quite improbable scenarios?

http://www.ex-parrot.com/~pete/upside-down-ternet.html


"Be conservative in what you send; be liberal in what you accept." -- Postel's Law
"tacos" -- Cactus' Law
"t̥͍͎̪̪͗a̴̻̩͈͚ͨc̠o̩̙͈ͫͅs͙͎̙͊ ͔͇̫̜t͎̳̀a̜̞̗ͩc̗͍͚o̲̯̿s̖̣̤̙͌ ̖̜̈ț̰̫͓ạ̪͖̳c̲͎͕̰̯̃̈o͉ͅs̪ͪ ̜̻̖̜͕" -- -̖͚̫̙̓-̺̠͇ͤ̃ ̜̪̜ͯZ͔̗̭̞ͪA̝͈̙͖̩L͉̠̺͓G̙̞̦͖O̳̗͍

Offline

#15 2009-06-22 16:10:49

broch
Banned
From: L.A. California
Registered: 2006-11-13
Posts: 975

Re: Firefox certification problems with all HTTPS google sites

cactus wrote:
broch wrote:

What is the point of frightening users with quite improbable scenarios?

http://www.ex-parrot.com/~pete/upside-down-ternet.html

Yup, most polite way....
+ log connection attempts

But this (network stealing) does not seem to be the OP's problem.

Offline
