15

One of my friends called me saying every website anyone in her family goes to has untrusted SSL certificates. From any computer in her house, HTTPS is broken and Firefox or Chrome asks to add an exception for the site attempting to be visited.

I suspect the "IT" guy who set up her network, also set up MITM. Once I head over to her house this week I can do more investigating.

My question is this how will I be able to detect MITM? My guess would be to compare certs on a machine that can connect to the same site via different network.

Vilican
Nitrous
  • It's most likely a maliciously configured (set to use rogue DNS servers) or compromised router. Start by resetting it and see if the problem goes away. – André Borie Nov 22 '15 at 19:27
  • @AndréBorie - Disagree. Do not make drastic changes like resetting the router if there are easier ways which you did not try. – Vilican Nov 22 '15 at 19:47
  • Do you have some local proxy on your network that tries to cache common resources from the internet, or block certain sites or domains? Maybe your admin hasn't installed the proxies' certificates on your computer, and in this case your browser would complain as described... – iHaveacomputer Nov 23 '15 at 03:41
  • `how will I be able to detect MITM` bring another portable Firefox (which uses its own cert store) and see if it can browse HTTPS. – jingyu9575 Nov 23 '15 at 04:22
  • Do they have a Lenovo? Wasn't it Lenovo that implemented some sort of bloatware that has now been flagged as malware and that was basically a straight-up MITM attack? – rubynorails Nov 23 '15 at 05:08
  • They have had numerous weird network problems and they even heard clicking on their landline when talking on the phone. Thanks for all the help. I'll post again after I've checked things out. – Nitrous Nov 23 '15 at 05:16
  • Check that the system clock is correct. – AStopher Nov 23 '15 at 16:33

4 Answers

12

The first check I would do in this circumstance is to see why the browser thinks the certificate is untrusted.

The most likely case (as it's every site your friend is using) is that the certificates presented to the browser are being issued by an untrusted Certificate Authority.

If you click the error message, it should be possible to see who the issuing CA is. For example, on the cert below the issuer is Comodo.

[Image: Certificate]

That should give you a good clue as to what's going on. If it comes up as a known anti-virus provider then it's possible, as @vilican says, that it's just misconfigured software and not something malicious.

Once you've checked that, assuming you've not resolved it, my next stop would be the proxy settings for the browser and/or the operating system. If there's a proxy set there, unset it and see if that affects the problem.

Assuming you get through those two without a resolution, the next step would be considering the possibility that the router/firewall on the network is intercepting SSL traffic. You could check that by adding a new machine to the network (that you know doesn't have the issue) and see if you start getting SSL certificate warnings. If that turns out to be the issue, you'd need to speak to whoever has the access to configure the router. Again it may be a security feature doing this and not actually malicious...

Rory McCune
  • MITM by AV providers **is malicious**. It undermines your security rather than protecting it. – R.. GitHub STOP HELPING ICE Nov 23 '15 at 16:30
  • Whilst it's definitely fair to say that there are security concerns with AV providers carrying out SSL interception, I don't think I would go as far as saying it was malicious, which would imply that their intention was to harm your security. – Rory McCune Nov 23 '15 at 18:45
  • Have your Hanlon's razor if you like, but when you're that incompetent in your own line of business (security) and making money off things that make your customers' security worse, that seems indistinguishable from "malice" to me. – R.. GitHub STOP HELPING ICE Nov 23 '15 at 18:50
  • Isn't Google etc evil in the same line? Making money off things that make their customer's privacy worse? – Leif Willerts Nov 23 '15 at 21:45
  • @R.. I'm curious then how something like an AV, IDS/IPS is supposed to function correctly by protecting you from malicious traffic without being able to inspect said traffic. Maybe they should just have a function "RollDice()" on encrypted traffic and that would be safer for the user than decrypting, inspecting and re-encrypting. –  Nov 24 '15 at 02:32
  • @TechnikEmpire: They're not. You do AV on the endpoint as a feature in the browser and the OS filesystem layer. Intercepting traffic destroys the whole integrity and trust model for the sake of dubious blacklist-based virus checking that could be done more effectively at different layers. – R.. GitHub STOP HELPING ICE Nov 24 '15 at 03:50
  • @R.. Yeah I guess in terms of AV that makes sense, which was the context you were speaking in. –  Nov 24 '15 at 04:14
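As an added example (not code from Rory's answer or from any product), a PowerShell function that performs the issuer check from the first paragraph programmatically: it completes the TLS handshake regardless of trust, then reports the subject, issuer, thumbprint and the chain Windows built. The host name is an assumed input.

```powershell
# Added example, not code from the original answer. Shows the certificate a site actually
# presents on this network and who issued it, even when Windows refuses to trust it.
function Get-PresentedCertificate {
    param(
        [Parameter(Mandatory)][string]$HostName,   # assumed input: a site the family visits
        [int]$Port = 443
    )
    $captured = @{ Cert = $null; Errors = $null; Chain = @() }
    # Validation callback: record what the server sent and the chain Windows built, then
    # return $true so the handshake completes and an untrusted certificate can still be read.
    $callback = [System.Net.Security.RemoteCertificateValidationCallback]{
        param($sender, $cert, $chain, $errors)
        $captured.Cert   = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $cert
        $captured.Errors = $errors
        $captured.Chain  = @($chain.ChainElements | ForEach-Object { $_.Certificate.Subject })
        return $true
    }.GetNewClosure()

    $client = New-Object System.Net.Sockets.TcpClient -ArgumentList $HostName, $Port
    try {
        $ssl = New-Object System.Net.Security.SslStream -ArgumentList $client.GetStream(), $false, $callback
        # Force TLS 1.2 so older .NET defaults (TLS 1.0) do not make the server reject us.
        $ssl.AuthenticateAsClient($HostName, $null, [System.Security.Authentication.SslProtocols]::Tls12, $false)
    } finally {
        $client.Close()
    }
    [pscustomobject]@{
        Host         = $HostName
        Subject      = $captured.Cert.Subject
        Issuer       = $captured.Cert.Issuer        # a public CA, or the name of a proxy/AV product?
        Thumbprint   = $captured.Cert.Thumbprint    # compare with the same site from another network
        NotBefore    = $captured.Cert.NotBefore
        PolicyErrors = $captured.Errors             # None, RemoteCertificateChainErrors, RemoteCertificateNameMismatch
        Chain        = $captured.Chain -join ' <- '
    }
}

# Usage: run on a machine in the house, then on one outside it, and compare Issuer and Thumbprint.
Get-PresentedCertificate -HostName 'example.com' | Format-List
```

An issuer naming an AV product or proxy, or a thumbprint that differs between the two networks, means something on the home network is terminating TLS; Firefox keeps its own trust store, so a certificate Windows accepts can still be rejected there.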
8

I ran across a similar issue once. The date on the computer was set incorrectly - a year behind the current year and it caused all certs to give such messages.

A simple, easy thing to check first.

Kyle Maw
6

My question is this how will I be able to detect MITM?

The simplest way is to query the DNS resolver for the IP of some site from your own network and write the actual IP down somewhere. Then do the same query on your friend's network. If the IPs are different, it is time to see what recursive resolver your friend is using. A good start for this is looking in the router (DHCP server), which besides assigning IPs tells computers which DNS servers to use. The second spot is on every computer in the network: a static DNS server set on the interfaces.

If they are the same, check your friend's antivirus software. I know that Avast has a function for scanning HTTPS sites. The point is that it replaces HTTPS certificates with its own, and if you do not install its root as trusted, all HTTPS connections will be untrusted.

Vilican
  • In general it's often better to do a DNS lookup on a smaller website. It's quite likely for two computers to get two different IP addresses when they try to connect to google.com – Patrick M Nov 23 '15 at 08:13
  • Note that this only detects attacks based on DNS redirection. A real MitM attack won't influence the IPs you see. – CodesInChaos Nov 23 '15 at 10:12
1

Rory has the right answer here, but I wanted to add more. I tried to squeeze it into a comment but it's too big for that, so I'm posting an answer.

Checking the issuer is the easiest way to identify a MITM, although, as also noted by Rory, the MITM might not be an evil man in the middle; security software can be doing this.

About checking the issuer, I'd use Firefox to get the cert information. If Firefox is not accepting the issuer CA, and the CA is installed on the local machine, I'd say it's a MITM and delete the cert from the OS cert store. Firefox embeds its own store of trusted CAs and does not trust the OS stores. However, it's sadly trivial to transparently modify Firefox's trusted CA store too, so it's not a guaranteed way to check.

On Windows with things like WFP a MITM can be set up without modifying any of the settings on the OS, making it very difficult for a user to clearly identify the source software behind the diversion. WinDivert is an example of such a library, it makes it trivial to set up something like a MITM without changing any observable configuration values. However, hooking into the WFP requires creating a signed driver.

So, to catch these attacks as well, you can check installed/running services and drivers from a console with administrator rights with two queries:

To get installed/running services:

sc query

To get installed/running drivers:

driverquery

Note that this will only help clearly decide if something is intercepting HTTPS traffic locally. Identifying and cleaning up whatever is responsible is a different matter altogether.
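A read-only triage script for the checks in this answer and in Vilican's DNS-resolver answer, as an added example (not part of either answer): system proxy settings, DNS servers and a sample lookup, recently added root CAs, and running drivers not signed by Microsoft. It assumes an elevated PowerShell on Windows 8 or later; the two-year root age filter and the example host name are this script's own choices.

```powershell
# Added example, not code from the original answers. Read-only triage from an elevated
# PowerShell; each step prints something to review rather than a verdict.

# 1. System proxy used by Chrome, Edge and IE (Firefox keeps its own proxy settings).
Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings' |
    Select-Object ProxyEnable, ProxyServer, AutoConfigURL

# 2. DNS servers each adapter is using, plus how a name resolves here. Write the addresses
#    down and repeat the lookup on another network (this only catches DNS-based redirection).
Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses } |
    Select-Object InterfaceAlias, ServerAddresses
# The host name below is an assumption; pick a smaller site than google.com, as Patrick M notes.
Resolve-DnsName -Name 'example.com' -Type A -DnsOnly | Select-Object Name, IPAddress

# 3. Root CAs an AV product or proxy would have had to install for its certificates to be
#    trusted. CurrentUser\Root is normally almost empty; in LocalMachine\Root the age filter
#    (a heuristic of this script) hides long-standing public roots and keeps recent additions.
foreach ($store in 'Cert:\CurrentUser\Root', 'Cert:\LocalMachine\Root') {
    Get-ChildItem $store |
        Where-Object { $_.NotBefore -gt (Get-Date).AddYears(-2) } |
        Select-Object @{ n = 'Store'; e = { $store } }, Subject, NotBefore, Thumbprint
}

# 4. Running kernel drivers whose signer is not Microsoft. A WFP callout driver used for
#    interception must be loaded and signed, so it appears here even with no visible settings.
#    Catalog-signed inbox drivers can report no embedded signer, so this is a list to review,
#    not a list of findings.
Get-CimInstance Win32_SystemDriver -Filter "State='Running'" | ForEach-Object {
    # Normalise the kernel path forms seen in PathName: \??\C:\..., \SystemRoot\..., relative.
    $path = $_.PathName -replace '^\\\?\?\\', '' -replace '^\\SystemRoot', $env:SystemRoot
    if ($path -and -not [IO.Path]::IsPathRooted($path)) { $path = Join-Path $env:SystemRoot $path }
    $sig = if ($path -and (Test-Path -LiteralPath $path)) { Get-AuthenticodeSignature -FilePath $path } else { $null }
    [pscustomobject]@{
        Name   = $_.Name
        Path   = $path
        Signer = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { 'no embedded signature' }
    }
} | Where-Object { $_.Signer -notmatch 'Microsoft' } | Format-Table -AutoSize
```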