On Monday, 19 October 2020, 18:34:17 CEST, Lew Wolfgang wrote:
On 10/19/20 8:32 AM, Mathias Homann wrote:
Is there any chance to take that laptop somewhere where you'll definitely NOT be on a vodafone connection, and see if the problem persists?
And if it does NOT we should definitely talk to a lot of people.
I believe that MITM interference can be detected by looking at a web site's certificate fingerprint. This link explains:
https://www.grc.com/fingerprints.htm
For example, if you visit that site, you can confirm that its cert fingerprint is 7A:85:1C:F0:F6:9F:D0:CC:EA:EA:9A:88:01:96:BF:79:8C:E1:A8:33
If it's not, you're looking at that site through a MITM.
All tests are done with Firefox 81.0.1 as of TW 20201014. Always check if the DNS name in the certificates matches. Note, Firefox is *not* able to save these html certificate pages; you need to use the store links on that page.

Vodafone Cable: SHA1 fingerprints for www.grc.com, www.linkedin.com and wordpress.com match, all others deviate:

https://www.facebook.com: D9:8F:D8:BB:5D:98:AA:06:03:50:50:AC:07:82:6C:2B:D0:1C:EB:9A
https://www.paypal.com: BD:DE:B3:95:6B:86:79:B8:27:86:DA:4D:75:3C:53:AA:04:1E:08:92
https://twitter.com: 86:CD:B1:CB:95:44:0C:F6:81:AB:C8:B2:29:F3:63:F8:9D:F9:11:89
https://www.blogger.com: 34:80:AE:BE:88:F3:37:CC:53:D5:99:F7:9E:F3:8A:A0:E0:A7:CA:28
https://de.yahoo.com: 5A:8F:B8:BA:9B:59:AD:84:72:28:54:70:74:82:A3:32:67:C8:53:FB

Yahoo always redirects to de.

Now, I repeated these tests with a Telekom Mobile connection:

https://www.facebook.com: [same as above] D9:8F:D8:BB:5D:98:AA:06:03:50:50:AC:07:82:6C:2B:D0:1C:EB:9A
https://www.paypal.com: [correct now] BC:5C:03:64:3B:FA:1A:5E:A8:51:9B:8E:7E:2D:7D:5E:30:AB:EA:30
https://twitter.com: [same as above] 86:CD:B1:CB:95:44:0C:F6:81:AB:C8:B2:29:F3:63:F8:9D:F9:11:89
https://www.blogger.com: [same as above] 34:80:AE:BE:88:F3:37:CC:53:D5:99:F7:9E:F3:8A:A0:E0:A7:CA:28
https://de.yahoo.com: [same as above] 5A:8F:B8:BA:9B:59:AD:84:72:28:54:70:74:82:A3:32:67:C8:53:FB

Excluding the special PayPal case, and given that the two biggest providers in Germany are not totally penetrated, grc.com's fingerprints seem wrong in some cases. The inclined reader should perhaps check this h{im,er}self.

Here's the cert diff of PayPal:

--- certs@vodafone/www-paypal-com.txt 2020-10-19 22:05:30.441182094 +0200
+++ certs@telekom/www-paypal-com.txt 2020-10-19 22:05:43.158802852 +0200
@@ -2,44 +2,44 @@ Certificate: Data: Version: 3 (0x2) Serial Number: - 07:41:da:c6:19:b9:7b:b7:28:9a:a5:94:ce:26:c0:cd + 0e:c3:4e:77:02:57:00:4f:ad:cc:f4:a2:f5:19:d6:0c Signature Algorithm: sha256WithRSAEncryption Issuer: C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert SHA2 Extended Validation Server CA Validity - Not Before: Mar 10 00:00:00 2020 GMT - Not After : Mar 15 12:00:00 2022 GMT + Not Before: Jan 9 00:00:00 2020 GMT + Not After : Jan 12 12:00:00 2022 GMT Subject: businessCategory = Private Organization, jurisdictionC = US, jurisdictionST = Delaware, serialNumber = 3014267, C = US, ST = California, L = San Jose, O = "PayPal, Inc.", OU = CDN Support, CN = www.paypal.com Subject Public Key Info: Public Key Algorithm: rsaEncryption RSA Public-Key: (2048 bit) Modulus: - 00:cd:5f:3d:cd:ba:01:94:28:80:a0:e6:2f:22:ec: - 4d:a3:31:e9:41:81:91:ac:a2:36:7f:72:47:b8:92: - f8:c1:67:3e:bf:cd:22:d6:3b:d6:82:59:90:9c:8e: - e0:06:b0:3d:7a:80:79:a9:23:07:53:7f:9f:de:e6: - d7:ab:03:b9:b5:e4:a7:e5:46:1a:b1:e9:99:c3:8c: - 0f:a5:f5:39:c3:98:af:89:29:fb:c6:e0:ca:ef:8f: - 31:f4:84:57:bb:a9:32:08:c4:ff:36:72:cb:00:4f: - f0:b9:56:8d:9d:32:bc:3d:91:b9:d1:42:8d:89:c3: - 77:47:58:ba:9e:80:16:a6:13:49:7b:df:2c:b4:ee: - 02:8c:3d:58:5f:aa:94:90:22:03:d9:04:4d:69:ec: - 11:fe:ad:c6:3d:97:17:c9:81:a9:a2:f6:9b:c7:82: - 41:08:07:e8:ca:bc:17:ec:c3:12:6a:c8:57:fc:77: - 1a:a5:93:b7:c1:bb:05:fa:d3:b7:18:4d:59:22:e4: - f1:9b:74:07:60:3b:c3:4e:45:1b:3e:d7:ed:ed:2e: - 60:82:fe:56:b7:d5:14:60:2d:cf:89:e2:ed:24:50: - 44:0f:7c:c2:88:58:d6:36:ff:7b:1f:fa:33:65:d9: - 56:0b:6e:c6:1d:29:df:87:83:85:a8:dc:a7:3a:d6: - b8:93 + 00:ab:9a:c4:47:e6:4f:4b:f0:7a:29:6f:9a:1d:6b: + 4e:d5:04:0e:b2:02:ed:8d:d1:a9:ae:d5:da:20:8c: + 7e:8a:49:1a:3c:09:13:f7:72:ee:2e:40:e0:29:41: + 02:78:97:55:f8:06:0d:7b:2a:e3:e0:b3:e5:64:f2: + de:b8:b8:35:e1:c5:7c:eb:12:e3:68:47:74:6c:bc: + 04:25:33:09:17:28:e0:c9:3a:b2:4e:65:50:d0:4a: + e4:3b:b2:e1:2e:82:45:cb:52:05:3b:a4:b7:37:eb: + 
c8:29:fc:43:67:cc:66:a9:e5:9f:22:1b:1b:f7:86: + 36:35:9b:45:f5:0f:6c:3d:1d:15:55:5d:fe:ca:7d: + 5c:ef:1d:76:b7:f0:59:85:89:1a:c9:d2:bf:58:bc: + 26:9c:11:75:60:cb:59:e6:74:18:ee:0e:06:bc:54: + a1:47:f9:f5:b5:c0:be:ad:6d:ee:dd:99:b6:50:ed: + 85:33:f5:bd:93:4b:66:a9:08:f0:67:c7:bd:42:24: + c2:3b:e3:7f:f1:e2:51:62:b5:51:ae:21:a8:24:d9: + c9:ed:d3:b4:60:17:6a:0c:78:69:c1:96:ad:62:1d: + 18:11:a6:ea:f4:83:eb:2d:ae:b0:be:2e:56:9d:cf: + 9d:2c:70:5a:df:b2:1e:3a:c7:e4:23:e3:3b:58:e1: + fd:9d Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Authority Key Identifier: keyid:3D:D3:50:A5:D6:A0:AD:EE:F3:4A:60:0A:65:D3:21:D4:F8:F8:D6:0F X509v3 Subject Key Identifier: - A7:47:98:D1:12:78:DB:51:32:FA:8D:BF:1D:2E:6E:C3:0E:CD:CC:ED + F0:1E:F5:E3:EE:33:53:69:54:6A:27:40:E0:CE:84:B6:69:68:4B:9E X509v3 Subject Alternative Name: - DNS:www.paypal.com, DNS:www-st.paypal.com, DNS:history.paypal.com + DNS:www.paypal.com, DNS:login.paypal.com, DNS:history.paypal.com, DNS:www.paypalobjects.com, DNS:pics.paypal.com X509v3 Key Usage: critical Digital Signature, Key Encipherment X509v3 Extended Key Usage: 
@@ -66,95 +66,96 @@ Certificate: CT Precertificate SCTs: Signed Certificate Timestamp: Version : v1 (0x0) - Log ID : EE:4B:BD:B7:75:CE:60:BA:E1:42:69:1F:AB:E1:9E:66: - A3:0F:7E:5F:B0:72:D8:83:00:C4:7B:89:7A:A8:FD:CB - Timestamp : Mar 10 17:16:18.044 2020 GMT + Log ID : A4:B9:09:90:B4:18:58:14:87:BB:13:A2:CC:67:70:0A: + 3C:35:98:04:F9:1B:DF:B8:E3:77:CD:0E:C8:0D:DC:10 + Timestamp : Jan 9 00:41:33.309 2020 GMT Extensions: none Signature : ecdsa-with-SHA256 - 30:46:02:21:00:F0:BB:36:25:D8:23:AE:01:8E:8E:84: - E4:0E:90:A1:C5:C3:27:41:CC:01:EA:D2:77:EA:FA:C8: - F1:E2:93:12:86:02:21:00:CB:A9:16:94:FA:DC:F9:97: - 25:17:FD:C9:89:80:6B:01:C5:61:F2:46:E3:60:26:D4: - B2:88:7E:37:31:39:D4:50 + 30:46:02:21:00:F6:D8:70:6F:DE:F3:A1:DF:10:DF:94: + 78:E6:27:98:A9:7C:60:D1:C2:09:7D:39:DE:18:E6:4B: + D4:79:F7:FB:00:02:21:00:A5:B9:13:F3:F6:69:AB:70: + DC:D0:F3:AD:1F:EF:FA:4F:57:0E:38:00:6C:48:A8:78: + 99:9C:8C:32:94:97:21:24 Signed Certificate Timestamp: Version : v1 (0x0) Log ID : 56:14:06:9A:2F:D7:C2:EC:D3:F5:E1:BD:44:B2:3E:C7: 46:76:B9:BC:99:11:5C:C0:EF:94:98:55:D6:89:D0:DD - Timestamp : Mar 10 17:16:18.078 2020 GMT + Timestamp : Jan 9 00:41:33.535 2020 GMT Extensions: none Signature : ecdsa-with-SHA256 - 30:46:02:21:00:F6:C2:EA:CE:80:A5:3A:2A:ED:06:9D: - 07:8B:61:1B:14:F3:28:36:C6:A0:67:92:89:D6:53:66: - D4:56:6B:01:D7:02:21:00:DB:5E:24:47:FE:41:4E:A8: - D9:9A:B3:33:58:FC:25:42:79:96:9E:CC:7C:96:AC:38: - F7:A6:2A:EE:09:CE:15:10 + 30:45:02:21:00:FF:91:95:F6:47:8B:41:58:C0:BD:19: + 73:8B:9F:98:A0:5C:F2:9A:24:22:2A:F2:64:0F:48:B7: + DE:40:22:8D:DC:02:20:4B:9A:A9:F1:79:A3:01:65:10: + CA:BC:FC:24:F5:0A:9D:9A:1A:05:10:F0:2E:0C:EF:CC: + A9:AF:24:84:13:29:A0 Signed Certificate Timestamp: Version : v1 (0x0) - Log ID : BB:D9:DF:BC:1F:8A:71:B5:93:94:23:97:AA:92:7B:47: - 38:57:95:0A:AB:52:E8:1A:90:96:64:36:8E:1E:D1:85 - Timestamp : Mar 10 17:16:17.984 2020 GMT + Log ID : EE:4B:BD:B7:75:CE:60:BA:E1:42:69:1F:AB:E1:9E:66: + A3:0F:7E:5F:B0:72:D8:83:00:C4:7B:89:7A:A8:FD:CB + Timestamp : Jan 9 
00:41:33.381 2020 GMT Extensions: none Signature : ecdsa-with-SHA256 - 30:45:02:20:30:08:34:13:7D:35:8D:A3:EE:B3:C8:D1: - 1C:40:B1:DC:40:78:76:6C:7D:8B:D6:06:9A:99:BF:7B: - 09:63:14:1A:02:21:00:ED:76:8A:E0:EC:80:23:E7:C6: - 4E:50:DB:5A:B2:C9:D8:16:3E:1C:B2:11:CF:F0:7A:80: - C7:47:6C:27:39:E0:CC + 30:44:02:20:08:FE:99:AB:2F:BE:95:36:08:E0:23:F7: + FA:0D:EE:50:A2:46:00:51:D3:F4:8A:75:8C:74:62:02: + A4:53:5C:8A:02:20:13:8A:4C:E6:E2:C7:0D:38:39:EB: + 49:29:D4:23:43:4C:FA:4B:01:8C:D2:DB:CB:7F:39:4C: + 84:14:E4:A4:DD:24 Signature Algorithm: sha256WithRSAEncryption - 2d:ec:38:8d:c0:a9:e7:95:69:72:73:e1:4b:31:d0:4a:93:95: - de:81:c2:bb:50:57:79:18:2f:1c:b9:36:b2:01:6c:f8:31:47: - 8f:24:e7:84:f9:68:cd:28:4a:86:f8:24:b0:f3:0e:dc:18:4d: - 18:2b:d8:a9:73:6e:6e:21:43:20:94:a7:33:d9:7c:a7:87:7c: - 25:8d:09:4d:5f:e4:b7:91:91:e5:2d:21:fb:3c:87:60:da:5f: - 0f:0f:b3:04:24:bc:4e:32:5f:e3:39:86:35:8d:55:ba:52:72: - f4:91:22:90:95:ce:aa:fc:c0:9f:eb:b2:ec:a2:97:66:78:d8: - 1e:83:cc:26:44:89:f2:21:fc:14:5e:42:de:cf:26:6d:f9:85: - 8d:83:35:45:64:92:e3:8a:5d:7b:34:df:24:9f:e6:9a:3a:52: - 33:27:25:8a:10:57:2b:5b:e6:15:3c:43:41:ac:6d:2e:18:ac: - 61:b3:5d:e6:1c:71:0f:0d:a8:65:36:22:6e:bb:9c:e0:42:c1: - 98:96:41:6e:bc:a2:71:a0:52:6e:60:78:a5:51:42:0b:92:5f: - ca:42:36:74:ff:d3:c9:30:b1:57:e5:b2:fb:e7:23:8c:05:1e: - 86:ad:7d:7b:f2:dd:43:6a:2b:82:87:ea:a4:01:4a:8e:a4:f5: - 9d:29:2d:78 + 95:06:8c:5c:1c:39:aa:19:33:0c:70:58:7f:94:2b:a4:71:be: + f7:13:4e:23:73:f0:a8:7c:35:16:0e:e2:be:59:56:3d:8c:5d: + fa:8c:fb:dd:de:8e:34:a3:6a:b3:86:5b:29:52:4a:5f:f7:cb: + 1f:33:b8:c8:60:3b:30:72:94:fc:61:df:5d:80:2f:f9:8f:ad: + f3:85:98:2a:e8:ed:6c:02:e1:3e:d0:cc:ef:68:36:4e:ae:51: + 6d:ca:2e:7b:ae:a3:79:3d:27:67:74:15:4d:cf:c9:1d:a1:f9: + 43:69:ce:66:b2:eb:ec:c4:31:48:27:d9:2d:e2:eb:f4:72:0a: + 73:23:d1:9c:5d:8e:34:b2:95:a3:a8:09:16:ce:2f:bf:d1:f8: + 47:bd:c1:6d:36:7e:3a:9c:58:c1:47:40:92:8e:b6:32:97:89: + 5e:fb:46:c3:3d:2c:06:46:23:86:2a:6c:d2:3a:18:3e:3a:2b: + 
fc:c3:3a:c0:17:6a:4c:32:f5:d2:a8:a9:a3:5f:2a:53:c9:bf: + 88:9f:0f:c6:74:63:7d:83:17:49:60:72:d2:cb:c9:b8:02:58: + f7:d9:f0:3c:fe:1f:4d:fb:eb:43:a0:fa:58:9e:19:1c:b7:6c: + 45:ec:0c:b9:0d:4a:09:be:76:68:35:48:62:5c:82:3c:80:e4: + e7:7b:66:f7

Obviously, both certificates appear valid; the major deviation is in the X509v3 Subject Alternative Names. Why their CDN delivers two different certificates from January and March this year escapes me. Claiming the same serial number in the Subject is even more suspicious, although the real serial numbers differ (I would be even more alarmed otherwise). The whole case stinks, but it's unclear where the stink comes from.

What do you guys think?

Cheers,
Pete
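Review bot: the "serialNumber = 3014267" inside the Subject line is identical on both sides because it is part of the EV subject name (the organisation's registration number, next to jurisdictionC and jurisdictionST), not the certificate's serial; the Serial Number field a few lines above is what identifies the certificate, and that one does differ (07:41:da:... vs 0e:c3:4e:...), so the shared Subject serial is expected rather than suspicious. Both leaves name the same Issuer and the same Authority Key Identifier (keyid:3D:D3:50:...) and each carries Signed Certificate Timestamps, so the check that would settle the question is looking both serial numbers up in the CT logs those SCTs reference: a certificate minted by an interception box would not carry valid SCTs for a leaf under that DigiCert EV CA. Differing SAN lists and validity windows under one issuer are what a CDN serving more than one legitimately issued certificate for www.paypal.com looks like.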
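As an added, offline illustration of the comparison Pete and Lew describe (my own script, not from the thread, grc.com or openssl): it reads two abbreviated openssl x509 -text dumps carrying the serial, issuer, authority key id and SAN values from the PayPal diff, and separates the alarming differences (a different signer, or a certificate that does not cover the visited host) from the CDN-typical ones (distinct serials, differing SAN lists). The regex field extraction is my own assumption about the dump layout.

```python
import re
# Abbreviated openssl x509 -text dumps, cut down to the fields compared below.
# The values are the ones in the diff above (Vodafone side / Telekom side).
CERT_VODAFONE = """\
        Serial Number:
            07:41:da:c6:19:b9:7b:b7:28:9a:a5:94:ce:26:c0:cd
        Issuer: C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert SHA2 Extended Validation Server CA
            X509v3 Authority Key Identifier:
                keyid:3D:D3:50:A5:D6:A0:AD:EE:F3:4A:60:0A:65:D3:21:D4:F8:F8:D6:0F
            X509v3 Subject Alternative Name:
                DNS:www.paypal.com, DNS:www-st.paypal.com, DNS:history.paypal.com
"""
CERT_TELEKOM = (CERT_VODAFONE  # same issuer and AKI, another serial and SAN list
    .replace("07:41:da:c6:19:b9:7b:b7:28:9a:a5:94:ce:26:c0:cd",
             "0e:c3:4e:77:02:57:00:4f:ad:cc:f4:a2:f5:19:d6:0c")
    .replace("DNS:www-st.paypal.com",
             "DNS:login.paypal.com, DNS:www.paypalobjects.com, DNS:pics.paypal.com"))

FIELDS = {  # hand-written regexes over the text dump (an assumption about its layout)
    "serial": r"Serial Number:\s*\n\s*([0-9a-f:]+)",
    "issuer": r"Issuer: (.+)",
    "aki": r"Authority Key Identifier:\s*\n\s*keyid:([0-9A-F:]+)",
    "san": r"Subject Alternative Name:\s*\n\s*(.+)",
}

def parse_cert_text(text):
    """Return serial, issuer, AKI and the sorted list of SAN DNS names."""
    fields = {}
    for name, pattern in FIELDS.items():
        m = re.search(pattern, text)
        fields[name] = m.group(1).strip() if m else None
    fields["san"] = sorted(s.strip().split(":", 1)[1]
                           for s in (fields["san"] or "").split(",") if s.strip())
    return fields

def triage(text_a, text_b, host):
    """Split differences into alarms (another signer, host not covered) and notes (CDN-like)."""
    a, b = parse_cert_text(text_a), parse_cert_text(text_b)
    alarms, notes = [], []
    for field in ("issuer", "aki"):        # a different CA behind the leaf is the real red flag
        if a[field] != b[field]:
            alarms.append(f"{field} differs: {a[field]} vs {b[field]}")
    for label, c in (("A", a), ("B", b)):  # the DNS names must cover the host that was visited
        if host not in c["san"]:
            alarms.append(f"cert {label} does not cover {host}")
    if a["serial"] != b["serial"]:
        notes.append("two distinct certificates (serial numbers differ)")
    only_a, only_b = sorted(set(a["san"]) - set(b["san"])), sorted(set(b["san"]) - set(a["san"]))
    if only_a or only_b:
        notes.append(f"SAN only in A: {only_a}; only in B: {only_b}")
    return {"alarms": alarms, "notes": notes}
```

Run on the two PayPal dumps it reports no alarms and two notes, which is the "two legitimate certs from one CA" reading; swapping the issuer or asking for a host only one cert lists turns those into alarms.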