Solved SSL hijacking


cnn, the guardian, rt and euronews.
You can add CGTN, Press TV and let's not forget news from the literal prison colony, the good old Australia's ABC.
 

Utilizing a protocol like DNSCrypt can mitigate the risk of DNS hijacking. However, it's important to note that it doesn't provide a guarantee. For stronger assurance, DNSSEC should be used concurrently. Due to the lack of comprehensive support for DNSSEC, not all websites can be authenticated using this method.
There are encrypted DNS servers which support DNSSEC, 1.1.1.1 (cloudflare) supports it.
But I don't know how this is used by Windows 11 when configured in adapter settings in settings app?

In Win10 I was using SimpleDNSCrypt which let me filter DNS servers on DNSSEC support, but how this applies to Windows 11 built-in feature I don't know.
I suppose that's the same thing you're saying?
How could a web site that is not DNS support DNSSEC?

You can add CGTN, Press TV ... ABC
Interesting I never visited them before because they seem not so impacting on social life but will take a look out of interest.
 

There are encrypted DNS servers which support DNSSEC, 1.1.1.1 (cloudflare) supports it.
But I don't know how this is used by Windows 11 when configured in adapter settings in settings app?

In Win10 I was using SimpleDNSCrypt which let me filter DNS servers on DNSSEC support, but how this applies to Windows 11 built-in feature I don't know.
I suppose that's the same thing you're saying?
How could a web site that is not DNS support DNSSEC?
The problem isn't with the DNS resolver, as I had mentioned earlier; instead, it's the large majority of websites themselves that lack DNSSEC support. Windows lacks a built-in feature to handle DNSSEC, whether to alert you about compliance or provide a filter to reject unsigned names. To mitigate this, a third-party solution such as SimpleDNSCrypt, which you've utilized, or a similar tool would be necessary.

I'm uncertain about your statement, "How could a website that is not DNS support DNSSEC", but here is an overview of how DNSSEC functions.


Here are the key components necessary for DNSSEC to work:

1. DNS Data: This includes the actual records, such as A records (which link a domain to an IP address), MX records (which identify mail servers), etc.

2. Digital Signatures: Digital signatures are created by the private key of the signer and can be verified by anyone who has access to the signer's public key. They're used to verify the authenticity of the DNS data.

3. Keys: In DNSSEC, two types of cryptographic keys are used: the Zone Signing Key (ZSK) and the Key Signing Key (KSK). The ZSK is used to sign individual records within the zone, while the KSK is used to sign the zone's DNSKEY record. The KSK must be kept particularly secure because it's used to verify the authenticity of DNSKEY records.

4. Resource Records: DNSSEC introduces new types of resource records:
- DNSKEY record: Contains the public keys that a DNS resolver uses to verify DNSSEC signatures.
- RRSIG record: Contains the DNSSEC signature for a record set. It's used to store the digital signature of a DNS record set.
- DS record: Delegation Signer, it's placed in the parent zone and used to verify the DNSKEY record in the child zone.
- NSEC record: Used to provide authenticated denial of existence, meaning it can securely indicate that a specific record does not exist.
- NSEC3 record: This is an alternative to NSEC and provides the same functionality, but with additional security.

5. Resolvers: These are clients that query DNS servers. A DNSSEC-aware resolver is capable of validating signatures in response to DNS queries with the associated DNSKEY or DS records.

6. Registrars and Registries: These are important for maintaining the chain of trust in DNSSEC. The registrar is the company where you register your domain name. The registry manages the TLD (Top Level Domain, such as .com, .org, etc.). When you enable DNSSEC, a DS record is created, and this record needs to be inserted into the parent zone by the registrar/registry to maintain the chain of trust.

7. Chain of Trust: DNSSEC works on the basis of a chain of trust which starts from the root zone (.) and goes all the way down to the DNS record being secured. If every link in the chain is intact, the DNS response is authenticated. This chain is created through the interaction of DS and DNSKEY records.

For DNSSEC to work properly, all these components must interact correctly.

The functioning of DNSSEC requires interaction between several parties:

1. Domain Name Registrant: This is the individual or organization that owns or controls the domain name. They are responsible for generating DNSSEC keys and signing the DNS zone records. They also provide the Delegation Signer (DS) record to their domain name registrar.

2. Domain Name Registrar: The company where the domain name is registered. When provided with a DS record from the registrant, the registrar has to put this record into the parent zone.

3. DNS Hosting Provider: This can be the same as the domain name registrar or a different organization. They host the authoritative DNS records for the domain and must support DNSSEC, serving signed records correctly.

4. Domain Name Registry: They manage the Top-Level Domain (TLD). When they receive the DS record from the registrar, they need to put it into the DNS zone for the TLD. This establishes the chain of trust from the root.

5. Internet Service Providers (ISPs) and DNS Resolvers: They operate the DNS resolvers that clients use when making DNS queries. They have to support DNSSEC to validate the DNSSEC signatures and to check the chain of trust.

6. End Users: They use the services and should have a DNSSEC-aware DNS resolver to verify DNSSEC signatures.

7. Root Zone Operators: They manage the root of the DNS hierarchy. Their role in DNSSEC is to digitally sign the root zone's contents, which is critical for maintaining the chain of trust.

All these parties must perform their roles correctly and securely for DNSSEC to function.
 

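Added example (not part of the original thread or any poster's code): the DS/DNSKEY link of the chain of trust described in the post above, showing how a validator decides which child-zone DNSKEY the parent's DS record vouches for. The keys and the `example.com.` owner name are constructed sample data, the helper names are illustrative, and RRSIG signature verification is out of scope here.

```python
import hashlib
import hmac
import struct
from typing import NamedTuple, Optional, Sequence

# DS digest types assigned by IANA: 1 = SHA-1, 2 = SHA-256, 4 = SHA-384.
DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


class DNSKEY(NamedTuple):
    flags: int         # 256 = zone key (ZSK), 257 = zone key + SEP bit (KSK)
    protocol: int      # always 3
    algorithm: int     # e.g. 13 = ECDSA P-256, 15 = Ed25519
    public_key: bytes

    def rdata(self) -> bytes:
        """Wire-format RDATA: the exact bytes that are hashed and tagged."""
        head = struct.pack("!HBB", self.flags, self.protocol, self.algorithm)
        return head + self.public_key


class DS(NamedTuple):
    key_tag: int
    algorithm: int
    digest_type: int
    digest: bytes


def name_to_wire(name: str) -> bytes:
    """Canonical owner name: lower-cased, length-prefixed labels, root byte."""
    name = name.rstrip(".").lower()
    out = b""
    for label in (name.split(".") if name else []):
        raw = label.encode("ascii")
        if not 0 < len(raw) <= 63:
            raise ValueError("label must be 1..63 octets")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B checksum; a lookup hint, not a security check."""
    acc = 0
    for i, byte in enumerate(rdata):
        acc += byte if i & 1 else byte << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def make_ds(owner: str, key: DNSKEY, digest_type: int = 2) -> DS:
    """The record the registrant passes up for publication in the parent zone."""
    digest = DIGESTS[digest_type](name_to_wire(owner) + key.rdata()).digest()
    return DS(key_tag(key.rdata()), key.algorithm, digest_type, digest)


def find_trusted_key(owner: str, ds: DS,
                     dnskeys: Sequence[DNSKEY]) -> Optional[DNSKEY]:
    """Return the child-zone DNSKEY the parent's DS vouches for, else None."""
    if ds.digest_type not in DIGESTS:
        return None                      # unknown digest type: no usable link
    for key in dnskeys:
        if key.algorithm != ds.algorithm or key_tag(key.rdata()) != ds.key_tag:
            continue                     # cheap pre-filter on the hint fields
        if not key.flags & 0x0100:       # Zone Key bit must be set
            continue
        candidate = make_ds(owner, key, ds.digest_type)
        if hmac.compare_digest(candidate.digest, ds.digest):
            return key                   # the digest match is the real check
    return None


# Constructed sample keys (not real zone data): 32 arbitrary bytes stand in
# for Ed25519 public keys.
KSK = DNSKEY(257, 3, 15, bytes(range(32)))
ZSK = DNSKEY(256, 3, 15, bytes(range(32, 64)))
ROGUE_KSK = DNSKEY(257, 3, 15, bytes(range(64, 96)))

# DS as it would sit in the parent (.com) zone for the genuine KSK.
PARENT_DS = make_ds("example.com.", KSK)

if __name__ == "__main__":
    genuine = find_trusted_key("example.com.", PARENT_DS, [ZSK, KSK])
    swapped = find_trusted_key("example.com.", PARENT_DS, [ZSK, ROGUE_KSK])
    print("genuine DNSKEY set ->", "trusted KSK found" if genuine else "no link")
    print("substituted KSK    ->", "trusted KSK found" if swapped else "no link")
```

A DNSKEY set in which the KSK has been swapped produces no match against the parent's DS, which is why a forged answer for a signed zone fails validation unless the parent zone is compromised as well.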
Very useful, I'm going to re-read a few times over until I memorize all this.
There are DNSSEC options in secpol but sadly these apply to AD only.

Therefore at a minimum to make it happen we need both a DNSSEC aware resolver and DNSSEC enabled site.
I thought it applies only to DNS servers.
 

Interesting I never visited them before because they seem not so impacting on social life
In US eyes, Iran is actually more dangerous than Russia. It is the quiet ones that get you first.
OAN is good
WION, I like news from countries like India or Africa, they offer raw news with a unique perspective.
Japan for example is basically US copycat, so there is nothing interesting, except some local news. 😼
 

I like news from countries like India or Africa, they offer raw news with a unique perspective.
Their worldviews might be unique but I think they're still influenced one way or another, even if just little, ex. by blocks such as BRICS, or traditional vs modernist currents.

There are very few countries in the world which declare themselves neutral or who act neutrally when asked to align position.
And I doubt people who are owners or in control of independent news don't have their own worldview, the only ones who honestly don't have their worldviews are those not interested in politics at all, I highly doubt this applies to owners of news no matter how they declare themselves, neutral, independent or whatever else.
 

I appreciate all the replies and respect your opinions and I hope you respect mine but perhaps this thread should be closed to avoid talking non computer related things?

My aim was not to bring controversy, but this problem with SSL was so longstanding and annoying for me because it was random; it turns out it was because I was resetting my adapter, which I often do because I use a virtual adapter which gets stuck from time to time.
 

I have no words.
Nor do I. If the reporting agency has an agenda in any part of its reporting, IMO they can not be trusted to speak the truth with anything they report. I do not consider it "fun" to attempt to separate truth from lies. Is there any outlet that is 100% unbiased and who speaks the truth any more? I do not think so. I think the closest one might be AP.
 

I would like to report that today my government implemented a method to somehow redirect encrypted DNS traffic.

I again got this certificate related privacy error and then looked into network settings to make sure my DNS isn't set to default router DNS,
instead it was set to cloudflare 1.1.1.1 (encrypted) in Windows settings app.
Therefore I'm now sure they are capable of redirecting DNS even if it's set to encrypted in network settings.
Perhaps they got a shady deal with Cloudflare?

What's also new is that they now instead inject rt.com domain certificate with today's expiration date instead of their own fake cert.

I was able to get around their attack by installing simplednscrypt and choosing a new DNS server from Switzerland.

It could be they've read my thread here and were working hard to hide their tax administration domain by obtaining fake rt cert, if that's the case, I would like to see what they do now...
 

I would like to report that today my government implemented a method to somehow redirect encrypted DNS traffic.

I again got this certificate related privacy error and then looked into network settings to make sure my DNS isn't set to default router DNS,
instead it was set to cloudflare 1.1.1.1 (encrypted) in Windows settings app.
Therefore I'm now sure they are capable of redirecting DNS even if it's set to encrypted in network settings.
Perhaps they got a shady deal with Cloudflare?

What's also new is that they now instead inject rt.com domain certificate with today's expiration date instead of their own fake cert.

I was able to get around their attack by installing simplednscrypt and choosing a new DNS server from Switzerland.

It could be they've read my thread here and were working hard to hide their tax administration domain by obtaining fake rt cert, if that's the case, I would like to see what they do now...
rt.com is currently experiencing intermittent issues with its security certificate. It wouldn't be surprising if these disruptions are the result of actions by an external entity. rt.com has not implemented DNSSEC, a crucial security measure, and I find this lack of action puzzling.

It seems that the issue is only impacting certain DNS servers. Similarly to simplednscrypt, I utilize a program that facilitates the creation of a pool of DNS servers, with anonymous relays. For each query, a DNS server and an anonymous relay are selected at random. Nonetheless, I have been intermittently experiencing the certificate error throughout the day.

rt.com is currently experiencing intermittent issues with its security certificate. It wouldn't be surprising if these disruptions are the result of actions by an external entity. rt.com has not implemented DNSSEC, a crucial security measure, and I find this lack of action puzzling.

It seems that the issue is only impacting certain DNS servers. Similarly to simplednscrypt, I utilize a program that facilitates the creation of a pool of DNS servers, with anonymous relays. For each query, a DNS server and an anonymous relay are selected at random. Nonetheless, I have been intermittently experiencing the certificate error throughout the day.
Hi windoc, thank you for the comment,
I'm sure this is not a problem of rt's certificate because I have been testing the connection with psiphon3 and connecting from US server and rt's certificate was just fine with that approach.
The problem persists only if connecting without proxy, which lets the ISP be the intermediary between me and the end domain.

Perhaps you can test setting your DNS to Cloudflare 1.1.1.1 and see if you have same issues?

It seems that the issue is only impacting certain DNS servers.
Well it's possible that rt is being banned worldwide or in the process of doing so, but I'm not sure about that since it works in the US.
I think it's just my government because of their previous exposure.
 

Hi windoc, thank you for the comment,
I'm sure this is not a problem of rt's certificate because I have been testing the connection with psiphon3 and connecting from US server and rt's certificate was just fine with that approach.
The problem persists only if connecting without proxy, which lets the ISP be the intermediary between me and the end domain.

Perhaps you can test setting your DNS to Cloudflare 1.1.1.1 and see if you have same issues?


Well it's possible that rt is being banned worldwide or in the process of doing so, but I'm not sure about that since it works in the US.
I think it's just my government because of their previous exposure.


After establishing a rule to route only rt.com traffic via Cloudflare's 1.1.1.1, I've consistently encountered privacy errors. This suggests that some interference is occurring at the DNS level. It's plausible that the U.S. isn't favorable towards the content on rt.com due to its growing viewership, and they might be attempting to limit its influence on U.S. users. The suggestion could be that the authorities would prefer viewers to engage with domestic mainstream media outlets like CNN or Fox News, instead.
 

After establishing a rule to route only rt.com traffic via Cloudflare's 1.1.1.1, I've consistently encountered privacy errors. This suggests that some interference is occurring at the DNS level.
Well if that's the case then cloudflare is influenced by somebody.

It's plausible that the U.S. isn't favorable towards the content on rt.com due to its growing viewership, and they might be attempting to limit its influence on U.S. users. The suggestion could be that the authorities would prefer viewers to engage with domestic mainstream media outlets like CNN or Fox News, instead.
Makes sense, since Cloudflare is based in California it's possible that the US government has its fingers there.

I'm glad to learn that encrypted DNS is not secure, but at least Switzerland is free of foreign influence, so I'll continue to use their servers.
Thanks for testing!
 

Well if that's the case then cloudflare is influenced by somebody.


Makes sense, since Cloudflare is based in California it's possible that the US government has its fingers there.

I'm glad to learn that encrypted DNS is not secure, but at least Switzerland is free of foreign influence, so I'll continue to use their servers.
Thanks for testing!
DNSSEC (Domain Name System Security Extensions) and DNS encryption are two different security measures, and they serve different purposes.

DNSSEC is used to protect against DNS spoofing and cache poisoning attacks. It ensures that the DNS responses a client receives are authentic and haven't been tampered with, by signing DNS data with digital signatures. DNSSEC, however, does not encrypt DNS data, so while it guarantees the authenticity of the data, it does not protect the privacy of the data in transit.


DNS over HTTPS (DoH) or DNS over TLS (DoT) are protocols that encrypt DNS queries, protecting them from eavesdropping and tampering. They make it significantly harder (but not impossible) for third parties to manipulate or redirect DNS traffic.

Even when DNSSEC isn't in use, encrypted DNS protocols can still provide a good level of security against redirection or tampering. However, they aren't foolproof. If a malicious entity controls a router, a network, or a DNS server, they could potentially redirect or tamper with DNS queries, even if they're encrypted. But this would be a highly complex and targeted attack, and it would be difficult to carry out on a large scale.

Also, it's worth mentioning that encrypted DNS protocols won't be effective if the DNS server itself is not trustworthy. Therefore, it's important to use a reputable DNS provider.
 

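Added example (not part of the original thread or any poster's code): the distinction drawn in the post above, at the DNS message level. DoH and DoT carry an ordinary DNS message inside an encrypted channel; whether the answer was DNSSEC-validated is reported separately, by the resolver setting the AD bit in the header when the client asked with the EDNS DO bit. The response messages below are constructed samples and the helper names are illustrative.

```python
import struct

TYPE_A, TYPE_OPT, CLASS_IN = 1, 41, 1
QR, RD, RA, AD = 0x8000, 0x0100, 0x0080, 0x0020   # DNS header flag bits
EDNS_DO = 0x8000        # "DNSSEC OK" bit inside the OPT record's TTL field
SERVFAIL = 2            # RCODE a validating resolver returns for bogus data


def encode_name(name: str) -> bytes:
    labels = [part.encode("ascii") for part in name.rstrip(".").split(".") if part]
    return b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"


def build_query(name: str, qtype: int = TYPE_A, txid: int = 0x1234,
                dnssec_ok: bool = True) -> bytes:
    """DNS query in wire format; with DoH these same bytes are the HTTP body."""
    header = struct.pack("!HHHHHH", txid, RD, 1, 0, 0, 1 if dnssec_ok else 0)
    question = encode_name(name) + struct.pack("!HH", qtype, CLASS_IN)
    if not dnssec_ok:
        return header + question
    # OPT pseudo-record: root name, TYPE 41, CLASS = UDP payload size,
    # TTL = extended RCODE (8 bits) | version (8 bits) | DO + Z (16 bits), RDLEN 0.
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, 1232, EDNS_DO, 0)
    return header + question + opt


def validation_status(response: bytes) -> str:
    """Classify what the resolver claims about DNSSEC for this answer."""
    if len(response) < 12:
        raise ValueError("truncated DNS header")
    _txid, flags = struct.unpack("!HH", response[:4])
    if not flags & QR:
        raise ValueError("message is a query, not a response")
    if flags & 0x000F == SERVFAIL:
        # Validation failure looks like this, but SERVFAIL has other causes too.
        return "servfail"
    # AD is only the resolver's assertion: it is worth as much as the resolver
    # and the channel to it (DoH/DoT protects that channel, nothing more).
    return "validated-by-resolver" if flags & AD else "not-validated"


def sample_response(flags: int) -> bytes:
    """Constructed response (header + question only) for the demonstration."""
    header = struct.pack("!HHHHHH", 0x1234, flags, 1, 0, 0, 0)
    return header + encode_name("example.com") + struct.pack("!HH", TYPE_A, CLASS_IN)


SIGNED_ZONE = sample_response(QR | RD | RA | AD)        # zone signed, chain intact
UNSIGNED_ZONE = sample_response(QR | RD | RA)           # zone has no DNSSEC
BOGUS_DATA = sample_response(QR | RD | RA | SERVFAIL)   # signatures did not verify

if __name__ == "__main__":
    print("query bytes:", build_query("example.com").hex())
    for label, msg in [("signed", SIGNED_ZONE), ("unsigned", UNSIGNED_ZONE),
                       ("bogus", BOGUS_DATA)]:
        print(f"{label:9s}-> {validation_status(msg)}")
```

For an unsigned zone the encrypted channel still protects the query in transit, but the client gets no cryptographic statement about the answer itself, which matches the "not-validated" case.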
Also, it's worth mentioning that encrypted DNS protocols won't be effective if the DNS server itself is not trustworthy. Therefore, it's important to use a reputable DNS provider.
Exactly this,
Any servers based in the US, Germany, Canada and I'm sure even other states influenced by the US cannot be trusted.

This isn't only about DNS but also any kind of server which users frequently use such as email providers are also affected,
According to this site Privacy-Conscious Email Services


And according to this site: PRISM Break
Warning: Microsoft Windows is affected by PRISM. Even using the software tools we recommend here, your privacy may be compromised by Windows.

But this is perhaps nothing new except when we face it on our own skin as it is the case now proving that Edward Snowden was correct about all that he said and is still saying.

If a government can tell cloudflare to hijack DNS then they can also tell Microsoft or any other firm or entity what to do if they want.
 

@windoc
btw. I would like to know which is the DNS software that you're using to create rules?
 

The problem persists only if connecting without proxy, which lets the ISP be the intermediary between me and the end domain.
Most browsers use Windows certificate store, Firefox based browsers use a different one.
You could force Windows to reset certificates to get the latest versions or wait till it updates.
Either way this will keep reoccurring because they are not allowed to buy "normal" certificates.
