When using non-US based VPN connection Google search links when clicked throw privacy error
Reported by raincity...@gmail.com, Aug 1 2017
Issue description

UserAgent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:54.0) Gecko/20100101 Firefox/54.0

Steps to reproduce the problem:
1. Connect to a VPN endpoint outside of the USA
2. go to https://www.google.com
3. search for something
4. click on links produced by the search

What is the expected behavior?
the links produced by the search will take you where they should without error.

What went wrong?
What does happen is a privacy error is thrown saying the connection may be compromised. MITM filters are activated and you cannot continue to the site the link should be taking you to because it appears there is an invalid cert being passed during the handshake process. This does not happen when I choose to connect thru an endpoint with the US.

Did this work before? Yes not sure

Chrome version: Version 60.0.3112.78 (Official Build) (64-bit) Channel: stable
OS Version: 10.0
Flash Version:

I have not been able to repro this in Linux, though I had thought I did see this previously occur in Debian. I cannot be sure at this time though. I have seen it in Windows 7 Ultimate and Windows 10 Pro.

Also my VPN traffic is running with these settings
Data encryption : AES-256
AUTH: SHA-1
Handshake: RSA-2048

Aug 1 2017

Aug 7 2017
Interesting, VMWare cert?
Subject: VMware
Issuer: VMware
Expires on: Feb 13, 2018
Current date: Aug 7, 2017
PEM encoded chain:

Aug 7 2017
Thank you for providing more feedback. Adding requester "elawrence@chromium.org" to the cc list and removing "Needs-Feedback" label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Aug 7 2017
This is working as expected from the browser point-of-view. I'd love to hear more about what VPN product you're using, and what the vendor had to say when you asked why they're performing a MITM attack on your traffic.

Aug 8 2017
Interesting, I do see this using Firefox but it is reported as coming from Googleadservices. I ran a Wireshark capture and unless I am missing something it is a Googleadservices cert. I am using Private Internet Access, I am not yet seeing anything suspicious from them. The only interface that is hitting the internet at all is the TAP interface as it should. Within that traffic the only cert traffic I see is coming from and going to Googleadservices. Maybe I missed something

Message from Firefox:
--------------------------
https://www.googleadservices.com/pagead/aclk?sa=L&ai=DChcSEwjSxdKUhsjVAhVIjRsKHeYHC4sYABAAGgJ3bA&ohost=www.google.co.uk&cid=CAASEuRogOL4DkymFnY3Md8e_0Jrgw&sig=AOD64_2SMW20mdGhCjx2AKjtzM4gZYZuyA&q=&ved=0ahUKEwjNlM-UhsjVAhWDOhQKHWY2DX44ChDRDAhj&adurl=

Peer’s Certificate issuer is not recognized.

HTTP Strict Transport Security: false
HTTP Public Key Pinning: true

Certificate chain:

Aug 8 2017
> it is reported as coming from Googleadservices. I ran
> a Wireshark capture and unless I am missing something
> it is a Googleadservices cert.

I'm not sure I understand what you mean by that. The certificate shown is a self-signed "dummy" certificate purportedly generated by some VMWare device.

If your traffic is routed through a VPN, and that dummy certificate is what you're getting when you attempt to connect to a HTTPS site through that VPN, that strongly suggests that the VPN is attempting to execute a Man-in-the-Middle attack against that secure connection. Because the certificate it uses is faked, the browser rejects the connection.

Aug 8 2017
This article https://www.privateinternetaccess.com/forum/discussion/21865/private-internet-access-mace-technical-explanation implies that PIA may be returning phony DNS records for some hostnames, which would cause this problem if the HTTPS traffic were being routed to a server without a valid certificate.

Aug 8 2017
That makes sense, thanks. I did see the googleadservices coming up in the DNS requests and that is where the failure was. I hadn't tried it yet but my next attempt to test I was planning was to switch my DNS servers to google DNS 8.8.8.8 and 8.8.4.4. It does seem like that might do it though.
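
The resolver comparison discussed in the two comments above, as an added example that is not part of the original thread: collect the answers for the failing hostname once through the VPN's resolver and once through a reference resolver, then flag answers that are not globally routable. The function names and the sample addresses are constructed for illustration and are not real records for any hostname.

```python
import ipaddress
import socket


def system_answers(hostname, port=443):
    """Addresses the currently configured resolver returns for hostname.
    Run once with the VPN's DNS active and once with a reference resolver."""
    infos = socket.getaddrinfo(hostname, port, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


def classify_answers(answers):
    """Split answers into (globally routable, not globally routable)."""
    public, non_global = [], []
    for raw in answers:
        ip = ipaddress.ip_address(raw)
        (public if ip.is_global else non_global).append(str(ip))
    return public, non_global


def diagnose(tunnel_answers, reference_answers):
    """Compare one hostname's answers from the VPN resolver and a reference."""
    if not tunnel_answers and reference_answers:
        return "blocked"        # the name only resolves outside the tunnel
    t_pub, t_bad = classify_answers(tunnel_answers)
    r_pub, r_bad = classify_answers(reference_answers)
    if t_bad and not r_bad:
        return "rewritten"      # loopback/private/unspecified answer for a public name
    if set(t_pub) & set(r_pub):
        return "consistent"     # at least one address in common
    # Different public addresses are normal for geo-balanced services, so
    # this alone proves nothing; inspect the certificate that address serves.
    return "inconclusive"


if __name__ == "__main__":
    # Constructed sample data (placeholder addresses, not captured records).
    samples = {
        "tunnel returns private address": (["10.0.0.1"], ["93.184.216.34"]),
        "same address both ways": (["93.184.216.34"], ["93.184.216.34"]),
        "different public addresses": (["93.184.216.35"], ["93.184.216.34"]),
    }
    for label, (tunnel, reference) in samples.items():
        print(f"{label}: {diagnose(tunnel, reference)}")
```

A "rewritten" or "blocked" verdict for a hostname such as www.googleadservices.com matches the phony-DNS explanation given above; "inconclusive" means the certificate served by the returned address still has to be checked.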

Aug 9 2017
Thx for checking that out btw

Nov 14 2017
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by kerrnel@chromium.org, Aug 1 2017