Showing posts with label dns. Show all posts

Mar 13, 2008

MITM, almost: Redux

Apparently one of my OpenWRT boxes still uses OpenDNS. I was checking my Godaddy account when a Mozilla Firefox security error popped up. Note the https at the end of the host.


I didn't accept the certificate since I was already logged in. Unfortunately it didn't happen again so I was not able to verify. Was it a one time or erratic glitch? I'm not very sure who is at fault here, Godaddy or OpenDNS.

Somebody else experienced this and asked Godaddy customer support. The CS response:

Thank you for contacting Online Support. We are sorry for any confusion with this process. You should be using the latest version of your web browser, as well as any new patches for these. We cannot control any errors that appear on browsers or any local security settings. However, the latest patches, web browser versions, etc. should rid these errors on your browsing.

Please let us know if we may be of further assistance.
Sincerely,
Ben P.
Online Support
The response was not satisfying, to say the least, but this is possibly a Mozilla Firefox bug. Replicating it is pretty hard, so reporting it will be a pain in the ass.

Mar 4, 2008

MITM, almost

Yesterday I wanted to check my bank balance. I clicked on my bank's ebanking interface but was presented with what looked like a self-signed certificate warning. Not a good sign, as this means a possible MITM. For comparison, the self-signed certificate is here. A legit certificate from the bank is here.

I proceeded to accept the self-signed certificate to see if it was really a MITM. To my disappointment it was not. Actually it's a Squirrelmail installation at 125.212.46.13 which has a self-signed certificate. A bad practice nonetheless.

DNS DIG1

Must be a typo in one of their nameservers, as 125.212.46.18 is the correct host. The normal response should be:

DNS DIG2

At first I suspected it was a MITM because 125.212.46.13 is an old CentOS 4.x installation with PHP 4.3.9 and Apache 2.0.52. Probably compromised, I said to myself; along with an A record it makes a good MITM host. Apparently the misconfigured nameserver is 210.14.7.216.

broken NS.

As of today 125.212.46.13 is dropping connections, but 210.14.7.216 is still returning it as an A record for ebanking.unionbankph.com.

Feb 16, 2008

OpenDNS proxying

An old issue but new to me. Their supposed reason for doing this is ridiculous.

$ dig @resolver1.opendns.com www.google.com

; <<>> DiG 9.4.1-P1 <<>> @resolver1.opendns.com www.google.com
; (1 server found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3375
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;www.google.com. IN A

;; ANSWER SECTION:
www.google.com. 30 IN CNAME google.navigation.opendns.com.
google.navigation.opendns.com. 30 IN A 208.67.216.230
google.navigation.opendns.com. 30 IN A 208.67.216.231

;; Query time: 336 msec
;; SERVER: 208.67.222.222#53(208.67.222.222)
;; WHEN: Sat Feb 16 17:36:09 2008
;; MSG SIZE rcvd: 104

No official statement from OpenDNS on why they continue doing this. I wonder what other CNAMEs they are spoofing. I call shenanigans on OpenDNS. Stopped using and recommending them.
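Both DNS posts above ("MITM, almost" and "OpenDNS proxying") come down to the same habit: save the raw dig output and check it rather than trusting one answer. The script below is an added example written for this page, not code from the blog author or from OpenDNS. It parses the ANSWER SECTION of saved dig output, groups authoritative nameservers by the A addresses they return for a name (so 210.14.7.216 answering 125.212.46.13 while another server answers 125.212.46.18 shows up as a disagreement), and flags a resolver that answers a query with a CNAME under its own domain (the google.navigation.opendns.com rewrite). The OpenDNS sample is the output quoted in the post; the per-nameserver bank answers are constructed, with placeholder TTLs and a placeholder name (ns-placeholder.example) for the second nameserver, which the post does not identify.

```python
"""Offline checks for the two DNS problems described in the posts above:
(1) authoritative nameservers that disagree about an A record, and
(2) a recursive resolver that rewrites a query into a CNAME it owns.
Both work on saved `dig` output, so they run without network access."""

# Sample 1: the OpenDNS answer quoted in the post (reproduced from the page).
OPENDNS_DIG = """\
;; QUESTION SECTION:
;www.google.com. IN A

;; ANSWER SECTION:
www.google.com. 30 IN CNAME google.navigation.opendns.com.
google.navigation.opendns.com. 30 IN A 208.67.216.230
google.navigation.opendns.com. 30 IN A 208.67.216.231

;; Query time: 336 msec
"""

# Sample 2: constructed per-nameserver answers for the bank host. The addresses
# are the ones the post names; the TTLs and the second server's name are
# placeholders, not captured data.
BANK_ANSWERS = {
    "210.14.7.216": """\
;; ANSWER SECTION:
ebanking.unionbankph.com. 3600 IN A 125.212.46.13
""",
    "ns-placeholder.example": """\
;; ANSWER SECTION:
ebanking.unionbankph.com. 3600 IN A 125.212.46.18
""",
}


def _fqdn(name):
    """Normalise a name to lowercase with a trailing dot, as dig prints it."""
    return name.lower().rstrip(".") + "."


def parse_answer_section(dig_output):
    """Return (owner, rtype, rdata) tuples from the ANSWER SECTION of dig output."""
    records = []
    in_answer = False
    for line in dig_output.splitlines():
        if line.startswith(";; ANSWER SECTION:"):
            in_answer = True
            continue
        if not in_answer:
            continue
        if not line.strip() or line.startswith(";"):
            break  # blank line or next section header ends the answer section
        parts = line.split()
        if len(parts) < 5:
            continue  # not an RR line (owner TTL class type rdata); skip it
        owner, rtype, rdata = parts[0], parts[3].upper(), " ".join(parts[4:])
        records.append((_fqdn(owner), rtype, rdata.lower()))
    return records


def resolve_in_answer(records, qname):
    """Follow CNAMEs within one answer and return (cname_chain, sorted A addresses)."""
    chain, seen = [], set()
    current = _fqdn(qname)
    while current not in seen:  # `seen` guards against a CNAME loop
        seen.add(current)
        targets = [r for o, t, r in records if o == current and t == "CNAME"]
        if not targets:
            break
        chain.append(targets[0])
        current = targets[0]
    addrs = sorted(r for o, t, r in records if o == current and t == "A")
    return chain, addrs


def group_servers_by_answer(answers_by_server, qname):
    """Group nameservers by the set of A addresses they return for qname.
    More than one group means the servers disagree, as in the bank post."""
    groups = {}
    for server, output in answers_by_server.items():
        _, addrs = resolve_in_answer(parse_answer_section(output), qname)
        groups.setdefault(tuple(addrs), []).append(server)
    return groups


def detect_cname_rewrite(dig_output, qname, resolver_domain):
    """Return the CNAME target if the resolver answered qname with a CNAME under
    its own domain (the OpenDNS behaviour in the post); otherwise None."""
    chain, _ = resolve_in_answer(parse_answer_section(dig_output), qname)
    suffix = "." + _fqdn(resolver_domain)
    for target in chain:
        if target.endswith(suffix):
            return target
    return None


if __name__ == "__main__":
    groups = group_servers_by_answer(BANK_ANSWERS, "ebanking.unionbankph.com")
    if len(groups) > 1:
        for addrs, servers in groups.items():
            print("A", list(addrs), "from", servers)
    rewrite = detect_cname_rewrite(OPENDNS_DIG, "www.google.com", "opendns.com")
    print("CNAME rewritten to", rewrite)
```

To use it on live data, capture `dig @<nameserver> <name>` for each server listed in the zone's NS records, feed the outputs into `group_servers_by_answer`, and treat more than one group as a reason to look at that nameserver's zone file. `detect_cname_rewrite` is deliberately narrow: it only reports a CNAME target inside the resolver's own domain, which is the specific proxying behaviour the post shows, rather than any CNAME (which are normal for CDN-hosted names).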