Encrypted network traffic. Untrusted certificate.

Sorry for the inconvenience. For about 3 days now this message has been appearing to me, usually when visiting Microsoft sites.

This happens to me both with version 10 of ESS and with Kaspersky. But it does not happen with other antivirus products or with version 8 of ESET Smart.

 

It happens in Chrome and occasionally in Internet Explorer 9.

 

Please, I am very worried about this behavior, which had never appeared to me before.


Web site cert. is OK per the Qualys SSL Server test; see below. Also the server used is rated "A", the highest rating.

 

Suspect this is a Chrome issue. Chrome uses its own internal root CA cert. store. Suspect something amiss with the way they have the certs. in the validation path pinned.

 

As far as Eset ver. 8 goes, you would not have an issue there if SSL protocol scanning is disabled; it is by default. Appears Kaspersky also is doing SSL protocol scanning, hence the issue there. As far as other AVs, many don't do SSL protocol scanning; hence no issue with them. When a product does SSL protocol scanning, it is responsible for performing cert. chain pinning validation. Both FireFox and Chrome use their own root CA cert. store versus the Windows one. Anything amiss there will cause Eset to throw these types of cert. alerts.

 

Certificate #1: RSA 2048 bits (SHA256withRSA)

Server Key and Certificate #1
Subject: *.vortex.data.microsoft.com
Fingerprint SHA1: 99b532a23e6f1ddd57cf25a2f80b527262a86c21
Pin SHA256: MDX8rQO5/mtWO5SRNvCK84RD5H+11KQdU4i4eKtVkwY=
Common names: *.vortex.data.microsoft.com
Alternative names: vortex.data.microsoft.com *.vortex.data.microsoft.com
Valid from: Wed, 27 May 2015 20:09:42 UTC
Valid until: Fri, 26 May 2017 20:09:42 UTC (expires in 5 months and 18 days)
Key: RSA 2048 bits (e 65537)
Weak key (Debian): No
Issuer: Microsoft IT SSL SHA2
AIA: hxxp://www.microsoft.com/pki/mscorp/msitwww2.crt
Signature algorithm: SHA256withRSA
Extended Validation: No
Certificate Transparency: No
OCSP Must Staple: No
Revocation information: CRL, OCSP
CRL: hxxp://mscrl.microsoft.com/pki/mscorp/crl/msitwww2.crl
CRL: hxxp://crl.microsoft.com/pki/mscorp/crl/msitwww2.crl
OCSP: hxxp://ocsp.msocsp.com
Revocation status: Good (not revoked)
Trusted: Yes

Additional Certificates (if supplied)
Certificates provided: 2 (3374 bytes)
Chain issues: None

#2
Subject: Microsoft IT SSL SHA2
Fingerprint SHA1: 97eff3028677894bdd4f9ac53f789bee5df4ad86
Pin SHA256: CzdPous1hY3sIkO55pUH7vklXyIHVZAl/UnprSQvpEI=
Valid until: Mon, 07 May 2018 17:03:30 UTC (expires in 1 year and 4 months)
Key: RSA 4096 bits (e 65537)
Issuer: Baltimore CyberTrust Root
Signature algorithm: SHA256withRSA

Certification Paths

Path #1: Trusted

1. Sent by server
*.vortex.data.microsoft.com
Fingerprint SHA1: 99b532a23e6f1ddd57cf25a2f80b527262a86c21
Pin SHA256: MDX8rQO5/mtWO5SRNvCK84RD5H+11KQdU4i4eKtVkwY=
RSA 2048 bits (e 65537) / SHA256withRSA

2. Sent by server
Microsoft IT SSL SHA2
Fingerprint SHA1: 97eff3028677894bdd4f9ac53f789bee5df4ad86
Pin SHA256: CzdPous1hY3sIkO55pUH7vklXyIHVZAl/UnprSQvpEI=
RSA 4096 bits (e 65537) / SHA256withRSA

3. In trust store
Baltimore CyberTrust Root (Self-signed)
Fingerprint SHA1: d4de20d05e66fc53fe1a50882c78db2852cae474
Pin SHA256: Y9mvm0exBk1JoQ57f9Vm28jKo5lFm/woKcVxrYxu80o=
RSA 2048 bits (e 65537) / SHA1withRSA
Weak or insecure signature, but no impact on root certificate

Edited by itman

Thank you for your attention. 

 

Excuse me, English is not my native language.

 

I didn't quite understand his answer.

Edited by Hijin25

Here's what I wrote translated to Spanish per Google Translate:

 

Web site cert. OK per the Qualys SSL Server test; see below. Also the server used has the rating "A", the highest rating.

Suspect this is a Chrome problem. Chrome uses its own internal root CA cert. store. Suspect something is wrong with the way they have the certs. in the validation path pinned.

As far as Eset ver. 8 goes, you would not have a problem there if SSL protocol scanning is disabled; it is by default. It appears Kaspersky is also doing SSL protocol scanning, hence the problem there. As for other AVs, many do not do SSL protocol scanning; therefore no problem with them. When a product performs SSL protocol scanning, it is responsible for performing cert. chain validation. Both FireFox and Chrome use their own root CA cert. store versus the Windows one. Anything that is not right there will cause Eset to throw these types of cert. alerts.


I did the test on another PC with Windows 10, and it is the same problem: alerts pop up on the same sites.

Both on Google and on Internet Explorer.


What is needed is the actual URL you are connecting to when you receive these alerts. Neither of the URLs shown in your alerts can be accessed directly.


Thanks again for your attention.

 

The first time this message appeared to me was when entering these addresses:

 

It was supposed to be the information of a Windows update.

 

Subsequently it appeared to me sporadically when doing searches in Bing.

 

This one just appeared to me when entering the Microsoft help forum.

 


 

And this when entering the page

 


 


 

 

In the images it says ESET is the trial version, because it is the one installed to confirm whether the same thing happens on my PC with Windows 7, where I have my paid licensed version.
Edited by Hijin25

I can access all the links you posted in IE11 running on Win 10 w/o any cert. alerts appearing.

 

Only thing I can think of is there has been an update to Chrome recently and Eset's SSL protocol scanning cert. processing is no longer compatible with it. So I will let Eset take it from here.

 

Your current options are live with the alerts; disable SSL protocol scanning for Chrome which will eliminate the alerts but decrease your security level on HTTPS web sites; or use IE.


Thanks for your help, although as I commented, it also happens to me with IE. I hope Eset tells me at least why the alert says "detected a week ago" when it only started appearing to me on Monday.


The "light just came on in my head" so to speak.

 

Below is a screen shot of a URL from the screen shot you posted: https://answers.microsoft.com/es-es/windows . Note the following:

 

1. Eset has whitelisted this site from SSL protocol scanning.

2. This conclusion is based on the fact that the root CA certificate shown is Baltimore Trust; not Eset's root CA certificate.

 

In other words, Eset would not be doing SSL scanning on this web site under normal circumstances.

 

Appears to me that you are a victim of some type of man-in-the-middle activity that is occurring somewhere on the external network you are using. That is what Eset and also Kaspersky are detecting. This also explains why you are receiving alerts on both Chrome and IE.

 

-EDIT- It is also possible and more likely something installed a local host proxy server on your PC and is intercepting HTTPS traffic using their own root CA certificate.

 


Edited by itman

Thanks for your help, in fact, seems to be my network problem, I tried with that of a family member who has a different provider and alert messages do not appear.


One commonality in your issue is all the MS web sites where you are receiving alerts on use the below certificate chaining path:

 


 

Since you are receiving the same alerts from multiple browsers and AV products, it points to the strong possibility of some type of Windows certificate store corruption.

 

Using certmgr.msc, you need to verify that:

 

1. The Digicert Baltimore Root certificate exists in the Root CA certificate store. The cert. thumbprint should begin with "d4 de 20 5e 66 fc 53 .............."

2. The Microsoft IT SSL SHA2 exists in the Intermediate CA certificate store. The cert. thumbprint should begin with "97 ef f3 02 86 77 89 .................... "

 

Next open both IE and Chrome and verify that the above two certificates are shown in the browser as noted above. That is the Digicert Baltimore Root certificate exists in the browser Root CA certificate store and the Microsoft IT SSL SHA2 exists in the browser Intermediate CA certificate store.

 

Note that Chrome's issues with certificates are notorious. There is a current issue with Symantec certificates noted here: hxxp://www.pcworld.com/article/3146718/security/chrome-bug-triggered-errors-on-websites-using-symantec-ssl-certificates.html . There also have been past Chrome issues with reissued SHA2 certificates which it appears Microsoft did with their intermediate certificate as noted here: https://sslmate.com/blog/post/chrome_cached_sha1_chains . However, these issues don't address the fact that you are getting the same alerts in IE. Hence, the strong suspicion that there is an issue with your Windows CA certificate stores.

Edited by itman
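The two store checks above, combined with the root-of-chain comparison from the earlier "light came on" post (a chain that terminates in a root other than Baltimore CyberTrust points to a local proxy or on-path interception rather than store corruption), as an added PowerShell example that is not itman's code or from this thread. It assumes Windows PowerShell 5.1 or later; the SHA1 thumbprints are the fingerprints from the Qualys report quoted above, and the target host is an assumption that can be swapped for any of the affected sites.

```powershell
# Added example (not from the thread): verify the two CA certificates by SHA1
# thumbprint in both the user and machine stores, as itman described for certmgr.msc.
$Expected = @(
    @{ Name = 'Baltimore CyberTrust Root'; Store = 'Root'; Thumbprint = 'D4DE20D05E66FC53FE1A50882C78DB2852CAE474' },
    @{ Name = 'Microsoft IT SSL SHA2';     Store = 'CA';   Thumbprint = '97EFF3028677894BDD4F9AC53F789BEE5DF4AD86' }
)

foreach ($e in $Expected) {
    foreach ($scope in 'CurrentUser', 'LocalMachine') {
        $path = "Cert:\$scope\$($e.Store)"
        $hit  = Get-ChildItem -Path $path | Where-Object { $_.Thumbprint -eq $e.Thumbprint }
        if ($hit) { "[OK]      $($e.Name) found in $path" } else { "[MISSING] $($e.Name) not in $path" }
    }
}

# Second check, the one that separates "store corruption" from "interception":
# open a TLS session and inspect the root the presented chain actually ends in.
# A proxy or router re-signing HTTPS presents a chain ending in its own root, so
# the thumbprint differs from Baltimore's even if Windows has been made to trust it.
$TargetHost = 'vortex.data.microsoft.com'   # assumption: host from the Qualys report above
$tcp = New-Object System.Net.Sockets.TcpClient($TargetHost, 443)
$ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false,
        { param($sender, $cert, $chain, $errors) $true })   # accept any cert so we can inspect it
$ssl.AuthenticateAsClient($TargetHost)
$leaf  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$null  = $chain.Build($leaf)   # builds the path using the local stores, like the browser would
$root  = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate

"Leaf subject : $($leaf.Subject)"
"Root subject : $($root.Subject)"
"Root SHA1    : $($root.Thumbprint)"
if ($root.Thumbprint -ne $Expected[0].Thumbprint) {
    "[WARN] Chain does not end in Baltimore CyberTrust Root; something between this PC and the site is re-signing certificates."
}
$ssl.Dispose(); $tcp.Dispose()
```

Run it once on the suspect network and once on a network where the alerts do not appear; a matching root on the second run and a different one on the first is the router/provider-side interception itman suspected, while a missing store entry on both runs is the store-corruption case.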

Thanks for your help, in fact, seems to be my network problem, I tried with that of a family member who has a different provider and alert messages do not appear.

Did you connect your PC to the family member's Internet connection when you performed this test?


In effect, I connect to my network and as soon as I open any Microsoft page, either MSN or Hotmail, alert messages are displayed. If I connect to my sister's network, I can open the same pages without any problem.


In effect, I connect to my network and as soon as I open any Microsoft page, either MSN or Hotmail, alert messages are displayed. If I connect to my sister's network, I can open the same pages without any problem.

The likelihood of an external man-in-the-middle on your ISP network is low. It can happen but it isn't likely. I would say that your router/modem is probably infected with some type of hijacking malware.


Thanks for your help. For the moment I will switch Internet provider. But as for what he mentions about malware in the modem, why did it only affect specific pages and not all browsing?


But as for what he mentions about malware in the modem, why did it only affect specific pages and not all browsing?

 

It probably is affecting more than just the Microsoft web sites. You became aware of the issue because those are HTTPS web sites and Eset's SSL protocol scanning alerted to a cert. issue. If HTTP web sites are being hijacked at the router, you might not be able to detect it.

 

Best way to test this issue is to temporarily swap your router with another and see if the Microsoft web sites alerts disappear. I would also strongly advise not using your PC for financial activity until this issue is resolved. 

 

-EDIT- Here is software that will test for the presence of an external man-in-the-middle: hxxp://www.ghacks.net/2015/08/06/ssl-eye-check-if-you-are-the-victim-of-a-man-in-the-middle-attack/ . Note: When I tried to use this a while back, Eset flagged the Singapore server used as a threat and wouldn't allow the software to run. You might have better luck with it.

Edited by itman

Thanks again.

At the moment I will not be able to try another modem from my provider since I have changed companies.

 

But if this behavior does not appear with my new provider, does it mean that I am safe?

 

What problem was in the router or network of my old provider and not in my PC?

 

Since I have run antivirus, Malwarebytes and other disinfection tools and they have come out clean.

 

I tried to use the tool you recommended to me, but I cannot find a download link on its descriptive page.


You can download SSL Eye here: https://www.digi77.com/ssl-eye-prism-protection/

 

If the previous behavior does not appear with your new ISP provider, I would say it is safe to assume the old provider was the issue. If the behavior persists, I would say the issue is your router is infected. You asked how can that happen? Did you assign a strong password to your router's admin logon page? Many routers have no password assigned or use the default one of "Admin."

 

The fact that the behavior did not manifest when using your sister's network is a strong indicator that this activity was not originating from your PC.

Edited by itman

My router was ARRIS, I do not know the specific model.

 

As for the password to access it, I have always changed the one that comes by default, and I also change the name and password of the Wi-Fi network. I also use the DNS of OpenDNS or Norton, I keep my antivirus updated and I do periodic security checks with several tools, so it is a true mystery to me what could have happened.
