5 hours ago, itman said:

The only other thing I can think of at this point is some type of man-in-the-middle is occurring. When this happens, HTTPS traffic is intercepted en-route and decrypted using the attacker's root certificate. In most cases but not always, this breaks "the chain of trust" in the browser resulting in a warning from the browser this activity has taken place.

One possibility is the MITM activity is occurring externally with the Eset root certificate being replaced with the site's original chained root certificate. Go to this web site which will validate SSL/TLS communication:

https://badssl.com/dashboard/

In FireFox Quantum 68 and EIS 12.1.34, the only tests shown in light red indicating a minor concern are SHA-1 Intermediate and dh1024 Crypto cipher issues. The test area to be noted is the Interception Certificates area.

dh1024 connected NO

 

The odd one out.

29 minutes ago, BeanSlappers said:

The odd one out.

There is one last thing you can try for detection of external MITM activity.

There is a small developer, well known at wilderssecurity.com, that has developed a small utility program specifically designed to check for external MITM activity. The product is currently in beta testing but works fine; I just previously ran it.

Go here: https://www.trustprobe.com/fs1/apps.html . Click on the "NoSnoop" link to download the utility. Unzip it. Open the unzipped NoSnoop folder. Double click on nosnoop.exe to run the utility. All the web sites shown on the resulting output from the utility should show OK. Note: Windows SmartScreen will alert on this since it was not a Win Store download. So you will have to override it to run the utility. Also, Eset might immediately submit it to LiveGrid; it did for me. Again to be expected, since it appears Eset has no reputation on the utility.

What this utility does is make external and independent connections to the web sites listed to verify the root CA certificates associated with them. It does this without using a browser; only using the device where run from existing network connections to verify that no MITM certificate interception has occurred.

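The kind of out-of-browser check described above, as an added Python example that is not part of the original posts and is not NoSnoop's code: it inspects the issuer of the leaf certificate (a simplification of verifying the root CA) and separates local ESET filtering from an unexpected issuer. The `GoDaddy` expectation for the AMTSO site comes from this thread; the function names and sample certificates are constructed for illustration.

```python
import socket
import ssl

# CA name taken from this thread; a leaf issued by it means the local
# ESET SSL/TLS filter re-signed the connection.
LOCAL_FILTER_CA_NAMES = ("ESET SSL Filter CA",)


def issuer_fields(cert):
    """Flatten the 'issuer' RDN tuples of ssl.getpeercert() into a dict."""
    return {key: value for rdn in cert.get("issuer", ()) for key, value in rdn}


def classify_issuer(cert, expected_org):
    """Return 'local-filter', 'expected-ca' or 'unexpected-issuer'."""
    issuer = issuer_fields(cert)
    cn = issuer.get("commonName", "").lower()
    org = issuer.get("organizationName", "").lower()
    if any(name.lower() in cn for name in LOCAL_FILTER_CA_NAMES):
        return "local-filter"
    if expected_org.lower() in org:
        return "expected-ca"
    return "unexpected-issuer"


def probe(host, expected_org, port=443, timeout=5.0):
    """Connect without a browser and classify who issued the leaf certificate."""
    context = ssl.create_default_context()  # verifies against the OS trust store
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with context.wrap_socket(sock, server_hostname=host) as tls:
                return classify_issuer(tls.getpeercert(), expected_org)
    except ssl.SSLCertVerificationError:
        # Chain does not lead to a trusted root: the broken chain of trust.
        return "untrusted-chain"


# Constructed getpeercert()-style samples (not captured from a real session).
SAMPLE_DIRECT = {"issuer": ((("organizationName", "GoDaddy.com, Inc."),),
                            (("commonName", "Go Daddy Secure Certificate Authority - G2"),))}
SAMPLE_FILTERED = {"issuer": ((("commonName", "ESET SSL Filter CA"),),)}
SAMPLE_UNKNOWN = {"issuer": ((("organizationName", "Example Proxy Ltd"),),
                             (("commonName", "Example Inspection CA"),))}

if __name__ == "__main__":
    for label, cert in (("direct", SAMPLE_DIRECT), ("filtered", SAMPLE_FILTERED),
                        ("unknown", SAMPLE_UNKNOWN)):
        print(label, "->", classify_issuer(cert, "GoDaddy"))
```

On the affected machine, `probe("www.amtso.org", "GoDaddy")` performs the live check; an `unexpected-issuer` or `untrusted-chain` result is the case worth investigating.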
1 hour ago, BeanSlappers said:

0 Detections  and scanned 295.  Everything is all good.

OK. We can rule out MITM activity.

I just noticed something. Firefox Quantum 68 is no longer going to FireFox's Authorities root certificate store in regards to Eset's root CA certificate. Appears it is directly accessing it from the Win 10 root CA certificate store. This in spite of the fact that Eset's root certificate is presently stored in Firefox's Authorities store.

Did you verify that Eset's root certificate is present in the Win 10 root CA certificate store? If not, do the following:

1. Enter certmgr.msc in the Win 10 desktop taskbar search area.

2. Open certmgr.msc.

3. Under "Logical Store Name" section, open the "Trusted Root Certificate Authorities" folder.

4. Open the Certificates folder.

5. Navigate down to the beginning of certs. that begin with "E."

6. Verify that a certificate named "Eset SSL Filter CA" exists.

7. Double click on the cert. to open it. Click on the Certificate Path tab. Certificate status should show it is OK.

8. Close certmgr.msc.

Report back on your findings.


One last check to perform. After this, I am out of ideas on what your issue is with Eset in regards to SSL/TLS filtering capability.

In FireFox using Options -> Privacy & Security -> Certificates -> View Certificates, navigate to the Eset certificate in the Authorities certificate store. Select the certificate and click on "Edit Trust" as shown in the below screen shot. Verify that "This certificate can identify websites" setting is check marked. If it isn't; check mark it, click on "OK" tab, and repeat the AMTSO Desktop web site tests.

[Screenshot: Eset_FF_Cert.png]

 

Edited by itman


@BeanSlappers there is another test that needs to be performed.

Using a browser that uses the Win root CA certificate store such as IE11 or Edge, go to the AMTSO Desktop test web site. Click on the lock symbol as shown in the below IE11 screen shot and verify that Eset's root certificate is shown.

[Screenshot: Eset_IE11.png]

 


I'm afraid that without logs and possibly a remote session as well we won't be able to help. I'd recommend contacting your local customer care.

8 hours ago, itman said:

One last check to perform. After this, I am out of ideas on what your issue is with Eset in regards to SSL/TLS filtering capability.

In FireFox using Options -> Privacy & Security -> Certificates -> View Certificates, navigate to the Eset certificate in the Authorities certificate store. Select the certificate and click on "Edit Trust" as shown in the below screen shot. Verify that "This certificate can identify websites" setting is check marked. If it isn't; check mark it, click on "OK" tab, and repeat the AMTSO Desktop web site tests.

[Screenshot: Eset_FF_Cert.png]

 

Both are ticked.

2 hours ago, Marcos said:

I'm afraid that without logs and possibly a remote session as well we won't be able to help. I'd recommend contacting your local customer care.

I gave you logs.

2 hours ago, itman said:

@BeanSlappers there is another test that needs to be performed.

Using a browser that uses the Win root CA certificate store such as IE11 or Edge, go to the AMTSO Desktop test web site. Click on the lock symbol as shown in the below IE11 screen shot and verify that Eset's root certificate is shown.

[Screenshot: Eset_IE11.png]

 

Same thing in there too (had to turn off smart filter to test it).

2 minutes ago, BeanSlappers said:

Same thing in there too (had to turn off smart filter to test it).

To clarify, are you stating that Eset's root certificate does not show in IE11? Instead GoDaddy's root certificate shows?


Ehhh nothing came up even from GoDaddy, and I told you that GoDaddy is in Firefox. 

9 minutes ago, Sammo said:

This is nothing to be concerned about is it?

 

[Screenshot: Eset-Mozilla.png]

I don't get that notification either, just lets me through to the site.

43 minutes ago, Sammo said:

This is nothing to be concerned about is it?

This is what I referred to previously as far as Quantum ver. 68 goes. What FireFox is informing you of is Eset is not a recognized root CA certificate issuer which obviously it is not. 

If you were to see this same wording for an Eset non-SSL protocol filtered web site, then that would be cause for concern.

1 hour ago, BeanSlappers said:

Ehhh nothing came up even from GoDaddy, and I told you that GoDaddy is in Firefox.

Again using IE11, go to the AMTSO Desktop tests web site: https://www.amtso.org/security-features-check/ . Then left mouse click on the yellow colored padlock symbol shown in IE11's toolbar. A popup should be displayed as shown in my above posted screen shot showing what root certificate is being used.

When the popup is shown, take a screen shot of the web page and post it.

31 minutes ago, BeanSlappers said:

That is going to that page in IE

Great! That is what we wanted to see.

At this point, the only other thing I can think of is somehow your FireFox profile is messed up. When FireFox is uninstalled, files associated with the existing profile are retained. This way when FireFox is reinstalled, all your settings, add-ons, etc. are automatically reestablished. Being fairly new to FireFox, I can't assist you on how to fully remove all old profile files, registry settings, etc. You will have to search the web for this info yourself. Perhaps there is a full uninstaller provided by Mozilla?

-EDIT- FireFox does have a "refresh" feature which will create a new profile yet retain passwords and the like: https://support.mozilla.org/en-US/kb/refresh-firefox-reset-add-ons-and-settings . Note: this appears to remove any certificate additions. Since FF 68 is supposed to now use the Windows root CA store for AV certificate resolution, you should not have to go through the procedure to re-add Eset's root cert. to FireFox.

I would also follow @Marcos's suggestion and open a support ticket with your local in-country Eset representative. Appears that is Singapore:

ESET Asia Pacific

ESET ASIA PTE LTD
3 Anson Road
#12-01/02 Springleaf Tower
079909
Singapore

Tel: +65 6308 9680 
Fax: +65 6536 8224
Web: www.eset.com

 

Edited by itman

37 minutes ago, itman said:

Great! That is what we wanted to see.

At this point, the only other thing I can think of is somehow your FireFox profile is messed up. When FireFox is uninstalled, files associated with the existing profile are retained. This way when FireFox is reinstalled, all your settings, add-ons, etc. are automatically reestablished. Being fairly new to FireFox, I can't assist you on how to fully remove all old profile files, registry settings, etc. You will have to search the web for this info yourself. Perhaps there is a full uninstaller provided by Mozilla?

-EDIT- FireFox does have a "refresh" feature which will create a new profile yet retain passwords and the like: https://support.mozilla.org/en-US/kb/refresh-firefox-reset-add-ons-and-settings . Note: this appears to remove any certificate additions. Since FF 68 is supposed to now use the Windows root CA store for AV certificate resolution, you should not have to go through the procedure to re-add Eset's root cert. to FireFox.

I would also follow @Marcos's suggestion and open a support ticket with your local in-country Eset representative. Appears that is Singapore:

ESET Asia Pacific

ESET ASIA PTE LTD
3 Anson Road
#12-01/02 Springleaf Tower
079909
Singapore

Tel: +65 6308 9680 
Fax: +65 6536 8224
Web: www.eset.com

 

Done and still the same; it still says GoDaddy when going to the pages on Firefox.


UPDATE:  Well F me, it works now.  I redid the profile thing again, used cleaner to clean everything, used IP config to flush the DNS stuff, rebooted.  AND BOOM, it works now.  PERFECT!  Thank you guys, I will be totally buying this software in 2 weeks.

 

[Screenshot: Untitled.png]

2 hours ago, itman said:

This is what I referred to previously as far as Quantum ver. 68 goes. What FireFox is informing you of is Eset is not a recognized root CA certificate issuer which obviously it is not. 

If you were to see this same wording for an Eset non-SSL protocol filtered web site, then that would be cause for concern.

Thanks
