Jump to content

Eset giving "certificate revoked" message.


Recommended Posts

I have a client that can't access a website due to it being blocked by Eset.

I've had a look and the site looks to be fine - https://www.ssllabs.com/ssltest/analyze.html?d=metlife.com&s=209.164.208.7

Client needs this working so some help would be appreciated.

Link to comment
Share on other sites

I can't see anything wrong either  yet is seems every machine with ESET is saying different?

Same thing, from 2 different machines.

Screenshot 2021-06-25 131049.jpg

Link to comment
Share on other sites

  • Administrators

Can the user still reproduce it? Maybe the certificate has been replaced in the mean time.

You can ask the user to enable advanced network protection logging under tools -> diagnostics, reproduce the alert, disable logging and eventually collecting logs with ESET Log Collector for perusal.

Link to comment
Share on other sites

Appears to be an Eset Banking and Payment Protection issue in ver. 14.2.10.

When I tried to access metlife.com in FireFox, Eset B&PP window opened and asked if I wanted to permanently remember web site. I replied yes. The web site opened w/o issues. Exited Eset B&PP mode.

Next I checked in Eset Web Access protection if the metlife.com cert. was present. It was not. I then tried again to access metlife.com. Eset B&PP window opened with the following:

Eset_MetLife.thumb.png.b83a8507d325a764a6195f149d95d367.png

When I tried to access certificate data via the link provided, the open execution error was shown. Err ..... a .cer file is an executable?

Never have seen anything like this previously when using Eset,

Edited by itman
Link to comment
Share on other sites

So looks like something up on the server  side rather  than ESET or the local machines then 🙂

Glad I wasn't going mad then.....

Link to comment
Share on other sites

1 hour ago, taffy881 said:

So looks like something up on the server  side rather  than ESET or the local machines then

I don't think so. If is was a server issue, the metlife.com web site would have never opened initially in Eset B&PP.

Another possible issue here is Eset has not whitelisted this web site from SSL/TLS protocol scanning. In other words, it's using Eset root CA certificate for web site cert. chain validiation. The issue might lie here.

See next posting.

Edited by itman
Link to comment
Share on other sites

I disabled Eset SSL/TLS protocol scanning and FireFox notified me the web site certificate was revoked. So access to the site is not an Eset issue.

There is a big issue however with Eset B&PP allowing initial access to a web site with a revoked certificate.

Edited by itman
Link to comment
Share on other sites

  • Administrators
16 minutes ago, itman said:

There is a big issue however with Eset B&PP allowing initial access to a web site with a revoked certificate.

A website utilizing a revoked certificate should be blocked regardless whether you choose to open it in a secure or normal browser.

Link to comment
Share on other sites

18 minutes ago, Marcos said:

A website utilizing a revoked certificate should be blocked regardless whether you choose to open it in a secure or normal browser.

It wasn't in B&PP mode and that's the issue!

Also to clarify my initial posting in this thread, there was a strange Let's Encrypt cert. that appeared in Eset 's List of known certs. that I deleted prior to re-accessing metlife.com and Eset's subsequent revoked cert. detection in B&PP mode.

Link to comment
Share on other sites

To add to this "mystery." I just rescanned metlife.com using the QUALS SSL Server web site site and received the same results that OP's posting linked. It scanned clean w/o any issues. Of note is the IP's resolved were 209.164.208.7 and 209.164.192.109 with domain, metlife-benefits.com shown.

Note that Firefox shows the following with Eset SSL/TLS protocol scanning disabled:

Eset_Revoked.thumb.png.6088edc2d9567ab4fcb1102310ca453e.png

It appears that some type of Internet backbone DNS hijacking activity is occurring here in regards to metlife.com.

Edited by itman
Link to comment
Share on other sites

I think we've entered the 'Twilight Zone' here.

Metlife.com now opens in Eset B&PP w/o issue. How is this possible w/o having the web site stored in Eset's List of known certs..? Note that Eset's root CA cert. is being deployed here.

-EDIT- Now metlife.com is blocked again in Eset B&PP. I would saw now that we have entered the 'Outer Limits.'

Edited by itman
Link to comment
Share on other sites

  • Administrators

Whether a website opens in a secure browser or not depends on the list of protected websites in the BPP setup, not on the list of known certificates.

image.png

Link to comment
Share on other sites

5 minutes ago, Marcos said:

Whether a website opens in a secure browser or not depends on the list of protected websites in the BPP setup,

Oops! :wub:. Just deleted metlife.com from there. Now I will attempt to duplicate the initiate access allowing by B&PP.

Link to comment
Share on other sites

2 minutes ago, itman said:

Now I will attempt to duplicate the initiate access allowing by B&PP.

Can't duplicate it again.

I also believe I know what happen initially. Based on current 'Outer Limits' behavior, appears that in certain attempted browser accesses to metlife.com, one will actually reach the legit web site.

Link to comment
Share on other sites

For what it's worth, Eset Web Access log shows IPv6 address, 2600:9000:203a:fc00:1f:f4ef:96c0:93a1, every time the revoked cert. alert appears. This IP address is associated with "Reach;" whomever that is, and doesn't appear to be legit for Internet routing puroses.

Link to comment
Share on other sites

Looks like the metlife.com access issue has been resolved.

Summarizing, there was either hacked or misconfigured Internet DNS relay server being accessed with attempted connection being routed to somewhere other than metlife.com. Depending on where you reside, among other factors, would determine the likelihood of you reaching this server.

Link to comment
Share on other sites

Guest
This topic is now closed to further replies.
 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...