
Eset giving "certificate revoked" message.



I have a client that can't access a website due to it being blocked by Eset.

I've had a look and the site looks to be fine - https://www.ssllabs.com/ssltest/analyze.html?d=metlife.com&s=209.164.208.7

Client needs this working so some help would be appreciated.


I can't see anything wrong either, yet it seems every machine with ESET is saying different?

Same thing, from 2 different machines.

[Screenshot attached, 2021-06-25]


  • Administrators

Can the user still reproduce it? Maybe the certificate has been replaced in the meantime.

You can ask the user to enable advanced network protection logging under Tools -> Diagnostics, reproduce the alert, disable logging and then collect logs with ESET Log Collector for perusal.


Appears to be an Eset Banking and Payment Protection issue in ver. 14.2.10.

When I tried to access metlife.com in FireFox, Eset B&PP window opened and asked if I wanted to permanently remember web site. I replied yes. The web site opened w/o issues. Exited Eset B&PP mode.

Next I checked in Eset Web Access protection if the metlife.com cert. was present. It was not. I then tried again to access metlife.com. Eset B&PP window opened with the following:

[Screenshot attached: Eset_MetLife.png]

When I tried to access certificate data via the link provided, the open execution error was shown. Err ..... a .cer file is an executable?

Never have seen anything like this previously when using Eset.

Edited by itman

So looks like something up on the server side rather than ESET or the local machines then 🙂

Glad I wasn't going mad then.....


1 hour ago, taffy881 said:

So looks like something up on the server side rather than ESET or the local machines then

I don't think so. If it was a server issue, the metlife.com web site would have never opened initially in Eset B&PP.

Another possible issue here is Eset has not whitelisted this web site from SSL/TLS protocol scanning. In other words, it's using Eset's root CA certificate for web site cert. chain validation. The issue might lie here.

See next posting.

Edited by itman

I disabled Eset SSL/TLS protocol scanning and FireFox notified me the web site certificate was revoked. So access to the site is not an Eset issue.

There is a big issue however with Eset B&PP allowing initial access to a web site with a revoked certificate.

Edited by itman

  • Administrators
16 minutes ago, itman said:

There is a big issue however with Eset B&PP allowing initial access to a web site with a revoked certificate.

A website utilizing a revoked certificate should be blocked regardless whether you choose to open it in a secure or normal browser.


18 minutes ago, Marcos said:

A website utilizing a revoked certificate should be blocked regardless whether you choose to open it in a secure or normal browser.

It wasn't in B&PP mode and that's the issue!

Also to clarify my initial posting in this thread, there was a strange Let's Encrypt cert. that appeared in Eset's List of known certs. that I deleted prior to re-accessing metlife.com and Eset's subsequent revoked cert. detection in B&PP mode.


To add to this "mystery." I just rescanned metlife.com using the Qualys SSL Server Test web site and received the same results that OP's posting linked. It scanned clean w/o any issues. Of note is the IPs resolved were 209.164.208.7 and 209.164.192.109 with domain, metlife-benefits.com shown.

Note that Firefox shows the following with Eset SSL/TLS protocol scanning disabled:

[Screenshot attached: Eset_Revoked.png]

It appears that some type of Internet backbone DNS hijacking activity is occurring here in regards to metlife.com.

Edited by itman

I think we've entered the 'Twilight Zone' here.

Metlife.com now opens in Eset B&PP w/o issue. How is this possible w/o having the web site stored in Eset's List of known certs..? Note that Eset's root CA cert. is being deployed here.

-EDIT- Now metlife.com is blocked again in Eset B&PP. I would say now that we have entered the 'Outer Limits.'

Edited by itman

  • Administrators

Whether a website opens in a secure browser or not depends on the list of protected websites in the BPP setup, not on the list of known certificates.

[Screenshot attached]


5 minutes ago, Marcos said:

Whether a website opens in a secure browser or not depends on the list of protected websites in the BPP setup,

Oops! Just deleted metlife.com from there. Now I will attempt to duplicate the initial access allowed by B&PP.


2 minutes ago, itman said:

Now I will attempt to duplicate the initial access allowed by B&PP.

Can't duplicate it again.

I also believe I know what happened initially. Based on current 'Outer Limits' behavior, it appears that in certain attempted browser accesses to metlife.com, one will actually reach the legit web site.


For what it's worth, Eset Web Access log shows IPv6 address, 2600:9000:203a:fc00:1f:f4ef:96c0:93a1, every time the revoked cert. alert appears. This IP address is associated with "Reach;" whoever that is, and doesn't appear to be legit for Internet routing purposes.


Looks like the metlife.com access issue has been resolved.

Summarizing, there was either a hacked or misconfigured Internet DNS relay server being accessed, with attempted connections being routed to somewhere other than metlife.com. Depending on where you reside, among other factors, would determine the likelihood of you reaching this server.

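As an added illustration of the check the thread turns on (it is not code from the thread or from ESET), the script below shows how a client decides that a site certificate is revoked from a signed OCSP response. A constructed root CA, a constructed leaf for metlife.com and a constructed responder stand in for the real chain so it runs offline; in practice the response would be fetched from the URL in the certificate's AIA extension, and when a scanner re-signs the chain with its own root (as ESET's SSL/TLS protocol scanning does) this check has to happen in the scanner.

```python
# Added example, not ESET's code. Requires the `cryptography` package.
import datetime
from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509 import ocsp

NOW = datetime.datetime.now(datetime.timezone.utc)

def make_cert(common_name, issuer_cert, pubkey, signing_key, is_ca):
    """Issue a minimal certificate (self-signed when issuer_cert is None)."""
    subject = x509.Name([x509.NameAttribute(x509.NameOID.COMMON_NAME, common_name)])
    issuer = subject if issuer_cert is None else issuer_cert.subject
    return (x509.CertificateBuilder()
            .subject_name(subject).issuer_name(issuer).public_key(pubkey)
            .serial_number(x509.random_serial_number())
            .not_valid_before(NOW - datetime.timedelta(days=1))
            .not_valid_after(NOW + datetime.timedelta(days=90))
            .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
            .sign(signing_key, hashes.SHA256()))

def make_ocsp_response(leaf, issuer_cert, issuer_key, revoked):
    """Constructed responder: the issuer signs a status for `leaf` (DER bytes)."""
    status = ocsp.OCSPCertStatus.REVOKED if revoked else ocsp.OCSPCertStatus.GOOD
    builder = ocsp.OCSPResponseBuilder().add_response(
        cert=leaf, issuer=issuer_cert, algorithm=hashes.SHA256(), cert_status=status,
        this_update=NOW, next_update=NOW + datetime.timedelta(days=1),
        revocation_time=NOW - datetime.timedelta(hours=1) if revoked else None,
        revocation_reason=x509.ReasonFlags.key_compromise if revoked else None,
    ).responder_id(ocsp.OCSPResponderEncoding.HASH, issuer_cert)
    return builder.sign(issuer_key, hashes.SHA256()).public_bytes(serialization.Encoding.DER)

def revocation_status(der_response, leaf, issuer_cert):
    """What a browser does with the response: verify the signature against the
    issuer key, make sure it covers this certificate, then read the status."""
    resp = ocsp.load_der_ocsp_response(der_response)
    if resp.response_status is not ocsp.OCSPResponseStatus.SUCCESSFUL:
        return "UNKNOWN"  # responder error: say nothing either way
    issuer_cert.public_key().verify(resp.signature, resp.tbs_response_bytes,
                                    ec.ECDSA(resp.signature_hash_algorithm))  # raises if forged
    if resp.serial_number != leaf.serial_number:
        raise ValueError("OCSP response is for a different certificate")
    return resp.certificate_status.name  # "GOOD", "REVOKED" or "UNKNOWN"

def demo(revoked=True):
    """Build the constructed chain and return the status a client would see."""
    ca_key, leaf_key = ec.generate_private_key(ec.SECP256R1()), ec.generate_private_key(ec.SECP256R1())
    ca = make_cert("Constructed Root CA", None, ca_key.public_key(), ca_key, True)
    leaf = make_cert("metlife.com", ca, leaf_key.public_key(), ca_key, False)
    return revocation_status(make_ocsp_response(leaf, ca, ca_key, revoked), leaf, ca)

if __name__ == "__main__":
    print(demo())  # a "REVOKED" answer is what should block the page in any browser mode
```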
