Posted
visit https://rumourskaraokecafe.com/order


Looks like a TLS filtering bug due to an expired cert ESET has; ESET is updated as of this post.

Tested in Vivaldi & Edge

Posted

One of the servers uses an expired SSL certificate:

https://www.ssllabs.com/ssltest/analyze.html?d=rumourskaraokecafe.com&s=174.138.124.187&latest

Valid until:     Sun, 07 Jul 2024 15:13:43 UTC (expired 4 months and 22 days ago)   EXPIRED

The other server uses a valid one:

https://www.ssllabs.com/ssltest/analyze.html?d=rumourskaraokecafe.com&s=162.120.94.90

Posted
3 hours ago, Marcos said:

One of the servers uses an expired SSL certificate:

https://www.ssllabs.com/ssltest/analyze.html?d=rumourskaraokecafe.com&s=174.138.124.187&latest

Valid until:     Sun, 07 Jul 2024 15:13:43 UTC (expired 4 months and 22 days ago)   EXPIRED

The other server uses a valid one:

https://www.ssllabs.com/ssltest/analyze.html?d=rumourskaraokecafe.com&s=162.120.94.90

Is it not the ESET one since it has ESET as who it was issued by?

Posted (edited)

Checked on macOS



Looks like the new cert is 4 days ago


Edited by Chas4
Posted

No problem here on my Win 10 ESSP 18.0.12 installation;

[attached screenshot: Eset_Cert.png]

Posted (edited)

Review the above ssllabs.com output for the two certs. Notice that the IP addresses are different. For some reason, you are being redirected to the web site server using an expired cert. Also, your browser should be warning and blocking this connection;

[attached screenshot: Eset_Cert.png]

Edited by itman
Posted

Something has changed for me overnight. 10 minutes after the OP posted last night I was getting the same result as @itman just posted, with the double Cert header at the top, but not anymore. Firefox for me is now flagging the Cert as bad and I have to add an exception to get to the website. All I get now for the Cert is this:

[attached screenshot: rumourskaraokecafe.jpg]

Posted

On my Firefox, uBlock Origin is blocking;

amplitude.com
sentry.io

Suspect the redirect activity is originating from one of those domains.

Posted (edited)

Confirmed: Sucuri is also picking up the redirect, which appears to be originating from JavaScript;

Quote (Sucuri scan result):

[attached screenshot: Eset_Cert.png]

Expiration date: 7 Jul 2024 Issuer: R3 Please update your TLS certificate. Redirects to https://rumourskaraokecafe.com/.git/HEAD

Edited by itman
Posted

Their webmaster/host needs to look into it.

This website is not configured correctly, or something; it's running 2 Certs, a good one and a bad one, and going back and forth between the 2??

Now Firefox, 2 hours later, is telling me the Cert is OK again, I didn't do anything different.

It's also protected by CloudFlare.

It won't scan for me on Sucuri as it did for @itman (Scan failed: 403 Forbidden) but says the TLS Cert is bad,

and other URL scanners can't reach it. CloudFlare?

Quttera found nothing bad.

It gets flagged as malicious by 1 on VirusTotal (BforeAI)

[attached screenshot: Good cert.jpg]

Posted (edited)
5 hours ago, Swamp Yankee said:

It's also protected by CloudFlare.

Same here if I try to access https://rumourskaraokecafe.com/.git/HEAD, which had an expired cert.

Appears to me whatever the issue was, it has been resolved.

-EDIT- Well, I guess it isn't resolved. Accessing https://rumourskaraokecafe.com/order is again throwing the Firefox Potential Security Risk warning - expired cert.

I would just stay away from the web site.

Edited by itman
Posted
15 hours ago, Chas4 said:

Is it not the ESET one since it has ESET as who it was issued by?

You need to read how some anti-virus programs scan/decrypt TLS/SSL traffic for malware: they do it, and act like, a MitM (Man-In-The-Middle), and there is a school of thought that they should not be doing that, though the article is almost 10 years old. I'm just saying that's why you see ESET Certs listed for a lot of the sites you visit. ESET is 'injecting' their Cert; it's not the actual Cert issued for the website, and ESET Certs are not recognized by Mozilla (Firefox). Now if you look at the Cert for eBay or the Cert for the 'school of thought' link above (SecurityWeek), ESET does not 'inject' on either of those websites and you'll see the actual Certs issued for those websites. Complicated stuff. I'm no expert, just a little info.

[attached screenshot: ESET Cert not recognized by Mozilla.jpg]

Posted (edited)

Refer to the below screen shot.

The confusion by some when reviewing web site cert. details where Eset is monitoring HTTPS traffic centers on the Issuer Name details. Since Eset's SSL Filter root CA cert. data is shown, some are assuming the details shown in the Validity section apply to Eset's certificate. They do not. What is shown in the Validity section applies to the cert. being used by the web site.

[attached screenshot: Eset_SSL.png]

Edited by itman
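Editor's added example, not code from any poster, from ESET or from Qualys: Marcos's check above compares what each of the two server IPs presents for the same hostname, and itman's last post separates the Issuer (which ESET's SSL filter replaces when it inspects traffic) from the Validity dates (which belong to the site's own certificate). The script below does both in one place: `probe()` handshakes with one chosen IP while sending SNI for the hostname, with chain verification deliberately switched off so an expired leaf is returned instead of rejected, and `cert_summary()` reads issuer CN, subject CN, notBefore and notAfter straight out of the DER with a tiny TLV walker. Host and IP values are the ones quoted in the thread; the sample certificate used for the offline check is constructed in-process by `build_sample_cert()` (an unsigned skeleton, labelled as such) and is not a real certificate from the site.

```python
"""Per-IP TLS probe: read issuer CN and validity from a DER certificate.
Hypothetical helper written for this thread; the sample cert is constructed."""
import socket
import ssl
from datetime import datetime, timezone

CN_OID = b"\x55\x04\x03"  # id-at-commonName (2.5.4.3)


def _read_tlv(buf, pos):
    """Return (tag, body, next_pos) for the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _parse_time(tag, body):
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"  # UTCTime / GeneralizedTime
    return datetime.strptime(body.decode("ascii"), fmt).replace(tzinfo=timezone.utc)


def _common_name(name_der):
    """Walk Name ::= SEQUENCE OF RDN (SET OF AttributeTypeAndValue) for the CN."""
    pos = 0
    while pos < len(name_der):
        _, rdn, pos = _read_tlv(name_der, pos)
        _, atv, _ = _read_tlv(rdn, 0)
        _, oid, p = _read_tlv(atv, 0)
        if oid == CN_OID:
            _, value, _ = _read_tlv(atv, p)
            return value.decode("utf-8")
    return None


def cert_summary(der):
    """Extract issuer CN, subject CN, notBefore and notAfter from a DER cert."""
    _, cert, _ = _read_tlv(der, 0)         # Certificate ::= SEQUENCE
    _, tbs, _ = _read_tlv(cert, 0)         # tbsCertificate
    tag, _, pos = _read_tlv(tbs, 0)        # optional [0] EXPLICIT version
    if tag != 0xA0:
        pos = 0                            # v1 cert: that element was the serial
    _, _, pos = _read_tlv(tbs, pos)        # serialNumber
    _, _, pos = _read_tlv(tbs, pos)        # signature AlgorithmIdentifier
    _, issuer, pos = _read_tlv(tbs, pos)   # issuer Name
    _, validity, pos = _read_tlv(tbs, pos)
    _, subject, _ = _read_tlv(tbs, pos)
    t1, nb, p = _read_tlv(validity, 0)
    t2, na, _ = _read_tlv(validity, p)
    return {"issuer": _common_name(issuer), "subject": _common_name(subject),
            "not_before": _parse_time(t1, nb), "not_after": _parse_time(t2, na)}


def status(summary, now):
    """EXPIRED / NOT_YET_VALID / VALID relative to an aware UTC datetime."""
    if now > summary["not_after"]:
        return "EXPIRED"
    if now < summary["not_before"]:
        return "NOT_YET_VALID"
    return "VALID"


def probe(host, ip, port=443, timeout=5):
    """Handshake with one specific IP while sending SNI=host. Verification is
    disabled on purpose: we want to *see* an expired leaf, not reject it."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((ip, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return cert_summary(tls.getpeercert(binary_form=True))


# --- constructed sample certificate (stand-in for a fetched one) -------------
def _tlv(tag, body):
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    lb = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def _name(cn):
    return _tlv(0x30, _tlv(0x31, _tlv(0x30, _tlv(0x06, CN_OID) + _tlv(0x0C, cn.encode()))))


def build_sample_cert(issuer_cn, subject_cn, not_before, not_after):
    """Minimal unsigned v3 certificate skeleton carrying only the fields parsed above."""
    utc = lambda d: _tlv(0x17, d.strftime("%y%m%d%H%M%SZ").encode())
    tbs = _tlv(0x30, _tlv(0xA0, _tlv(0x02, b"\x02")) + _tlv(0x02, b"\x01")
               + _tlv(0x30, _tlv(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"))  # sha256WithRSA
               + _name(issuer_cn) + _tlv(0x30, utc(not_before) + utc(not_after))
               + _name(subject_cn) + _tlv(0x30, b""))
    return _tlv(0x30, tbs + _tlv(0x30, b"") + _tlv(0x03, b"\x00"))


if __name__ == "__main__":
    for ip in ("174.138.124.187", "162.120.94.90"):  # both IPs quoted in the thread
        s = probe("rumourskaraokecafe.com", ip)
        print(ip, s["issuer"], s["not_after"], status(s, datetime.now(timezone.utc)))
```

Run it on a machine without ESET's HTTPS filtering and each line shows the issuer the server actually sent (R3 in the Sucuri output above) next to its notAfter; run it from behind the filter and the issuer changes to ESET's SSL Filter CA while the Validity dates stay those of the site's certificate, which is exactly the distinction itman draws. Because the probe pins the IP and only uses the hostname for SNI, it also sidesteps the DNS round-robin that made the thread's browsers flip between the good and the expired server.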