Hi everyone.
Recently one of my friends travelled to China, and China has a so-called "Great Firewall" that blocks most connections to other countries.
Most of the time he uses a VPN and is able to connect anywhere, and we often chat online; he also likes playing with computers, and we did some tests together over online chat.
Most websites are just blocked; after a bit of searching we know this happens either through a wrong IP answer from DNS hijacking, or by simply blocking the IP address.
But some of them are redirected to a wrong website. At first he thought it was just another case of DNS poisoning, and that if he just used the correct IP address it would be fine. Then we found something weird... In a few cases, even when he typed the correct IP, it still opened a wrong site when not using the VPN, and we are really confused: how can that happen?
And then the scariest part: he tried to visit "skype.com", and the tests follow:
1. He visited with the VPN by domain name; it worked well, and the correct site opened as "https://www.skype.com/".
2. He visited without the VPN by domain name; the site opened as "http://skype.gwm.cn/", which is a hijacked/redirected wrong site.
3. He visited without the VPN by the correct IP address; the browser reported an invalid certificate with:
"The certificate is only valid for the following names: www.skype.com, *.skype.com
Error code: SSL_ERROR_BAD_CERT_DOMAIN"
If he forced a visit to the site anyway, he still ended up on the wrong "http://skype.gwm.cn/".
At first we thought it was because he was using "HTTPS Everywhere" and the rogue site provided a fake certificate, but after we compared the serial number, SHA-1 and SHA-256 between the right and wrong site, they were identical. This really makes me feel upset, because the "Great Firewall" can already provide a wrong DNS answer, so imagine if the right domain is silently redirected to the wrong IP and the fake site has the same certificate as the correct site: the user may never know whether he is visiting a phishing site or not?
We don't know if we missed anything, and welcome you guys to discuss.
Thanks!
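The comparison the poster did by hand in the browser (certificate fingerprints, the names the certificate is valid for, and where the page ends up) can be done from a script, which makes it repeatable from inside and outside the network being tested. The following is an added example for the scenario described in this post, not code from the poster; it uses only the Python 3 standard library, and the IP `203.0.113.10`, the HTTP response bytes and the SAN list in it are constructed sample data, not captures from the real servers. It shows two things a practitioner would want to separate: first, that a name check of what was typed into the address bar against the certificate's DNS names fails for any IP literal, so step 3's SSL_ERROR_BAD_CERT_DOMAIN is what a genuine server with a certificate for `www.skype.com`/`*.skype.com` would also produce when browsed by IP; second, the HTTP status and `Location` header returned over that same TLS session, so one can see whether the redirect to `skype.gwm.cn` is an HTTP redirect issued by the server that presented the certificate (the chain is still verified against the system CA store, so a forged certificate fails loudly rather than being compared silently).

```python
import hashlib
import socket
import ssl
import sys
from typing import Dict, List, Optional, Tuple

# Constructed sample data (NOT captured from the real servers): a plausible
# redirect response head, and the SAN list quoted in the browser error above.
SAMPLE_RESPONSE = (
    b"HTTP/1.1 302 Found\r\n"
    b"Location: http://skype.gwm.cn/\r\n"
    b"Content-Length: 0\r\n"
    b"\r\n"
)
SAMPLE_SANS = ["www.skype.com", "*.skype.com"]


def fingerprints(der: bytes) -> Dict[str, str]:
    """SHA-1 and SHA-256 of the DER certificate, colon-separated upper-case,
    the form browsers display so the values can be compared directly."""
    def fmt(digest: bytes) -> str:
        return ":".join(f"{b:02X}" for b in digest)
    return {"sha1": fmt(hashlib.sha1(der).digest()),
            "sha256": fmt(hashlib.sha256(der).digest())}


def hostname_matches(hostname: str, dns_names: List[str]) -> bool:
    """RFC 6125-style match of the typed host against the DNS SANs.
    A wildcard covers exactly one left-most label: '*.skype.com' matches
    'login.skype.com' but not 'skype.com' or 'a.b.skype.com'. An IP literal
    never matches a DNS name, hence SSL_ERROR_BAD_CERT_DOMAIN when browsing
    by IP, even against the genuine server."""
    host = hostname.lower().rstrip(".")
    for name in dns_names:
        name = name.lower()
        if name.startswith("*."):
            if "." in host and host.split(".", 1)[1] == name[2:]:
                return True
        elif host == name:
            return True
    return False


def parse_response_head(raw: bytes) -> Tuple[int, Optional[str]]:
    """Status code and Location header (if any) of a raw HTTP/1.x response."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    status_line, *headers = head.split("\r\n")
    status = int(status_line.split(" ", 2)[1])
    location = None
    for line in headers:
        name, _, value = line.partition(":")
        if name.strip().lower() == "location":
            location = value.strip()
    return status, location


def probe(ip: str, server_name: Optional[str], host_header: str,
          port: int = 443, timeout: float = 5.0) -> dict:
    """TLS-connect to `ip`, verify the chain against the system CA store but
    not the hostname (we want to inspect a mismatched cert, not refuse it),
    send one GET and report what this server returned. server_name=None
    sends no SNI, which is what a browser given a bare IP does."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False            # checked separately below
    ctx.verify_mode = ssl.CERT_REQUIRED   # a forged chain still fails loudly
    request = (f"GET / HTTP/1.1\r\nHost: {host_header}\r\n"
               f"Connection: close\r\n\r\n").encode("ascii")
    with socket.create_connection((ip, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=server_name) as tls:
            der = tls.getpeercert(binary_form=True)
            sans = [v for t, v in tls.getpeercert().get("subjectAltName", ())
                    if t == "DNS"]
            tls.sendall(request)
            chunks = []
            while True:
                chunk = tls.recv(4096)
                if not chunk:
                    break
                chunks.append(chunk)
    status, location = parse_response_head(b"".join(chunks))
    return {"fingerprints": fingerprints(der), "san_dns": sans,
            "name_matches": hostname_matches(host_header, sans),
            "status": status, "location": location}


if __name__ == "__main__":
    # usage: python probe.py <ip> <name>; <name> is used as Host header and
    # SNI. Pass the IP twice to mimic typing a bare IP into the browser.
    target_ip, name = sys.argv[1], sys.argv[2]
    for key, value in probe(target_ip, None if name == target_ip else name,
                            name).items():
        print(f"{key}: {value}")
```

Run it twice against the same IP, once with the domain name and once with the IP as the name, from inside and outside the affected network, and compare the `fingerprints` entries with each other and with what the browser shows: identical fingerprints mean the same certificate (and therefore the same private key holder) answered, while the `status`/`location` pair tells you whether the page change is an HTTP redirect sent by that server rather than a substituted site.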