Man in the middle attack

This morning, I found what looks to me like a man-in-the-middle attack. I attempted to update a working copy of a subversion repository ("svn up") and was told that:

 - The certificate is not issued by a trusted authority. Use the
   fingerprint to validate the certificate manually!
 - The certificate hostname does not match.
Certificate information:
 - Hostname: localhost.localdomain
 - Valid: from Nov  1 20:27:21 2015 GMT until Oct 31 20:27:21 2016 GMT
 - Issuer: localhost.localdomain, SomeOrganizationalUnit, SomeOrganization, SomeCity, SomeState, --(root@localhost.localdomain)

Subdomains pull the correct cert (a level 2 StartCom). Also, while the same issue happens for https from my home network, if I ssh from home, I have no problem accessing this VPS, but if I ssh from a different Linode, it again gives me a warning that the certificate is not trusted. This latter asymmetry seems to me to be evidence of a man-in-the-middle attack. Is there any way to find out? How do I check to see if weird DNS records are pointing my site at the wrong IP address?

1 Reply

Perhaps your other Linodes are using a private IP address instead of the public one? Not sure why that would cause a certificate mismatch, though.

The dig or host commands can be used for DNS lookups.

$ host forum.linode.com
forum.linode.com has address 67.18.187.140
forum.linode.com has IPv6 address 2600:3c00::4e
$ dig -t ANY forum.linode.com

; <<>> DiG 9.7.3 <<>> -t ANY forum.linode.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 49355
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 13, ADDITIONAL: 0

;; QUESTION SECTION:
;forum.linode.com.              IN      ANY

;; ANSWER SECTION:
forum.linode.com.       272     IN      AAAA    2600:3c00::4e
forum.linode.com.       272     IN      A       67.18.187.140

;; AUTHORITY SECTION:
com.                    172800  IN      NS      e.gtld-servers.net.
com.                    172800  IN      NS      a.gtld-servers.net.
com.                    172800  IN      NS      j.gtld-servers.net.
com.                    172800  IN      NS      b.gtld-servers.net.
com.                    172800  IN      NS      f.gtld-servers.net.
com.                    172800  IN      NS      l.gtld-servers.net.
com.                    172800  IN      NS      h.gtld-servers.net.
com.                    172800  IN      NS      d.gtld-servers.net.
com.                    172800  IN      NS      m.gtld-servers.net.
com.                    172800  IN      NS      c.gtld-servers.net.
com.                    172800  IN      NS      k.gtld-servers.net.
com.                    172800  IN      NS      i.gtld-servers.net.
com.                    172800  IN      NS      g.gtld-servers.net.

;; Query time: 244 msec
;; SERVER: 64.136.164.146#53(64.136.164.146)
;; WHEN: Sat Jan 16 15:35:00 2016
;; MSG SIZE  rcvd: 302

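The reply shows the raw dig and host lookups; what actually answers the question ("is this DNS, the server, or someone on the path?") is comparing what several vantage points see for the same hostname. The script below is an added example and is not code from this thread, from either poster, or from Linode. It shells out to the same dig and openssl binaries (the live helper assumes both are installed and is not exercised offline), and the hostname, IP addresses, resolver address and fingerprints in it are constructed sample values, not measurements from the thread.

```python
"""
Added example, not from the original thread: triage a "certificate not
trusted / hostname mismatch" report by comparing what several vantage
points observe for the same hostname. Each Observation records the IP the
vantage's resolver returned and the certificate presented at that IP.
All hostnames, IPs, resolver addresses and fingerprints below are
constructed sample data (assumptions), not measurements from the thread.
"""
from dataclasses import dataclass
import subprocess


@dataclass(frozen=True)
class Observation:
    vantage: str       # where the check ran (e.g. "home", "other-linode")
    resolved_ip: str   # A record returned by that vantage's resolver
    cert_subject: str  # subject of the leaf certificate presented
    cert_sha256: str   # SHA-256 fingerprint of that certificate


def collect_observation(vantage, hostname, resolver):
    """Network helper (not used offline): resolve HOSTNAME through RESOLVER
    with dig, then fetch the leaf certificate served at that IP with
    openssl s_client, sending HOSTNAME as SNI. Needs dig and openssl."""
    answers = subprocess.run(
        ["dig", "+short", f"@{resolver}", hostname, "A"],
        capture_output=True, text=True, check=True).stdout.split()
    ip = answers[-1]  # dig prints any CNAME chain first; the A record is last
    pem = subprocess.run(
        ["openssl", "s_client", "-connect", f"{ip}:443", "-servername", hostname],
        input="", capture_output=True, text=True).stdout
    info = subprocess.run(
        ["openssl", "x509", "-noout", "-subject", "-fingerprint", "-sha256"],
        input=pem, capture_output=True, text=True, check=True).stdout
    subject = info.split("subject=", 1)[1].splitlines()[0].strip()
    fingerprint = info.split("Fingerprint=", 1)[1].strip()
    return Observation(vantage, ip, subject, fingerprint)


def is_self_signed_placeholder(hostname, subject, issuer):
    """True when the certificate neither names the host nor chains anywhere:
    issuer equals subject and the expected hostname is absent from the subject."""
    return subject == issuer and hostname.lower() not in subject.lower()


def triage(expected_ip, expected_sha256, observations):
    """Separate DNS problems from certificate problems.

    Returns (verdict, findings). Verdicts:
      "dns"              no vantage reached the expected IP; fix resolution first
      "clean"            expected certificate at the expected IP wherever reached
      "server-misconfig" the same wrong certificate at the right IP from every
                         vantage (the server itself is serving it)
      "interception"     certificates differ by vantage at the same IP, which
                         is what an on-path man-in-the-middle looks like
    """
    findings = []
    wrong_dns = [o for o in observations if o.resolved_ip != expected_ip]
    right_ip = [o for o in observations if o.resolved_ip == expected_ip]
    bad_cert = [o for o in right_ip if o.cert_sha256 != expected_sha256]

    for o in wrong_dns:
        findings.append(f"{o.vantage}: resolver answered {o.resolved_ip}, expected "
                        f"{expected_ip}; query the zone's authoritative NS directly")
    for o in bad_cert:
        findings.append(f"{o.vantage}: {expected_ip} presented '{o.cert_subject}' "
                        f"({o.cert_sha256}), not the expected fingerprint")

    if not right_ip:
        verdict = "dns"
    elif not bad_cert:
        verdict = "clean"
    elif len(bad_cert) == len(right_ip) and len({o.cert_sha256 for o in bad_cert}) == 1:
        verdict = "server-misconfig"
    else:
        verdict = "interception"
    return verdict, findings


def sample_run():
    """Constructed scenario: two vantages reach the right IP and both get the
    same self-signed placeholder; a third vantage's resolver answers a wrong IP."""
    expected_ip, expected_fp = "203.0.113.10", "AA:11:22:33"   # assumed values
    observations = [
        Observation("home", "203.0.113.10", "CN=localhost.localdomain", "BB:44:55:66"),
        Observation("other-linode", "203.0.113.10", "CN=localhost.localdomain", "BB:44:55:66"),
        Observation("cafe-wifi", "198.51.100.7", "CN=localhost.localdomain", "BB:44:55:66"),
    ]
    return triage(expected_ip, expected_fp, observations)


if __name__ == "__main__":
    verdict, findings = sample_run()
    print(verdict)
    for line in findings:
        print(" -", line)
```

The distinction the verdicts draw is the practical one: a certificate whose issuer equals its subject and names a host you never configured is a placeholder the server itself is presenting, and if every vantage that reaches the correct IP sees the same fingerprint, no interception is needed to explain it. Only when the fingerprint changes with the path (same IP, different certificate) does an on-path attacker become the best explanation, and a resolver handing back a different IP is a DNS problem to chase separately with `dig @<authoritative-ns>`.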