Secure Banking with a Compromised Router

belham2
Posts: 1715
Joined: Mon 15 Aug 2016, 22:47

#1 Post by belham2 »

Ok, I've got a scenario that I'd like to run by you guys to further my understanding of compromised hardware/software located specifically on a home router.

First, I am asking that you (specifically you, rufwoof) please not go into long, arcane replies about anything else that might be related to what this thread talks about. Please. No long, multi-paragraph expositions on setups, desktops, OSes, etc., etc.

What's being asked here is simple (and, yes, the obvious replies may not be, but, still, try....and provide an explanation why). This is a question I hear repeatedly, and it is in fact brought up in one form or another in many of the Murga Security threads over the past few years.

Here it is:

1) Assume you are leaving home to visit a friend or family relative, who has graciously said you can connect via their home internet connection.

2) Assume you are bringing your own hardware that you believe is more than reasonably secure, and that you are booting a frugal-install fully in RAM of a Puppy OS and/or Fatdog on your hardware

3) When at your friend's or family relative's, you completely unplug (and turn off) every device they own in the house. Your hardware is the only device plugged straight (no wifi) into their home router.

4) So, you are the only device connected straight to that possibly 'compromised' home router, and next you are going to head to your online bank's https website (and you VERIFY it via your online bank's Certificate Fingerprint; see Wognath's recent thread here).

Here thus is the question: IS IT STILL POSSIBLE to use your gear to securely access your online banking website despite your friend's and/or relative's home router being compromised?

Remember, you fired up your safe, secure as possible hardware, with a fully loaded RAM PUP/Fatdog, you verified your online bank's Security/Fingerprint once you reached it in your browser, thus are you safe doing your https online banking despite things? Is https encrypting your connection thus rendering a compromised router ineffective since you verified you are actually connected to your online bank's secure server? Or...??

If so, why?

If not, is there a way to be (VPN, or ???)



Thanks for reading and/or replying

rufwoof
Posts: 3690
Joined: Mon 24 Feb 2014, 17:47

#2 Post by rufwoof »

Irony (around 10 paragraphs to ask a simple question).

A) (Likely) Yes
[size=75]( ͡° ͜ʖ ͡°) :wq[/size]
[url=http://murga-linux.com/puppy/viewtopic.php?p=1028256#1028256][size=75]Fatdog multi-session usb[/url][/size]
[size=75][url=https://hashbang.sh]echo url|sed -e 's/^/(c/' -e 's/$/ hashbang.sh)/'|sh[/url][/size]

Wognath
Posts: 423
Joined: Sun 19 Apr 2009, 17:23

#3 Post by Wognath »

About a year ago, a Vivaldi developer wrote what was for me a very informative article about VPNs. I asked in the comments whether a VPN increases data security if I am already using https. His answer:
[if you are using https with verified certificate], the VPN-as-a-proxy or secure web proxy would not really offer you much in terms of privacy. Yes, without it, other hotel guests (and the hotel, and governments) could see that your IP is connecting to the bank website, and they could therefore assume (correctly) that you have a bank account there. But maybe you choose not to care, so in such cases, HTTPS is enough.
Hotel wifi seems similar to your scenario.
Based on that answer, I assume my data is safe if I'm using https and I seldom fire up the VPN. I hope I'm not fooling myself.

belham2
Posts: 1715
Joined: Mon 15 Aug 2016, 22:47

#4 Post by belham2 »

Wognath wrote:About a year ago, a Vivaldi developer wrote what was for me a very informative article about VPNs. I asked in the comments whether a VPN increases data security if I am already using https. His answer:
[if you are using https with verified certificate], the VPN-as-a-proxy or secure web proxy would not really offer you much in terms of privacy. Yes, without it, other hotel guests (and the hotel, and governments) could see that your IP is connecting to the bank website, and they could therefore assume (correctly) that you have a bank account there. But maybe you choose not to care, so in such cases, HTTPS is enough.
Hotel wifi seems similar to your scenario.
Based on that answer, I assume my data is safe if I'm using https and I seldom fire up the VPN. I hope I'm not fooling myself.

Hi Wognath,

Yes, hotel wifi is same scenario.

What confuses the heck out of me is when I read different sites. The supposed gurus on those sites, I find some of them saying as long as we have secure hardware & OS on our end (like a secure laptop with a PUP/Fatdog OS on it), and we verify our online bank's site Certificate Fingerprint (again, much thanks for the GRC link in the other thread), then it does not matter one bit how compromised any hardware (i.e. a router) is between us and the bank's web page. That when doing all that, and using https, it should protect us.

Then I read other malware/hacking news sites, and those gurus say, no, it's the opposite, a compromised router (or gateway or a backbone node) can and will get you.

Who do we believe??


I think from now on I am going to do like you, and believe that with my secure-as-possible laptop & OS, using https, and verifying the bank's Certificate Fingerprint, things should be ok and I can forget about everything else.

Hope though I am not becoming the proverbial ostrich with this posture/approach :roll: . It is so dang hard to keep up with everything regarding this stuff......

This all is exhausting and enervating, especially when you add-in the fact that a lot of banks (and other sensitive sites) still refuse to offer any form of secure 2FA.

People have to travel out of their homes, we cannot stay at home locked-up forever. Mostly, people are out in public places and/or at family-relative places, so we must try to do all we can, I guess.

belham2
Posts: 1715
Joined: Mon 15 Aug 2016, 22:47

#5 Post by belham2 »

rufwoof wrote:Irony (around 10 paragraphs to ask a simple question).

A) (Likely) Yes

LOL! :lol:

Anyway, that has been your best post yet on Murga! I didn't have to pore through paragraphs, getting lost in what you're talking about, trying to Google about it all & getting even more lost and confused.

Thus, if YOU say "YES, Likely", then I feel much better. I am thus not going to worry about what I cannot control. Like when I'm using other people's (or family's) routers and/or when I am at a place like a business place (like Wognath says, in hotels and such).

rufwoof
Posts: 3690
Joined: Mon 24 Feb 2014, 17:47

#6 Post by rufwoof »

(and you VERIFY, via your online bank's Certificate Fingerprint (see Wognath's recent thread here)
Using a common dedicated service such as that link is prone to having exceptions applied (not man-in-middled, but other connections attacked). As an alternative to using the web site that Wognath referenced - running something like ...

Code:

#!/bin/bash
# usage: ./fingerprint.sh www.example.com   (a host name, not a full URL)
host="$1"
# -servername sends SNI so a host that serves several sites returns the right certificate;
# stderr is dropped so only the PEM block reaches "openssl x509"
echo | openssl s_client -connect "${host}:443" -servername "${host}" 2>/dev/null \
    | openssl x509 -fingerprint -noout
should return the sha1 fingerprint for whatever parameter (web link) is passed to that. If you have access to an ssh server (I use hashbang.sh) with pre-defined keys to login, i.e. is a safe/trusted connection (man in middle can't crack/spoof that without knowing your private key), and the above script when run on that remote server returns the same SHA1 fingerprint as when run locally, then that's reasonable enough to assume that certificates/web-host isn't being spoofed.

belham2
Posts: 1715
Joined: Mon 15 Aug 2016, 22:47

#7 Post by belham2 »

rufwoof wrote:
(and you VERIFY, via your online bank's Certificate Fingerprint (see Wognath's recent thread here)
Using a common dedicated service such as that link is prone to having exceptions applied (not man-in-middled, but other connections attacked). As an alternative to using the web site that Wognath referenced - running something like ...

Code:

#!/bin/bash
# usage: ./fingerprint.sh www.example.com   (a host name, not a full URL)
host="$1"
echo | openssl s_client -connect "${host}:443" -servername "${host}" 2>/dev/null \
    | openssl x509 -fingerprint -noout
should return the sha1 fingerprint for whatever parameter (web link) is passed to that. If you have access to an ssh server (I use hashbang.sh) with pre-defined keys to login, i.e. is a safe/trusted connection (man in middle can't crack/spoof that without knowing your private key), and the above script when run on that remote server returns the same SHA1 fingerprint as when run locally, then that's reasonable enough to assume that certificates/web-host isn't being spoofed.
Rufwoof,

Is there a chance you can provide an example of the openssl line quoted above?

Off & on, I've tried for two days to get it to work, for any website, but running it in a terminal returns nothing except errors & also the fact it is 'expecting a trusted certificate' somewhere. I was assuming I replaced the "1" inside the {...} with any website I wanted to see the SHA-1 for.

Was this correct? If not....

Could you show how it would be done for the murga-site here (as an example), and exactly how it would be entered into the terminal? I get the fact it would be better for us to do this on our machines rather than relying on a link (Wognath's GRC link) but I am too stupid to figure out what you wrote.

Gracias.

rufwoof
Posts: 3690
Joined: Mon 24 Feb 2014, 17:47

#8 Post by rufwoof »

Edited to remove (was too long (multiple-paragraphs))

Wognath
Posts: 423
Joined: Sun 19 Apr 2009, 17:23

#9 Post by Wognath »

@belham2, rufwoof's syntax works for me:

Code:

z=nsa.org

# -servername sends SNI; stderr is dropped so only the PEM reaches "openssl x509"
openssl s_client -connect "$z:443" -servername "$z" < /dev/null 2>/dev/null | openssl x509 -fingerprint -noout

wget -O - "https://grc.com/fingerprints.htm?domain=$z" | grep "$z"
Good luck awking out the fingerprint ;)

EDIT: the example was supposed to be z=nsa.gov Was it a typo or did THEY change it?
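The check that rufwoof's script and Wognath's commands above perform by hand (observe the certificate the network in front of you serves, take its fingerprint, compare it with a reference obtained out of band at home, over a trusted ssh host, or from a fingerprint service), written out in Python's standard library as an added example. This is not code from the thread or from any project; the certificate bytes in it are constructed stand-ins so it runs offline, and `fetch_leaf_pem` is the only function that touches the network. Two caveats a practitioner would add: a leaf certificate's fingerprint legitimately changes when the site renews it, so a mismatch after a renewal is expected, and sites behind a CDN can present different certificates from different places, so two vantage points disagreeing is a reason to stop and look, not proof of interception.

```python
"""Pin check for a site's leaf-certificate fingerprint (added example).

Mirrors what the openssl one-liners in this thread do, then adds the
comparison step: the fingerprint the network in front of you serves vs.
a reference recorded out of band. Standard library only. The certificate
bytes below are CONSTRUCTED stand-ins, not real certificates.
"""
import base64
import hashlib
import hmac
import re
import ssl


def fetch_leaf_pem(host: str, port: int = 443) -> str:
    """PEM of the certificate the server presents for `host` (uses the network).

    ssl.get_server_certificate sends SNI for `host` (openssl's -servername)
    and does NOT validate the chain. That is deliberate: a pin check observes
    what is being served and compares it to a reference; validation against
    the CA store is the browser's job.
    """
    return ssl.get_server_certificate((host, port))


def pem_to_der(pem: str) -> bytes:
    """Base64-decode the body between the PEM markers (no ASN.1 parsing needed)."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S)
    if not m:
        raise ValueError("no CERTIFICATE block in input")
    return base64.b64decode("".join(m.group(1).split()))


def fingerprint(der: bytes, algo: str = "sha256") -> str:
    """Colon-separated upper-case hex digest, the format `openssl x509 -fingerprint`
    prints. algo="sha1" matches the SHA1 values the one-liners above print;
    sha256 is the better choice for a pin you keep."""
    digest = hashlib.new(algo, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize(fp: str) -> str:
    """Strip colons, spaces and case so values copied from different tools compare."""
    return re.sub(r"[^0-9a-f]", "", fp.lower())


def pins_match(observed: str, reference: str) -> bool:
    """Constant-time equality of two fingerprints written in any common notation."""
    a, b = normalize(observed), normalize(reference)
    return len(a) > 0 and len(a) == len(b) and hmac.compare_digest(a, b)


def check_pem_against_pin(pem: str, reference_fp: str, algo: str = "sha256") -> bool:
    """True iff the certificate in `pem` has the pinned fingerprint."""
    return pins_match(fingerprint(pem_to_der(pem), algo), reference_fp)


def vantage_points_agree(observations: dict) -> bool:
    """True if every vantage point (e.g. {"local": fp, "ssh host": fp}) saw the
    same certificate. Disagreement means the network paths differ: an
    interception, or merely a CDN edge serving another certificate. Treat it
    as "stop and investigate", not as proof either way."""
    return len({normalize(fp) for fp in observations.values()}) == 1


# --- constructed sample data (NOT real certificates) -------------------------
def make_fake_pem(der: bytes) -> str:
    body = base64.b64encode(der).decode()
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


GENUINE_DER = b"CONSTRUCTED: stands in for the DER of the bank's real certificate"
SPOOFED_DER = b"CONSTRUCTED: what an intercepting router's TLS proxy would present"
GENUINE_PEM = make_fake_pem(GENUINE_DER)
SPOOFED_PEM = make_fake_pem(SPOOFED_DER)
PINNED_SHA256 = fingerprint(GENUINE_DER)   # the reference you recorded out of band


if __name__ == "__main__":
    print("genuine cert vs pin:", check_pem_against_pin(GENUINE_PEM, PINNED_SHA256))  # True
    print("spoofed cert vs pin:", check_pem_against_pin(SPOOFED_PEM, PINNED_SHA256))  # False
    print("two vantage points agree:", vantage_points_agree(
        {"local": fingerprint(GENUINE_DER), "ssh host": fingerprint(GENUINE_DER).lower()}))
    # Live use (network): compare what the router in front of you serves with your pin.
    # print(check_pem_against_pin(fetch_leaf_pem("www.example.com"), "<your pinned sha256>"))
```

Usage: run the file as-is to see the constructed genuine certificate pass and the spoofed one fail; for a real site, record `fingerprint(pem_to_der(fetch_leaf_pem(host)))` once from a connection you trust, keep that value, and later compare it against what a strange router serves with `check_pem_against_pin`. The comparison goes through `normalize` and `hmac.compare_digest` so a value pasted from GRC, from `openssl x509`, or from a browser dialog compares correctly regardless of colons and case.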

belham2
Posts: 1715
Joined: Mon 15 Aug 2016, 22:47

#10 Post by belham2 »

Wognath wrote:@belham2, rufwoof's syntax works for me:

Code:

z=nsa.org

openssl s_client -connect "$z:443" -servername "$z" < /dev/null 2>/dev/null | openssl x509 -fingerprint -noout

wget -O - "https://grc.com/fingerprints.htm?domain=$z" | grep "$z"
Good luck awking out the fingerprint ;)
Hi Wognath!

Thank you!!

Yesterday I had copied rufwoof's previous message before he deleted it (why??), and had been going thru it last night, trying to understand it...got really lost with setting up the hashbang.sh server and all that. Was going to try again with it today, but then came to murga & saw your message. Gave it a try, and doggone it works a charm!!

Simple, straight to the point, and works great. You know, I wish I could understand more the stuff rufwoof writes, but sometimes--despite diligently trying, not only here but in other threads--I get more than wholeheartedly lost as my brain enters into "bugger up" territory & refuses to come back out. :oops:

Anyhow, thank you so much, Wognath!! Between the GRC link (in your other thread) and explaining/showing a simple example like above, these two things are the most fantastic for increased "browser-is-reaching-the-specific-site" confidence that I've seen come across this forum in the past year. At least in a form a normal person could understand.

I honestly believe the common internet-using person doesn't understand the devastating redirects, mitm & spoofed website problem on the web, and why they should be much MUCH more worried about them than other stuff currently going on the web. Everything else pales by comparison, and even the malware attackers acknowledge that it is the Holy Trinity since penetrating existing systems is getting harder for them as each week passes.

rufwoof
Posts: 3690
Joined: Mon 24 Feb 2014, 17:47

#11 Post by rufwoof »

Why
Because I'd temporarily overlooked (forgot) that you specifically asked to avoid multi-paragraphs in this thread (and particularly by me) in the OP.

Wognath
Posts: 423
Joined: Sun 19 Apr 2009, 17:23

#12 Post by Wognath »

@belham2 Glad the commands worked in spite of the typo in the url.

"Bugger up territory" is a useful term. Everyone has a TMI threshold; mine is rather low.
belham2 wrote:I honestly believe the common internet-using person doesn't understand ...
I know I don't. I keep eyes open but have no illusion of keeping up. I'm glad I was able to share something useful from someone who knows what he's talking about.

belham2
Posts: 1715
Joined: Mon 15 Aug 2016, 22:47

#13 Post by belham2 »

Wognath wrote:@belham2 Glad the commands worked in spite of the typo in the url.

"Bugger up territory" is a useful term. Everyone has a TMI threshold; mine is rather low.
belham2 wrote:I honestly believe the common internet-using person doesn't understand ...
I know I don't. I keep eyes open but have no illusion of keeping up. I'm glad I was able to share something useful from someone who knows what he's talking about.

Hi Wognath,

I excitedly showed my wife how to use the GRC Fingerprint as an extra precaution to make sure she is on the "real" site she is shopping at.

Wouldn't ya know it, right off the bat, she comes downstairs to my office and says: "The GRC Fingerprint site doesn't work".

Now, mind you, this is after I had, in previous days, got all the fingerprints for sites I use, and keep them handy where I can quickly check them when opening a browser, so I looked at my wife & rolled my eyes.

But, lol, wouldn't ya know, for the first one she checks (a large, online, worldwide thrift shop she frequents & buys a lot from, https://www.thredup.com), the GRC Fingerprint fails to produce a fingerprint and kicks up all kind of red warnings.

I'm not sure why and/or how, if it has something to do with Cloudflare and/or whatever, it's just I can't believe the first one she checks fails. She absolutely now will never use it again and/or listen to me about doing a site's quick "fingerprint" check. I had one chance, and blew it :roll: :lol:
