XYMer's Home away from Home

When http://bbs.xlr8yourmac.com is down (i.e. always)
All times are UTC - 8 hours
PostPosted: Thu Sep 08, 2016 8:52 am 

Joined: Sat Apr 11, 2009 2:15 pm
Posts: 5914
Location: NYC
With Little Snitch, I'm seeing an outbound connection on Firefox (ESR 45.3.0) startup to politico.com. When I set a rule in Little Snitch to block that, and I go to politico.com itself, I get a prompt (screenshot below) from Little Snitch to allow ocsp.int-x3.letsencrypt.org or not. (This is coming from Sophos Web Intelligence, a component of Sophos A-V, which filters connections to possibly malware-infected URLs.) The connection would be originating directly from Firefox if Sophos weren't in the picture.

If I set a Little Snitch rule directly for an ask prompt on connection to that URL, politico.com (regular site) doesn't load at all--only loads when ocsp.int-x3.letsencrypt.org is allowed.

Question: Firefox is phoning home to politico.com on startup, and is blocked if the connection to ocsp.int-x3.letsencrypt.org is also blocked. No idea what the relationship is between politico.com and this ocsp server. Very puzzled. What can they possibly have to do with each other? And WTF is ocsp.int-x3.letsencrypt.org?

Finding this: https://letsencrypt.org/, which doesn't give me a lot to go on for the outbound connection to politico.com.

PostPosted: Thu Sep 08, 2016 12:03 pm 
Benevolent Dictator

Joined: Mon Apr 21, 2008 2:03 am
Posts: 14576
Quote:
And WTF is ocsp.int-x3.letsencrypt.org?

To me it looks like they handle Digital Certificates for websites, perhaps.

https://letsencrypt.org/certificates/

PostPosted: Thu Sep 08, 2016 12:15 pm 

Joined: Thu May 15, 2008 8:13 pm
Posts: 9444
Location: Caught between the moon and NYC
Yeah, it's a new certificate authority (said with much trepidation) and your browser, or Sophos, or both, is trying to connect to the CA to verify that the SSL certificate politico.com sent you is the correct certificate.

PostPosted: Thu Sep 08, 2016 12:55 pm 

Joined: Sat Apr 11, 2009 2:15 pm
Posts: 5914
Location: NYC
MonkeyBoy wrote:
Yeah, it's a new certificate authority (said with much trepidation) and your browser, or Sophos, or both, is trying to connect to the CA to verify that the SSL certificate politico.com sent you is the correct certificate.

But this happens on Firefox open, even if I'm not connected or haven't connected to politico (with Firefox cache and cookies completely emptied), which, by the way, is an ordinary non-SSL site. Why would a non-SSL site be using or sending certificates at all, especially when not even connected to that site, and all history (cache) of that connection has been removed?

PostPosted: Thu Sep 08, 2016 1:44 pm 
Benevolent Dictator

Joined: Mon Apr 21, 2008 2:03 am
Posts: 14576
Hmmm, looks like a DV Certificate…

http://security.stackexchange.com/quest ... rtificates


I think I'd check Keychain Access & look for that certificate, maybe trash it.

PostPosted: Thu Sep 08, 2016 1:50 pm 

Joined: Thu May 15, 2008 8:13 pm
Posts: 9444
Location: Caught between the moon and NYC
My rule of thumb for starting to investigate these issues is to try it with a fresh profile - don't trash your existing one, just set Firefox to open the profile manager at startup and temporarily use another profile or a new profile. At least then you'll know whether it's Firefox or Sophos doing the querying.

Obviously if it's Sophos your options are limited to something in Sophos to stop the behavior.

If it's your profile then at least you know it's something in your profile and you can start looking through it. Custom certificates would be a good place to look; about:config might be a good spot to at least search for politico, the CA name, or similar names. I wouldn't think it's an extension or plugin, but you could try shutting some off and see if it helps (plugins are easier to do than extensions: just write down a list of what the current plugins and settings are and then set them all to never load).

BTW it might not be related to politico.com at all if it's happening at startup. It may just be some behavior that Firefox performs that's whitelisted except for this one new CA because it's new.

PostPosted: Thu Sep 08, 2016 3:02 pm 

Joined: Thu Jul 05, 2012 4:02 pm
Posts: 1006
Location: Melbourne
WZZZ: The Little Snitch network monitor is showing that the connection is made by the Sophos app, not Firefox, so I'd be inclined to think it was the antivirus app.

PostPosted: Thu Sep 08, 2016 3:25 pm 

Joined: Thu May 15, 2008 8:13 pm
Posts: 9444
Location: Caught between the moon and NYC
That's true, it could be Sophos trying to download some kind of definition file over an ssl connection secured with letsencrypt or otherwise validate any connections you're attempting to make.

This is purely a guess, but I would guess that Sophos is essentially acting as a proxy for website traffic. When you tell Firefox to load a website, that request goes through Sophos. If you block Sophos' ability to make connections it may very well block Firefox from making connections as well, rather than allow potentially unsafe connections to go through. If Sophos is connecting to a website that is secured with a letsencrypt certificate to validate your website traffic, blocking Sophos' ability to connect to that website then blocks your ability to connect to other websites in Firefox.

If you disable Sophos web proxy functionality this behavior should stop, but then you'll be less protected. As a general rule I prefer to be less protected... those proxies always end up creating headaches for me.

PostPosted: Thu Sep 08, 2016 5:31 pm 
Master

Joined: Sun Apr 20, 2008 5:24 am
Posts: 9676
Location: North of the State of Jefferson
I'd take a look under Preferences --> Advanced --> Advanced --> Certificates to see if anything odd shows up.

Also, does Firefox open to that silly advertising page? Do you have any other interesting addons installed that might be trying to do something helpful?

- Anonymous

PostPosted: Fri Sep 09, 2016 10:35 am 

Joined: Thu May 15, 2008 8:13 pm
Posts: 9444
Location: Caught between the moon and NYC
I did a fresh install of Firefox a couple of days ago and I had totally forgotten how annoying the default new tab page was. I've been using images I built and update for system recovery for so long that I had managed to push that thing out of my mind.

PostPosted: Fri Sep 09, 2016 11:18 am 

Joined: Sat Apr 11, 2009 2:15 pm
Posts: 5914
Location: NYC
MonkeyBoy wrote:
I did a fresh install of Firefox a couple of days ago and I had totally forgotten how annoying the default new tab page was. I've been using images I built and update for system recovery for so long that I had managed to push that thing out of my mind.

Yeah, I dread seeing what FF is going to look like when so many of my add-ons, Classic Theme Restorer possibly, among many others I've grown to depend on, are extinguished when the new Web Extensions API arrives. Not only that, but most likely a hideous UI. I'll find out when the 45 ESR is EOL sometime next year. Not only the add-ons, but my CSS scripts which use Stylish, which will probably get nuked as well -- most likely with quite a few of my about:config tweaks.

Re. the strange outbound connections: disabling the Web Intelligence feature in Sophos, which is where they were coming from (especially ocsp.int-x3.letsencrypt.org) seems to have put an end to those. Also discovered that the Sophos thing was connecting to play.google.com and some junk sub-domain of slate.com. Now that everything is going directly through Firefox, still need to closely inspect all the Firefox on-open connections, but they appear at first glance to look mostly kosher.

Found this interesting add-on, which replaces the quite hard to discern connection history in Little Snitch Network Monitor. https://addons.mozilla.org/en-US/firefox/addon/httpfox/

Still no idea why Sophos Web Int. was connecting to that certificate server, and why it was conflated with politico. Didn't find any evidence of that certificate in Firefox Prefs. or in Keychain.

I don't think I'll be missing that Sophos Web Int. feature: the only time I ever got a warning or a block was when I deliberately went to several known malware sites, and even then, Sophos protected only against a few.

And not sure what real world protection the "Block malicious downloads...." actually offers.

PostPosted: Fri Sep 09, 2016 11:48 am 

Joined: Sat Apr 11, 2009 2:15 pm
Posts: 5914
Location: NYC
Uh oh, spoke too soon. Not seeing it in the Little Snitch Network Monitor any longer, but ocsp.int-x3.letsencrypt.org is there, on Firefox open, in HttpFox. No idea what to think now.


And missed it the first time I looked in Firefox Certificates, but there it is after all in Certificates>Authorities. Didn't recognize it as simply "Let's Encrypt...."


Guessing now that it's kosher, if it's some kind of default certificate that Firefox uses, but still don't understand how it gets conflated with non-SSL politico.com.

PostPosted: Fri Sep 09, 2016 12:54 pm 
Benevolent Dictator

Joined: Mon Apr 21, 2008 2:03 am
Posts: 14576
I wonder if it's something to do with that "keep-alive" ?

PostPosted: Fri Sep 09, 2016 2:39 pm 

Joined: Thu May 15, 2008 8:13 pm
Posts: 9444
Location: Caught between the moon and NYC
I'm guessing it's part of OCSP, which connects to CAs and verifies certificates, although why it's tied to politico is a bit of a mystery.

Perhaps politico is running servers off the same IP as some other service and Little Snitch is reverse-DNSing the host name to politico instead of the other name.

I've seen Little Snitch reverse DNS host names wrong - well, not wrong, but when there's more than one name for an IP it just picks one, since there isn't any way of really determining which one is accurate. I see this all the time with Akamai and similar services; typically the Akamai name comes up instead of the "correct" domain name.

PostPosted: Fri Sep 09, 2016 3:43 pm 
Benevolent Dictator

Joined: Mon Apr 21, 2008 2:03 am
Posts: 14576
http://pressf1.pcworld.co.nz/archive/in ... 33444.html

PostPosted: Sat Sep 10, 2016 5:09 am 

Joined: Sat Apr 11, 2009 2:15 pm
Posts: 5914
Location: NYC
Update: I re-enabled Sophos Web Intelligence, and with HttpFox everything on Firefox-open looks normal. Just the usual addon version checks, OCSPs, etc. I'm now thinking that the Little Snitch Network Monitor connection history can sometimes be just plain screwy. Edit: or so it seems; can no longer reproduce this.

PostPosted: Thu Sep 15, 2016 5:32 am 

Joined: Sat Apr 11, 2009 2:15 pm
Posts: 5914
Location: NYC
Just did some more investigation on the politico/ocsp.int-x3.letsencrypt.org relationship: Definitely blocked ocsp.int-x3.letsencrypt.org, saw in HttpFox that the connection was being blocked. Then went to the LS Network Monitor (Sophos Web Intelligence) and politico.com was highlighted in red, meaning a blocked connection to that server. Wasn't blocked until ocsp.int-x3.letsencrypt.org was blocked.

Not only that, with the LS Network Monitor open, Adobe Reader (11.0.17, with all connections allowed) also connects to politico.com. Guessing that it also connects independently to ocsp.int-x3.letsencrypt.org, and for some weird reason, it's also tied up with politico.

Never see politico in HttpFox unless I actually go to the real site. And never see ocsp.int-x3.letsencrypt.org in Little Snitch. Seems LS sees ocsp.int-x3.letsencrypt.org as politico. Some strange mix up there.

PostPosted: Thu Sep 15, 2016 8:10 am 

Joined: Thu May 15, 2008 8:13 pm
Posts: 9444
Location: Caught between the moon and NYC
I would bet good money that they share hosting space with the same provider(s), meaning the server IPs are shared between politico and other organizations. Little Snitch's IP to DNS lookups work so long as only a single DNS is available for that IP. With multiple DNS entries it has no way of knowing which one is the correct one for that IP and chooses according to some built-in logic.
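The shared-IP explanation above, turned into a forward-confirmed reverse DNS check that rates how far a monitor's host-name label can be trusted. This is an added example with constructed records and hypothetical names (RFC 5737 documentation addresses), not code from the thread or from Little Snitch:

```python
import socket
from typing import Callable, Dict, List, Set

# Constructed sample DNS data (hypothetical names): 192.0.2.10 is a shared
# edge IP serving a news site, a CA's OCSP responder and the CDN's own name;
# 192.0.2.11 is dedicated to the responder; 192.0.2.20 has a stale PTR
# whose forward record no longer points back at it.
PTR_RECORDS: Dict[str, List[str]] = {
    "192.0.2.10": ["news.example.net", "ocsp.ca.example", "edge-7.cdn.example"],
    "192.0.2.11": ["ocsp.ca.example"],
    "192.0.2.20": ["old-host.example.org"],
}
A_RECORDS: Dict[str, List[str]] = {
    "news.example.net": ["192.0.2.10"],
    "ocsp.ca.example": ["192.0.2.10", "192.0.2.11"],
    "edge-7.cdn.example": ["192.0.2.10"],
    "old-host.example.org": ["192.0.2.30"],
}

Lookup = Callable[[str], List[str]]

def sample_ptr(ip: str) -> List[str]:
    return PTR_RECORDS.get(ip, [])

def sample_addr(name: str) -> List[str]:
    return A_RECORDS.get(name, [])

def confirmed_names(ip: str, ptr: Lookup = sample_ptr, addr: Lookup = sample_addr) -> Set[str]:
    """Forward-confirmed reverse DNS: keep only PTR names whose forward lookup includes ip."""
    return {name for name in ptr(ip) if ip in addr(name)}

def classify_label(ip: str, shown: str, ptr: Lookup = sample_ptr, addr: Lookup = sample_addr) -> str:
    """How far to trust a monitor's host-name column for a connection to ip."""
    names = confirmed_names(ip, ptr, addr)
    if shown not in names:
        return "unconfirmed"  # stale or wrong label; go by the name the app requested
    if len(names) > 1:
        return "ambiguous"    # shared IP: any of these names could be the real peer
    return "confirmed"

def live_ptr(ip: str) -> List[str]:
    """Real reverse lookup via the system resolver (canonical name plus aliases)."""
    try:
        host, aliases, _ = socket.gethostbyaddr(ip)
        return [host, *aliases]
    except socket.herror:
        return []
```

Pass live_ptr in place of sample_ptr to check a real address; a forward lookup built on socket.getaddrinfo can replace sample_addr the same way. An "ambiguous" result is exactly the Akamai-style case described above, where the name the application actually requested (as HttpFox shows) is the reliable one.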

PostPosted: Thu Sep 15, 2016 11:07 am 

Joined: Sat Apr 11, 2009 2:15 pm
Posts: 5914
Location: NYC
Thanks MB, sounds right. But right or not, definitely won't be spending any more time on this.
