联通对 iCloud 服务器进行 SSL 劫持?

2014-10-18 09:30:50 +08:00
 bearice
今天早上打开 www.icloud.com 报证书错误,稍微调查了一下:

https://gist.github.com/bearice/8f87eb1f87bed8b3b4ee
15186 次点击
所在节点    SSL
26 条回复
bearice
2014-10-18 09:40:16 +08:00
艹,影响范围似乎是全国,我在青岛和广西的节点上测试,也发现了同样的问题
bearice
2014-10-18 09:45:15 +08:00
可以使用命令
curl https://23.59.94.46 -vk -H'Host: www.icloud.com' -I
进行测试,如果结果里有

* Server certificate:
* subject: C=cn; O=www.icloud.com; CN=www.icloud.com
* start date: 2014-10-04 10:35:47 GMT
* expire date: 2015-10-04 10:35:47 GMT
* issuer: C=cn; O=www.icloud.com; CN=www.icloud.com
* SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.

说明中招
casparchen
2014-10-18 09:55:21 +08:00
Server certificate:
* subject: 1.3.6.1.4.1.311.60.2.1.3=US; 1.3.6.1.4.1.311.60.2.1.2=California; businessCategory=Private Organization; serialNumber=C0806592; C=US; postalCode=95014; ST=California; L=Cupertino; street=1 Infinite Loop; O=Apple Inc.; OU=Internet Services for Akamai; CN=www.icloud.com
* start date: 2014-04-16 00:00:00 GMT
* expire date: 2016-04-16 23:59:59 GMT
* issuer: C=US; O=Symantec Corporation; OU=Symantec Trust Network; CN=Symantec Class 3 EV SSL CA - G3
* SSL certificate verify ok.
Showfom
2014-10-18 10:02:36 +08:00
草 这样岂不是太恶心了 手机里的隐私联通岂不是直接拿去看了
Showfom
2014-10-18 10:03:41 +08:00
移动4G测试没问题 看来以后联通上网的时候要小心了
jasontse
2014-10-18 10:04:40 +08:00
@Showfom
主要还是钓浏览器,客户端不可能没有安全措施的。
qiuai
2014-10-18 10:48:01 +08:00
山东联通正常?
mtglichking
2014-10-18 11:00:20 +08:00
联通 3G 也没问题。

其实苹果应该不会被中间人攻击的……苹果与中国政府关系挺好的,现在比微软都强
binghe
2014-10-18 11:35:49 +08:00
win下有没有命令可以测试?
BinbinWang
2014-10-18 12:43:42 +08:00
* About to connect() to 23.59.94.46 port 443 (#0)
* Trying 23.59.94.46...
* connected
* Connected to 23.59.94.46 (23.59.94.46) port 443 (#0)
* successfully set certificate verify locations:
* CAfile: none
CApath: /etc/ssl/certs
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Server finished (14):
* SSLv3, TLS handshake, Client key exchange (16):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSL connection using AES256-SHA
* Server certificate:
* subject: C=cn; O=www.icloud.com; CN=www.icloud.com
* start date: 2014-10-04 10:35:47 GMT
* expire date: 2015-10-04 10:35:47 GMT
* issuer: C=cn; O=www.icloud.com; CN=www.icloud.com
* SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.
> HEAD / HTTP/1.1
> User-Agent: curl/7.26.0
> Accept: */*
> Host: www.icloud.com
>
* additional stuff not fine transfer.c:1037: 0 0
* HTTP 1.1 or later with persistent connection, pipelining supported
< HTTP/1.1 200 OK
HTTP/1.1 200 OK
< Server: Apache
Server: Apache
< Last-Modified: Tue, 16 Sep 2014 16:32:33 GMT
Last-Modified: Tue, 16 Sep 2014 16:32:33 GMT
< ETag: "5d35-503314c5d0a40"
ETag: "5d35-503314c5d0a40"
< Cache-Control: no-cache, no-store, private
Cache-Control: no-cache, no-store, private
< Expires: Sat, 18 Oct 2014 04:42:19 GMT
Expires: Sat, 18 Oct 2014 04:42:19 GMT
< Strict-Transport-Security: max-age=31536000; includeSubDomains
Strict-Transport-Security: max-age=31536000; includeSubDomains
< X-UA-Compatible: IE=Edge
X-UA-Compatible: IE=Edge
< X-Frame-Options: SAMEORIGIN
X-Frame-Options: SAMEORIGIN
< Content-Type: text/html; charset=utf-8
Content-Type: text/html; charset=utf-8
< Content-Language: en-us
Content-Language: en-us
< Date: Sat, 18 Oct 2014 04:42:19 GMT
Date: Sat, 18 Oct 2014 04:42:19 GMT
< Connection: keep-alive
Connection: keep-alive
* no chunk, no close, no size. Assume close to signal end

<
* Closing connection #0
* SSLv3, TLS alert, Client hello (1):
hjc4869
2014-10-18 12:46:55 +08:00
武汉电信打开正常。
virusdefender
2014-10-18 13:08:54 +08:00
青岛联通curl确实有,vpn之后就好了。但是浏览器打开没提示啊。
bearice
2014-10-18 13:12:57 +08:00
@virusdefender 因为你DNS解析出来的不一定是这个地址啊
yfdyh000
2014-10-18 13:36:36 +08:00
直接访问 https://23.59.94.46/ 查看证书是否自签名就知道了。北京联通重现。

不过,根据 http://alibench.com/rp/f5ea0ba25cbe95600d7cfb57aa4d47f2 测试,好像只有:
广东 中山 电信 0ms 23.59.94.46 [ 美国 ] 这一处的DNS会返回这个IP,其他98个都不是。
wyf88
2014-10-18 17:50:49 +08:00
这种问题现在越来越多了...是不是以后国外网站必须得全局挂VPN或者代理呢
siyanmao
2014-10-18 19:27:01 +08:00
深圳电信确认23.59.94.46被中间人

$ mtr -T --port 443 -n 23.59.94.46
My traceroute [v0.85]
siyanmao-k29 (0.0.0.0) Sat Oct 18 19:26:07 2014
Keys: Help Display mode Restart statistics Order of fields
quit Packets Pings
Host Loss% Snt Last Avg Best Wrst StDev
1. 192.168.1.1 0.0% 17 0.6 0.7 0.6 0.8 0.0
2. ------------ 0.0% 16 2.8 2.6 1.7 3.3 0.3
3. ------------- 0.0% 16 2.0 2.2 1.4 4.0 0.4
4. ???
5. 119.145.47.78 0.0% 16 6.4 7.7 4.3 27.0 5.2
183.56.65.54
183.56.65.50
119.145.47.74
121.34.242.250
121.34.242.138
6. 23.59.94.46 25.0% 16 168.5 171.4 166.8 201.3 9.4
zola
2014-10-19 09:00:35 +08:00
iCloud.com 的 https://23.48.140.239 和 https://23.13.186.46 这两个 iCloud 服务器上没有被替换证书。

但是直接访问 https://23.59.94.46/ ,在台湾没有被替换证书,换苏州联通的VPN后,证书被替换为自签名的证书。这况味着 iCloud 服务器在中国被人使用SSL中间人劫持,中国苹果用户隐私不保呀。
zola
2014-10-19 09:02:51 +08:00
icylord
2014-10-19 14:21:56 +08:00
curl https://23.59.94.46 -vk -H'Host: www.icloud.com' -I
* Rebuilt URL to: https://23.59.94.46/
* Hostname was NOT found in DNS cache
* Trying 23.59.94.46...

这咋回事? 深圳联通
gfgrgerg
2014-10-19 18:20:08 +08:00
南方电信返回 60.254.134.46 没问题

这是一个专为移动设备优化的页面(即为了让你能够在 Google 搜索结果里秒开这个页面),如果你希望参与 V2EX 社区的讨论,你可以继续到 V2EX 上打开本讨论主题的完整版本。

https://www.v2ex.com/t/139723

V2EX 是创意工作者们的社区,是一个分享自己正在做的有趣事物、交流想法,可以遇见新朋友甚至新机会的地方。

V2EX is a community of developers, designers and creative people.

© 2021 V2EX