1

For a few weeks now, a pop-up window has appeared (sometimes) after start-up of my Ubuntu 16.4 system; see this picture: [image of pop-up window entitled "Untrusted certificate"]

The title in the window bar says: "Untrusted certificate". The 1st line in the window says: "Cannot safely/securely connect to ....". The company to which ...stackstorage.com belongs, says that it does not use this certificate, and that from their perspective everything is okay. They say that my system might be under MITM-attack. I have no idea what to do (and what the danger is). Please help!

(I don't use a VPN; my ISP is Ziggo (Netherlands); according to my router, the IPv4 DNS servers are 89.101.251.228 and 89.101.252.229.)

2 Answers

1

Checking the hostname on mxtoolbox and ssltools.digicert confirms it's down the chain from Chunghwa...

One of its SANs is hntp1.hinet.net / 168.95.192.1 (dnslytics)

Small extract from 2009 (not mine):

The Hinet.net domain belongs to Chunghwa Telecom Co., Ltd. According to Spamhaus.org (very authoritative), Chunghwa a/k/a Hinet is the #4 spammer service company in the world. Like most Asian phone companies, they take nationalistic pride in ignoring complaints from the West. (Mainland China and South Korea are equally imperious, and Viet Nam is even worse.) So lots of email systems in the West are blocking Hinet. It is not to make a political statement. We know Hinet does not care, and does not take protesters seriously. It is a simple mechanical defense against the ongoing spam attack by Hinet's spammers.

I advise you to check the certificate stores for each browser you have installed; these are separate from where you would usually find certs in /etc/ssl/...

Wiper
  • 91
  • Thanks for this information (this encourages me to be careful)! However, I still do not know what to do. – Maarten Fokkinga Apr 15 '20 at 15:25
  • Can you find any certificates on your system containing the domain? https://askubuntu.com/q/1129300/529627 – Wiper Apr 15 '20 at 16:08
  • What service causes this error? Maybe you should search the logs for some kind of SSL exception. – Wiper Apr 15 '20 at 18:33
  • I did the awk-command from the suggested askubuntu.com/q/1129300/529627 and in its output the following line occurs: subject= /C=TW/O=Chunghwa Telecom Co., Ltd./OU=ePKI Root Certification Authority

    I did not find any occurrences of hinet in the output. Also, I did not find any occurrences of either Chunghwa or hinet in /etc/ssl/certs and /usr/share/ca-certificates/mozilla/

    – Maarten Fokkinga Apr 15 '20 at 18:48
  • I have no idea how to "search the logs for some kind of SSL exception". I will try to Google for a suggestion. – Maarten Fokkinga Apr 15 '20 at 18:51
  • In this mozilla.dev.security.policy post you can see 'Chunghwa Telecom eCA Root Inclusion Request' under the hinet.net alias being denied.

    https://groups.google.com/forum/#!msg/mozilla.dev.security.policy/W4VK1JPgiZA/8pCsp9D-AwAJ

    – Wiper Apr 15 '20 at 19:00
  • https://bugzilla.mozilla.org/show_bug.cgi?id=1532436

    There is an ongoing discussion about 'Chunghwa Telecom' in the Mozilla (Bugzilla) forum, specifically about the misused certificates and their status as an eCA. Currently they are not in the CA EV list for Mozilla.

    If you can find and remove the cert from your system, that should be enough. If it reappears and you want to block them specifically as a CA from issuing another cert, you would need to do so from your own DNS server using CAA lines https://en.wikipedia.org/wiki/DNS_Certification_Authority_Authorization.

    – Wiper Apr 15 '20 at 19:15
  • I found in my browser Firefox a window with the following title (translated from Dutch): "You have archived certificates that identify the following certificate authorities" and in the list there occurs this one: "Chunghwa Telecom Co., Ltd. (ePKI Root Certification Authority --- Builtin Object Token)". Should I select this item and press Delete? (If so, should I formulate this action as a/the answer to my question?) – Maarten Fokkinga Apr 15 '20 at 20:42
  • 1
    I'd think deleting the archived cert is a good idea; you can consider it an answer if the error doesn't come back! – Wiper Apr 15 '20 at 21:29
0

Following @Wiper, I deleted in Firefox > Preferences > Privacy & Security > Certificates > View Certificates... > tab Authorities the certificate authority Chunghwa Telecom Co., Ltd. (ePKI Root Certification Authority --- Builtin Object Token). Also, I have reset my modem/router to factory settings, since the internet connection in our house was broken several times a day.

These two together seemed sufficient: no problems anymore. (But now I've also done a fresh install of Ubuntu 20.04.)
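
The check suggested in the comments above (looking for certificates on the system that mention a given name) can be done without external tools. This is an added example, not part of the original thread: it lists every certificate in a PEM bundle whose issuer or subject contains a search string. The function names are hypothetical, the default path is assumed to be the Debian/Ubuntu system bundle, and browser stores such as Firefox's are separate and not read by it.

```python
import base64
import re
import sys

PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def tlv(buf, pos):
    """Read one DER element at pos; return (tag, contents, next_pos)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def children(contents):
    """Split the contents of a constructed element into (tag, contents) pairs."""
    out, pos = [], 0
    while pos < len(contents):
        tag, val, pos = tlv(contents, pos)
        out.append((tag, val))
    return out

def name_strings(name):
    """Attribute values (C, O, OU, CN, ...) of an X.509 Name, as text."""
    return [children(atv)[1][1].decode("utf-8", "replace")
            for _, rdn in children(name) for _, atv in children(rdn)]

def issuer_and_subject(der):
    """Return (issuer, subject) attribute lists of one DER certificate."""
    cert = tlv(der, 0)[1]
    tbs = children(children(cert)[0][1])
    if tbs[0][0] == 0xA0:  # skip the optional [0] version field
        tbs = tbs[1:]
    # remaining order: serial, signature alg, issuer, validity, subject, ...
    return name_strings(tbs[2][1]), name_strings(tbs[4][1])

def find_ca(pem_bytes, needle):
    """Subjects of all certificates whose issuer or subject mentions needle."""
    hits = []
    for m in PEM_RE.finditer(pem_bytes):
        issuer, subject = issuer_and_subject(base64.b64decode(m.group(1)))
        if any(needle.lower() in s.lower() for s in issuer + subject):
            hits.append(", ".join(subject))
    return hits

if __name__ == "__main__":
    # Assumed default: the Debian/Ubuntu system bundle; pass another PEM file as argv[2].
    needle = sys.argv[1] if len(sys.argv) > 1 else "Chunghwa"
    path = sys.argv[2] if len(sys.argv) > 2 else "/etc/ssl/certs/ca-certificates.crt"
    with open(path, "rb") as fh:
        print("\n".join(find_ca(fh.read(), needle)) or "no match")
```

Run it with the search string as the first argument and, optionally, a PEM file as the second.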