Jump to content

Recommended Posts

Posted (edited)

I did this test:

 

https://www.trustprobe.com/fs1/download.php?appname=qmc.zip

The developer writes that the tool:

Quote

Use MITM Checker to determine if your system is currently under a MITM attack. The program will connect to a list of major websites and alert on any unknown or unusual certificates used in the SSL handshake.

It will detect obvious cases (such as interception by a local proxy, your employer's SSL inspection gateways, or a malware infection), as well as more advanced attacks (for instance, if the cert is valid but originates from an unusual organization/country).

The tool is a standalone, browser-independent application.

My result is 14 Handshake failure.

Can I get 0 Handshake failure?

 

Edited by Sampei.Nihira

Posted

Fourteen handshake failures here, as well, but does that matter much?  I would think that "Detections: 0" would be the important thing.

Posted

31 Handshake Failures 

1 Detection (Host: www.tinyurl.com; Root CA: UTN - DATACorp SGC)

Posted

3 handshake failures on Win 7. I'm guessing the tool uses Microsoft's schannel.dll. If so, ProxHTTPSProxyMII would probably reduce the number of handshake failures on XP.

Posted

It is interesting to note that in an XP system with outdated root CA the Handshake failure becomes about 58.

@BTTB

1 Detection (Host: www.tinyurl.com; Root CA: UTN - DATACorp SGC)

The developer writes that it is a false positive.

Posted
20 hours ago, BTTB said:

31 Handshake Failures 

1 Detection (Host: www.tinyurl.com; Root CA: UTN - DATACorp SGC)

Windows 7, same machine. Nothing.

Posted
19 hours ago, Mathwiz said:

3 handshake failures on Win 7. I'm guessing the tool uses Microsoft's schannel.dll. If so, ProxHTTPSProxyMII would probably reduce the number of handshake failures on XP.

That's weird, since on build 7601.24441.amd64fre.win7sp1_ldr.190418-1735 all of the handshakes have succeeded, along with the tinyurl root CA being valid (COMODO ECC Certification Authority). Using version 0.39b of the tool and my schannel.dll file version is 6.1.7601.24441

Posted

I ran it again on Win 7, to see which three failed. But I got zero handshake failures this time, so the failures must've been intermittent and/or server-side.

Posted
On 5/25/2019 at 2:55 PM, Mathwiz said:

I'm guessing the tool uses Microsoft's schannel.dll. If so, ProxHTTPSProxyMII would probably reduce the number of handshake failures on XP.

Zero handshake failures, sure enough; but naturally everything comes up ALERT since ProxHTTPSProxyMII is a MITM by design.

Posted

I made it run but it didn't even start. In task manager i see one process qmc.exe appearing and after 1 second disappearing by itself.

Is it a good sign?

Posted

That's strange; I just re-downloaded it and now it's not working for me either. Did the file get changed in the last few days?

It's not supposed to work that way. Should open a window, query the top 100 web sites, and the status of each should scroll up the window.

Posted
1 hour ago, Vistaboy said:

I made it run but it didn't even start. In task manager i see one process qmc.exe appearing and after 1 second disappearing by itself.

Is it a good sign?

The new version released today does not run on Windows XP.
I have already communicated this to the developer.

Posted
11 hours ago, Sampei.Nihira said:

The new version released today does not run on Windows XP.

... FWIW, v0.41b runs fine under Vista SP2 32-bit ;) ; previous v0.39b checked against 100 hosts, this newer version checks against 200 ! (0 detections in my system :P)

11 hours ago, Sampei.Nihira said:

I have already communicated this to the developer.

... Might be also worth to "communicate" the app's bugged GUI, at least in Vista :angry:: very elongated window, with no-way to resize, minimize and/or maximize...

R9kADZE.jpg

Posted (edited)

Just have rechecked the recently released v0.42b of the app on Windows 7 Enterprise build 7601.24441, and from the (updated) 200 hosts two of them had the ALERT result: Amazon and PayPal. Both of them shared the VeriSign Class 3 Public Primary CA - G5 Root CA with the thumbprint being "4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5".

Can someone recheck this version of the app to see if the same alert results will also be detected, just to be sure it's not a false alarm or something? Many thanks. Picrel below showing the results with the ALERT ones on the top.

image.thumb.png.bca5270738b1f609663ef469ea9b65b5.png

Edited by IntMD

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...