Products > Computers

To the Linux Gurus - Problems with HSTS in Firefox

(1/5) > >>

Black Phoenix:
Well, I already talked with my VPN provider (the dared NordVPN) but their own solution is to test somethings that I especially tested already and shown in the original mail  :palm:.

The problem is the following:

Since the October crackdown on server from China, all IPs from the NordVPN servers were blocked. After two weeks they got a solution using the OpenVPN app instead of their own app. It always happen with the OpenVPN on Linux but I remember having the same problem sometimes after 20:00 in China with the NordVPN app before the crackdown, where the speed to the servers located outside of Mainland China gets really trottled (we are talking from using my full bandwidth to less that 800kps. For what I know is a problem of the links outside in the 3 exit points in China - Shanghai, Beijing and Shenzhen not had been upgraded for years).

Sometimes when connecting via Windows and constantly when connected via Linux I get the following message on Firefox:



Other times I get this:



It's the Google address but under it it shows that Facebook detected a problem (?????).

That only happens in websites that use specifically HSTS as authentication, or HTTP Strict Transport Security. Websites as google.com, youtube.com and amazon.com to say some.

On Windows the problem mostly never happens because my Antivirus suite, Kaspersky Small Office Security signs the certificate authenticity:



But the problem is persistent on Linux, it always fail during the TLS handshake. I tried changing the following parameters on the Firefox about:config without success in the end result:

security.tls.version.max from 4 to 2 or even 1, nothing
network.proxy.proxy_over_tls from true to false same thing, nothing

The OpenVPN files were edited to add the option block-outside-dns, but that option is a Windows only, in Linux the OpenVPN app as soon as it catches that like it stops loading the file with a Fatal Error message.

The reality is that when checking for DNS Leak, the Windows perform a lot better than the Linux one:

Windows 10 1903


Fedora 30 Workstation 5.3.7-200.fc30.X86_64


How can I solve this problem on Linux using the OpenVPN app? If more info is needed please ask for it.

I wanted a rude username:
Hope I'm wrong, but it looks like something is MITMing your connection, and Kaspersky is hiding this from you. But maybe that is just the nature of the OpenVPN app.

Personally I would never trust a certificate authority other than those on Mozilla's list. Including especially those of corporate firewalls.

The Great Firewall of China does traffic analysis based on machine learning algorithms. It can't see into your TLS sessions, but it can see the data flows, and stochastically matches them to known VPN data flows. VPN connections work for some time, but then it throttles them.

The surest way around the problem (other than, of course, leaving the country) is to use an obfuscating algorithm, such as TorBrowser's obfs4. This distorts the data flows to fool the traffic analysis. Not guaranteed, but the best tool you have.

Edit: The forum software is broken and can't handle the correct link. This one should work, after a redirect.

Black Phoenix:

--- Quote from: I wanted a rude username on October 30, 2019, 06:47:50 am ---Hope I'm wrong, but it looks like something is MITMing your connection, and Kaspersky is hiding this from you. But maybe that is just the nature of the OpenVPN app.

Personally I would never trust a certificate authority other than those on Mozilla's list. Including especially those of corporate firewalls.

The Great Firewall of China does traffic analysis based on machine learning algorithms. It can't see into your TLS sessions, but it can see the data flows, and stochastically matches them to known VPN data flows. VPN connections work for some time, but then it throttles them.

--- End quote ---

It doesn't surprise me that this is the cause but in reality in Windows it's running better than using the app from NordVPN when it worked. Even at night I'm able to have reasonable speeds, slow but not as slow as I said in the second paragraph. So the servers are from the same provider, but the apps to access are different, and from what I see, if I'm able to configure it better It doesn't look like I will keep using the NordVPN app in the future since I don't have to constantly shutdown the connection and reconnect to the same server to get a increase of speed or when the app simply makes my traffic crawl without any reason whatsoever.


--- Quote from: I wanted a rude username on October 30, 2019, 06:47:50 am ---The surest way around the problem (other than, of course, leaving the country) is to use an obfuscating algorithm, such as TorBrowser's obfs4. This distorts the data flows to fool the traffic analysis. Not guaranteed, but the best tool you have.

Edit: The forum software is broken and can't handle the correct link. This one should work, after a redirect.

--- End quote ---

The TorBrowser is just for web browsing, it doesn't include other kinds of traffic that I use, it doesn't create a virtual network adapter. Nor without installing a pfSense or similar machine to control all my traffic outside via the onion. It solves part of the problem but then other kind of access in terms of traffic that I may need stops working as it is working now.


--- Quote from: blueskull on October 30, 2019, 07:53:30 am ---Use ExpressVPN instead. It's been working for me consistently, including around the two meetings, and around June 4th.

--- End quote ---

Probably what I had should have done instead of buying 3 years of NordVPN last December in preparation to come here. Sorry but since I have a signature with still 2 years remaining, I prefer to keep using it and not waste the money spend. I prefer to try to understand what I have misconfigured on the Linux part. Specially when both DNS leaking tests report something different.

Again as I told, when before September the NordVPN app was connecting to the servers in question I never had this problem with the TLS handshakes. So definitely something regarding the DNS Spoofing/Poisoning/highjacking done by the GFW analysis of traffic.

https://www.crowdstrike.com/blog/cyber-kung-fu-great-firewall-art-dns-poisoning/
https://en.greatfire.org/faq/what-does-dns-poisoning-mean

A note from the last link:

--- Quote ---TLS (SSL) certificate filtering

This time GFW knows you are using encryption to evade censorship and has decided to censor your certificate which is sent in plain text before an encryption tunnel is established. Two counter measures as before: 1. Because your certificate is completely free and assigned automatically by robots, there's nothing stopping you from changing it constantly as the filtering list of TLS (SSL) certificates updates rarely 2. Use CloudFlare's SSL option. CloudFlare replied to me that multiple sites may use the same certificate. Each site needs to have its own subject alternate name (SAN) and  the common name can be a variation of SSL#.cloudflare.com. So as in the case of IP addresses, GFW can't filter your certificates without blocking a bunch of innocent sites. (Again that didn't stop them before. They could block SSL connections of a bunch of sites and then filter only your domain. With this method other sites could be reached via http only.)
--- End quote ---

OwO:
If you have a VPS you can try SSH port forwarding. After you SSH into the server run "top" to keep the connection from becoming idle (long running idle connections get killed). Other than that openvpn on a VPS also seems to work well. I wouldn't touch commercial VPN services because these are under constant watch by the CCP since laymen can easily access them. Remember the purpose of the GFW isn't to keep everyone out, it's to keep the average joe from reading random fake news/populist propaganda. Tools with higher barrier of entry or only accessible to the technically inclined will not get targeted. SSH is safe for now until commercial VPN services start using it too.

OwO:
As to speed, it usually isn't throttling but just congestion. All websites outside of china are slow after 5-6pm (and often in the afternoon too) even on plain HTTP. There *are* ways around it that I'm sure the commercial services/proprietary protocols do, which is to simply use UDP with aggressive retransmit/congestion control. TCP is very "polite" on the network and will back off the transmit rate as soon as there is any packet loss, and you can easily get a "bigger slice of the pie" by simply not backing off your transmit rate as easily and dealing with the packet loss. That may be one of the reasons they are blocking these VPN services but not targeting openvpn as much.

EDIT: when I say slow I'm talking 20-30KByte/s (150-200Kbit/s).

Navigation

[0] Message Index

[#] Next page

There was an error while thanking
Thanking...
Go to full version