Rojo31
join:2009-04-14
New York, NY

Rojo31

Member

Legit OpenDNS Cert?

Been on OpenDNS for years. Tried going to Chase bank as usual, same direct https way, nothing different. Safari and all browsers are now throwing a warning that the cert is not valid (see pic).

Is *.opendns.com legitimate? Seems weird beginning with an asterisk (?)

This is a first time occurrence. Should I be alarmed? Unsure whether to proceed...
Mele20
Premium Member
join:2001-06-05
Hilo, HI

Mele20

Premium Member

What is "wip-chase.chase.com"? That is weird looking. I tried to go there and got a domain does not exist error. I never go to chase.com directly though. I always go to chase online banking login site »chaseonline.chase.com/Logon.aspx and avoid the main site. I wouldn't trust such a weird looking address.

NetFixer
From My Cold Dead Hands
Premium Member
join:2004-06-24
The Boro
Netgear CM500
Pace 5268AC
TRENDnet TEW-829DRU

2 edits

1 recommendation

NetFixer

Premium Member

said by Mele20:

What is "wip-chase.chase.com"? That is weird looking. I tried to go there and got a domain does not exist error. I never go to chase.com directly though. I always go to chase online banking login site »chaseonline.chase.com/Logon.aspx and avoid the main site. I wouldn't trust such a weird looking address.

I also get an NXDOMAIN error for wip-chase.chase.com even when I used OpenDNS for the DNS server (just in case OpenDNS was for some reason returning a value when nobody else did).

Also the SSL cert I see for the url you posted, and for https://www.chase.com is from Verisign. It would be unusual for a bank (or any site) to use multiple vendors for SSL certs for different hostnames (although there is certainly no requirement for a company to use the same vendor for all of their sites).

I think that the OP is either being phished, or OpenDNS had some serious problems when the OP tried to go to the Chase site, or the OP has some serious malware or network config problem.

I guess it is possible that if the OP is using some of OpenDNS's site blocking features, this man in the middle attack approach might now be business as usual for OpenDNS. If so, they are going to quickly lose a lot of customers (or at least they should).
Mele20
Premium Member
join:2001-06-05
Hilo, HI

Mele20

Premium Member

I stopped logging into Chase online banking from their main site years ago when they first decided to put login on a NONsecure page. Yes, I know it is transmitted securely but I wish to login ONLY on what is a secure page to begin with! So, I spent one-half hour on their site finding the secure login page which Chase hid back then after they decided to have everyone login from the main Chase site which was not secure. After I found it (the url I posted), I called Chase online services to chew them out for hiding the secure login page. The tech said "we've been looking for that secure login page all day. Where did you find it"? That disgusted me even more.

I see now though by going to "www.chase.com" that Chase has seen the light finally and put their entire site behind SSL using a Verisign cert. So, I no longer need to use the Chase online banking url for login.

Ooooh! On second thought, I won't use the main Chase site for login. Look at Qualys reports! I'll continue to use the online banking login url which gets an A from Qualys while the main site page with login gets a C from Qualys.

Kryukova
@reserver.ru

Kryukova

Anon

Why do business with big evil banks? Choose a credit union.
Rojo31
join:2009-04-14
New York, NY

Rojo31 to Mele20

Member

to Mele20
This is the URL I always use to go to the Chase login page:
»chaseonline.chase.com/Lo ··· RBGLogon
Never a problem until yesterday.

Just now I changed DNS settings from OpenDNS to what my ISP auto-configures. Got a new IP address in the process.

Got the same warning as yesterday using my usual https login URL.

So now I tried the "A" rated URL in Mele20's post in my browser address window to get to Chase, and get this new cert warning (pic).

dandelion
MVM
join:2003-04-29
Germantown, TN

dandelion to Rojo31

MVM

to Rojo31
Not sure.. but this may have something to do with MS's certificate policy change as posted here: »Windows to stop trusting #SSL with keys less than 1024 bit

NetFixer
From My Cold Dead Hands
Premium Member
join:2004-06-24
The Boro
Netgear CM500
Pace 5268AC
TRENDnet TEW-829DRU

1 recommendation

NetFixer to Rojo31

Premium Member

to Rojo31
I suspect that you either have a malware problem or a network config problem on your PC. There should have been no reason for an invalid hostname or an opendns.com cert to show up when you were using OpenDNS, or for the Chase site to open up using an IP address instead of a hostname when using your ISP DNS servers.

I would suggest booting from a Linux ISO (pick your own flavor), and then see what happens when you try to access the Chase site. If you still have SSL certificate and/or obvious DNS problems, then I suggest connecting your PC directly to your modem (if possible) instead of going through a router, and testing again with the Linux ISO boot.
Frodo
join:2006-05-05

1 edit

Frodo to Rojo31

Member

to Rojo31
Doing some resolving, I find that using OpenDNS server 208.67.222.222:

c:\>nslookup wip-chase.chase.com 208.67.222.222
Server: resolver1.opendns.com
Address: 208.67.222.222

Non-authoritative answer:
Name: wip-chase.chase.com
Address: 67.215.65.132

If I use dns server 4.2.2.1, wip-chase.chase.com doesn't resolve.

So, I stuck the following entry in my hosts file
67.215.65.132 wip-chase.chase.com

When accessing wip-chase.chase.com, I get the same certificate as in the original post. Once allowed, I wound up on an openDNS guide page that displayed the following message: "You tried to visit wip-chase.chase.com, which is not loading."

So, I can replicate the first certificate issue.

As far as the second certificate error is concerned, the op accessed the site by IP address, 159.53.64.54 instead of by name. The mismatch is that the browser thinks the site name is "159.53.64.54" which is not specified in the certificate. The site needs to be accessed by the hostname. Also replicated.

OpenDNS returns an ip address for invalid domains. That's the problem. Don't see any evil-doing here.

-- Edit:
Why the op attempted to connect to wip-chase.chase.com in the first place, well, I can't help with that.
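
Added example (not part of the original thread or any poster's code): the name check a TLS client applies to a certificate, run against the two cases replicated above, a *.opendns.com certificate presented for wip-chase.chase.com and a site opened by the IP literal 159.53.64.54. The wildcard rule follows RFC 6125-style matching; the function names and the BANK_CERT name list are assumptions constructed for illustration.

```python
import ipaddress

def is_ip(name):
    """True if the requested name is an IP literal rather than a hostname."""
    try:
        ipaddress.ip_address(name)
        return True
    except ValueError:
        return False

def dns_name_matches(pattern, host):
    """'*' is honoured only as the entire left-most label and stands for
    exactly one label, so *.opendns.com never covers chase.com names."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) >= 3 and h[0] != "" and p[1:] == h[1:]
    return p == h

def check_name(requested, dns_names, ip_names=()):
    """Return (ok, reason) for the name typed in the address bar."""
    if is_ip(requested):
        want = ipaddress.ip_address(requested)
        if any(want == ipaddress.ip_address(i) for i in ip_names):
            return True, "matches an iPAddress entry"
        return False, "IP literal: dNSName entries are never compared to an IP"
    for pattern in dns_names:
        if dns_name_matches(pattern, requested):
            return True, "matches " + pattern
    return False, "no certificate name covers " + requested

# Name taken from the thread: the certificate shown was for *.opendns.com.
OPENDNS_CERT = ["*.opendns.com"]
# Constructed for illustration: a certificate naming only the bank hostname.
BANK_CERT = ["chaseonline.chase.com"]

if __name__ == "__main__":
    for requested, names in [
        ("wip-chase.chase.com", OPENDNS_CERT),   # first warning in the thread
        ("159.53.64.54", BANK_CERT),             # second warning: opened by IP
        ("chaseonline.chase.com", BANK_CERT),    # same site opened by hostname
        ("www.opendns.com", OPENDNS_CERT),       # what the wildcard is meant for
        ("a.b.opendns.com", OPENDNS_CERT),       # wildcard spans one label only
    ]:
        print(requested, "->", check_name(requested, names))
```
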
Rojo31
join:2009-04-14
New York, NY

Rojo31

Member

This is who "wip-chase" appears to be (pic).
Opinions greatly appreciated.

Couple of things...
1. I'm on a Mac (OSX 10.6.8), not a PC.
2. My browser always redirects to wip-chase, I don't choose to go there.
3. For months I've been on DNSCrypt/SSL for all browsing. Switching on and off it since yesterday has made no difference re Chase warnings (see prior posts).
4. Can't do the Linux thing but thanks for the suggestion.
5. Note I inputted "wip-chase.com" but search returns chase.com.
Thanks to all who are trying to help me figure this out.
Mele20
Premium Member
join:2001-06-05
Hilo, HI

Mele20

Premium Member

I did a Google search for "wip-chase.chase.com". I found a few entries so I tried to go to one of them on Fx. I got an error that Fx could not find the server. I did not get a domain does not exist error as I do if I try to go there directly not using a Google link.

What happens if you type in the link that I use? Does it also redirect you to "wip-chase"?

NetFixer
From My Cold Dead Hands
Premium Member
join:2004-06-24
The Boro
Netgear CM500
Pace 5268AC
TRENDnet TEW-829DRU

1 edit

NetFixer to Rojo31

Premium Member

to Rojo31
A whois only looks at the domain (in this case, chase.com). It does not look at the hostname at all. You can use a DNS lookup tool (such as nslookup) to validate specific hostnames and IP addresses.

Here is a sample of me looking up your wip-chase.chase.com hostname using first a Comcast DNS server, then an OpenDNS server (through my Comcast connection which is registered with OpenDNS and will produce a proper NXDOMAIN response). Then I go through my AT&T 3G connection using the OpenDNS server (which produces a bogus NXDOMAIN response to simulate what you probably saw). Then I show that the IP address returned by OpenDNS for their bogus NXDOMAIN response is in fact their bogus NXDOMAIN site.

C:\>nslookup wip.chase.chase.com 75.75.75.75
Server:  cdns01.comcast.net
Address:  75.75.75.75
 
*** cdns01.comcast.net can't find wip.chase.chase.com: Non-existent domain
 
C:\>nslookup wip.chase.chase.com 208.67.222.222
Server:  resolver1.opendns.com
Address:  208.67.222.222
 
*** resolver1.opendns.com can't find wip.chase.chase.com: Non-existent domain
 
C:\>use-att
 
C:\>nslookup wip.chase.chase.com 208.67.222.222
Server:  resolver1.opendns.com
Address:  208.67.222.222
 
Non-authoritative answer:
Name:    wip.chase.chase.com.dcs-net
Address:  67.215.65.132
 
C:\>nslookup 67.215.65.132
*** Can't find server name for address 192.168.9.10: Non-existent domain
DNS request timed out.
    timeout was 2 seconds.
*** Can't find server name for address 172.18.145.103: Timed out
*** Default servers are not available
Server:  UnKnown
Address:  192.168.9.10
 
Name:    hit-nxdomain.opendns.com
Address:  67.215.65.132
 
 
Rojo31
join:2009-04-14
New York, NY

Rojo31

Member

Here is the sequence. See browser URLs.
1. Usual secure login page. Enter ID/pw
2. Instead of account info it goes here. Gotten this in the past.
3. After clicking on "Learn more" up pops the alert
4. Clicked Show Certificate
5. Back to #2 and click next. Wants to email or call me with code (has my correct info).

Note: None of this is new to me. Chase seems to want to periodically reverify me. What is new are the questionable certs. They are the only reason I'm not proceeding as I've done in the past.

Mele, tried your suggestion. It takes me to the usual OpenDNS query page when it can't resolve a domain.