Hacker News new | ask | show | jobs
by thedatamonger 106 days ago
$ dig vivianvoss.net A +short @ns11.infomaniak.ch.

78.46.78.181

$ curl -v https://vivianvoss.net/ 2>&1 | tail -3

* OpenSSL/3.0.13: error:0A00010B:SSL routines::wrong version number

* Closing connection

curl: (35) OpenSSL/3.0.13: error:0A00010B:SSL routines::wrong version number

$ curl -v http://vivianvoss.net/ 2>&1 | grep Location

< Location: https://www.safebrowse.io/warn.html?url=http://vivianvoss.ne...

$ whois 78.46.78.181 | grep -i netname

netname: HETZNER-RZ-NBG-NET

$ host 78.46.78.181

181.78.46.78.in-addr.arpa domain name pointer min2max.run.

The domain's authoritative nameserver (Infomaniak) points vivianvoss.net at 78.46.78.181 — a Hetzner box in Germany with rDNS min2max.run. That server redirects HTTP to SafeBrowse.io and responds to TLS handshakes with garbage. Not a local issue, not a DNS hijack — the A record itself is wrong.
1 comments
craftkiller 106 days ago
Hmm so oddly enough this works fine for me:

  $ curl -v https://vivianvoss.net/ 2>&1 | tail -3
        <script src="/assets/scripts/perf.js"></script>
    </body>
    </html>
And the logs show it is going to the same address:

  * Established connection to vivianvoss.net (78.46.78.181 port 443) from 172.16.245.55 port 36208
Any chance you're a comcast xfinity customer? Searching for safebrowse.io shows that xfinity "advanced security" does this whole redirect to safebrowse.io.

--

Unrelated, but the site also returns an AAAA record for an ipv6 address that does not work. So they've misconfigured their server in that regard.

  $ drill vivianvoss.net AAAA  @1.1.1.1
  [...]
  vivianvoss.net. 3600 IN AAAA 2a01:4f8:120:34ad::1
  [...]
  
  $ curl --header 'Host: vivianvoss.net' 'https://[2a01:4f8:120:34ad::1]:443'
  <hangs forever>

  $ curl https://ipv6.google.com
  <works immediately>
link
thedatamonger 106 days ago
Some further digging ...

-------

$ dig vivianvoss.net A +short @8.8.8.8

78.46.78.181

$ curl -v4 https://vivianvoss.net/ 2>&1 | grep -E "Connected|error"

* Connected to vivianvoss.net (78.46.78.181) port 443

* OpenSSL/3.0.13: error:0A00010B:SSL routines::wrong version number

$ curl -s https://ipinfo.io | grep org

"org": "AS7922 Comcast Cable Communications, LLC",

Same IP you're hitting, same port, but Comcast's xFi Advanced Security seems to be MITMing the connection before TLS completes.

I hate Comcast so much ...

link