Remix.run Logo
jmclnx a day ago

Well the site does not present Texas in a good light. Their .gov site presents me with this. Looks like they need to worry about their own site instead of worrying about out of state sites.

>Warning: Potential Security Risk Ahead

> Firefox detected a potential security threat and did not continue to www.texasattorneygeneral.gov. If you visit this site, attackers could try to steal information like your passwords, emails, or credit card details.

Bender 18 hours ago | parent | next [-]

If you add this [1] function to your shell and do

    fp www.texasattorneygeneral.gov
What do you see? Do you get the same fingerprint? I get:

    Testing via IPv4:
    texasattorneygeneral.gov.
    104.18.152.79
    104.18.94.91
    sha1 Fingerprint=D7:6B:D1:D8:58:5B:16:4A:0B:D8:41:5F:FF:4E:DA:2F:FA:90:4F:4D
    sha256 Fingerprint=94:4F:66:36:A5:AA:AF:17:3A:FD:9C:B6:F0:79:95:17:62:1C:8A:B8:B3:44:61:DD:61:BB:C1:26:C6:77:4F:0F
    notBefore=Jul  4 12:45:24 2026 GMT
    notAfter=Oct  2 13:45:15 2026 GMT

    Testing via IPv6:
    texasattorneygeneral.gov.
    # ( no IPv6 here )
Are you by chance somehow going to the APEX of the domain? The cert is only signed for www, not alt names.

[1] - https://nochan.net/b/Text-Crap/function_fingerprint.sh

7 hours ago | parent | next [-]
[deleted]
jmclnx 16 hours ago | parent | prev [-]

This is what I get:

    Testing via IPv4:
    SHA1 Fingerprint=A3:27:99:AA:0A:21:D8:11:B1:86:6E:CC:3A:12:CA:EC:2E:ED:F6:DA
    SHA256 Fingerprint=0B:77:CB:2F:80:87:98:6B:A8:C3:75:E7:4B:BF:04:4E:C5:5A:CD:00:7A:78:E9:FD:32:2A:72:24:4D:B1:79:EF
    notBefore=Jul 17 03:19:04 2026 GMT
    notAfter=Oct 15 03:19:03 2026 GMT

    Testing via IPv6:
But the distro I am using is still on openssl v2, patched with recent updates
Bender 12 hours ago | parent | next [-]

The dates should be the same if we are looking at the same cert regardless of openssl version. Your output does not contain IP addresses. I suspect mjmas may be correct in that someone or something is performing a man in the middle attack.

Do you have a security proxy or a corporate VPN? Some corporate IT setups will route people through a stack of security devices that may or may not decrypt your traffic. In the past there have also be anti-virus applications that have acted as a man in the middle proxy.

Or worst case there could be malware on your machine. Either way you should figure that out before putting anything sensitive on that machine or logging into anything sensitive. Make a physical note of all the sites you have logged into and find a clean secure machine to change all the passwords starting with your email provider(s) as attackers can prevent password changes if your email access is locked out. If this is a corporate laptop call your security operations center.

The certificate transparency site keeps timing out for me but maybe it will eventually respond for you or your team. [1]

[1] - https://crt.sh/?q=www.texasattorneygeneral.gov

harshreality 7 hours ago | parent | prev [-]

try adding -issuer after -dates

the real one is issuer=C=US, O=Google Trust Services, CN=WE1

I hope you meant 1.0.2 or 3.2. There was never an openssl v2 release, so if that's what it's reporting, you have problems.

The program (unitary gigantic bash script) testssl.sh (github) can give you a thorough rundown on the ssl properties of whatever's MITMing you. The other possibility is that cloudflare is unusually serving you an alternate certificate and your ancient openssl and browser are both unable to handle whatever the presented cert algos/extensions are.

harshreality a day ago | parent | prev | next [-]

It's being served by cloudflare and gets A+ from ssllabs. Maybe there's something going on with your network or your browser's TLS support.

inigyou 19 hours ago | parent [-]

> served by cloudflare

Maybe that's the security threat. Cloudflare MITMs all traffic.

mjmas a day ago | parent | prev [-]

Perhaps you could take it up with your ISP or whoever is doing mitm?