First I resolved GitHub's IP:
> nslookup github.com 8.8.8.8
Server: dns.google
Address: 8.8.8.8
Name: github.com
Address: 13.229.188.59
There is nothing wrong with this IP: it belongs to Amazon in Singapore, presumably a CDN.
Then I tested the certificate:
$ openssl s_client -showcerts -servername github.com -connect 13.229.188.59:443
CONNECTED(00000005)
depth=1 C = CN, ST = GD, L = SZ, O = COM, OU = NSP, CN = CA, emailAddress = [email protected]
verify error:num=19:self signed certificate in certificate chain
---
Certificate chain
0 s:C = CN, ST = GD, L = SZ, O = COM, OU = NSP, CN = SERVER, emailAddress = [email protected]
i:C = CN, ST = GD, L = SZ, O = COM, OU = NSP, CN = CA, emailAddress = [email protected]
(omitted...)
That's the weird certificate with the QQ number.
Next I tried a Cloudflare IP (GitHub does not use Cloudflare's CDN):
$ host v2ex.com
v2ex.com has address 104.20.9.218
v2ex.com has address 104.20.10.218
v2ex.com has IPv6 address 2606:4700:10::6814:ada
v2ex.com has IPv6 address 2606:4700:10::6814:9da
Same certificate test, with SNI set to github.com; this one is not hijacked:
$ openssl s_client -showcerts -servername github.com -connect 104.20.9.218:443
CONNECTED(00000005)
depth=2 C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO ECC Certification Authority
verify return:1
depth=1 C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO ECC Domain Validation Secure Server CA 2
verify return:1
depth=0 CN = ssl509603.cloudflaressl.com
verify return:1
---
Certificate chain
0 s:CN = ssl509603.cloudflaressl.com
i:C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO ECC Domain Validation Secure Server CA 2
-----BEGIN CERTIFICATE-----
(omitted...)
What do you all make of this?
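An added example, not the poster's code: a small parser that classifies `openssl s_client` transcripts like the two above, so the same IP can be probed with several SNIs and compared mechanically. The sample transcripts are abridged from this post; the verdict labels are my own.

```python
# Added example (not from the thread): parse the output of
# `openssl s_client -showcerts -servername <sni> -connect <ip>:443` and decide
# whether the chain for that IP+SNI was trusted, trusted for another name, or rejected.
import re
HIJACKED = """CONNECTED(00000005)
depth=1 C = CN, ST = GD, L = SZ, O = COM, OU = NSP, CN = CA, emailAddress = [email protected]
verify error:num=19:self signed certificate in certificate chain
---
Certificate chain
 0 s:C = CN, ST = GD, L = SZ, O = COM, OU = NSP, CN = SERVER, emailAddress = [email protected]
   i:C = CN, ST = GD, L = SZ, O = COM, OU = NSP, CN = CA, emailAddress = [email protected]
"""
CLEAN = """CONNECTED(00000005)
depth=2 C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO ECC Certification Authority
verify return:1
depth=1 C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO ECC Domain Validation Secure Server CA 2
verify return:1
depth=0 CN = ssl509603.cloudflaressl.com
verify return:1
---
Certificate chain
 0 s:CN = ssl509603.cloudflaressl.com
   i:C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO ECC Domain Validation Secure Server CA 2
"""

def _cn(dn):
    m = re.search(r"\bCN\s*=\s*([^,]+)", dn)
    return m.group(1).strip() if m else ""

def assess(output, sni):
    """Classify one s_client transcript taken against a single IP with one SNI."""
    errors = re.findall(r"^verify error:(.*)$", output, re.M)
    depths = {int(d) for d in re.findall(r"^depth=(\d+)", output, re.M)}
    leaf = re.search(r"^\s*0 s:(.*)\n\s*i:(.*)$", output, re.M)
    subject, issuer = (leaf.group(1), leaf.group(2)) if leaf else ("", "")
    leaf_cn = _cn(subject)
    # Name match is informational only: a CDN edge may legitimately answer an
    # SNI it does not host with a trusted cert for another name (the Cloudflare run).
    name_ok = leaf_cn == sni or (leaf_cn.startswith("*.") and sni.endswith(leaf_cn[1:]))
    if errors:          # untrusted / self-signed chain: the MITM signature seen above
        verdict = "intercepted"
    elif not depths:    # no certificate at all (handshake refused or no TLS answer)
        verdict = "no-certificate"
    elif not name_ok:   # trusted chain, but issued for some other hostname
        verdict = "verified-other-name"
    else:
        verdict = "verified"
    return {"verdict": verdict, "errors": errors, "leaf_cn": leaf_cn,
            "issuer_cn": _cn(issuer), "chain_length": len(depths)}
```

Running the same IP with a non-github SNI and feeding that transcript to `assess` is the control test suggested further down in the thread: an SNI-selective layer-7 interceptor yields "intercepted" only for the targeted name.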
1
TrustTheBoy 2020-03-27 11:12:40 +08:00
There is definitely something fishy about this.
2
westjt 2020-03-27 11:17:32 +08:00
Hmm, so it looks like a fixed hijack aimed at a fixed target IP.
3
7654 2020-03-27 11:19:29 +08:00 1
I'm wondering whether V2+TLS+WS is still safe, given that they went after GitHub of all things.
4
fuchunliu 2020-03-27 11:28:42 +08:00 via Android
Why did access get faster?
5
pdfgo 2020-03-27 11:32:06 +08:00 1
Sigh, forced to learn networking again. Exhausting.
7
MeteorCat 2020-03-27 11:35:46 +08:00 via Android
Accessing github now times out.
8
ZRS 2020-03-27 11:37:12 +08:00 via iPhone
@imn1 Everything hosted on github pages has been hit, including cython.org and others.
9
AoTmmy 2020-03-27 11:41:48 +08:00 via Android
Your plain DNS over port 53 to 8.8.8.8 is probably hijacked; at least test with a DoH resolver.
12
Hpp19 2020-03-27 11:45:27 +08:00
clone feels faster
13
villivateur OP @AoTmmy No, the IP is fine.
15
yason 2020-03-27 13:01:18 +08:00
The IP is fine, yet the response is fake data from another server. Does this look like BGP hijacking?
17
AoTmmy 2020-03-27 13:30:06 +08:00 via Android
@villivateur But have you tried an IP resolved from abroad? You used 8.8.8.8, yes, but this IP came from a domestic hijack. Control your variables 🐶
18
mason961125 2020-03-27 13:32:00 +08:00
RFC 5575 - Dissemination of Flow Specification Rules https://tools.ietf.org/pdf/rfc5575.pdf
19
shansing 2020-03-27 13:44:41 +08:00
Maybe it's just a layer-7 hijack against specific IPs? You should send a non-github SNI to 13.229.188.59:443 to rule that out.
20
villivateur OP @shansing Indeed. But it has recovered now, so I can no longer test it.
21
Andy00 2020-03-27 14:51:15 +08:00
@villivateur 8.8.8.8 is already hijacked in many places; provincial-level nodes simply answer the DNS query first.