ZenMate now MITMing connections

joepie91 Member, Patron Provider
edited September 2016 in General

Source:

For those who use ZenMate: you should be aware that they are now actively MITMing your connections, to show 'offers' (and do who knows what else):

What this means in practice, is that ZenMate is looking at your traffic and processing it in some way. Exactly how they are processing it is unclear and likely always will be, but one thing that is certain is that your traffic isn't private.

This really should not be possible at all, especially for things that use TLS. I'm unsure of the exact implementation, but there are a few ways this can be happening:

  1. ZenMate is generating fake certificates - either with the help of a Certificate Authority, or by installing a custom certificate on the user's system. Both are bad.
  2. ZenMate is stripping TLS connections where possible, and the service in question (Steam, apparently) doesn't use HSTS to enforce a TLS connection. I don't know whether this is the case.

Either way, this would be a good moment to stop using ZenMate, or really any kind of VPN or proxy. This post explains why. It's worth noting that every third-party proxy/VPN could be doing this without you knowing, it's just that there's now hard evidence for ZenMate doing so.

EDIT: Judging from the address bar on the screenshot, they are indeed stripping TLS. Very, very bad idea.

EDIT2: It seems Steam isn't enforcing TLS at all? I'm unclear on exactly how ZenMate deals with TLS when it's present, but given that almost every ecommerce place uses TLS, I can't imagine it doesn't try to circumvent it in some way... or the entire concept wouldn't work.

Comments

  • Is steam not using HSTS?

  • joepie91 Member, Patron Provider

    @teamacc said:
    Is steam not using HSTS?

    Seems not. I don't really know why.

  • joepie91 said: I don't really know why.

    To support the people using IE6..? :P

  • joepie91 Member, Patron Provider

    @karatekidmonkey said:

    joepie91 said: I don't really know why.

    To support the people using IE6..? :P

    IE6 would just ignore the HSTS header, though, so you don't need to disable HSTS for that. It's an opt-in header, meaning that if it's not present, it will not be applied.

    That's also why there's a "HSTS preload list" - normally, you'd have to be able to trust the first request to a service (over HTTP) to send you a HSTS header (since by default there won't be HSTS), and then your browser will remember that setting for the specified domain and duration.

    As a site operator, you can add your domain to a HSTS preload list, and that list is included in most of the major browsers, so that the browser knows to always use TLS even before it has ever talked to the server.
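The HSTS behaviour described in the post above (an opt-in header that the browser remembers for a domain and duration, a first visit that is unprotected unless the domain is on the preload list) can be checked mechanically. The following Python checker is an added example, not code from the thread or from any vendor it names: it parses a Strict-Transport-Security value the way RFC 6797 tells a browser to (a missing or invalid max-age means the header is ignored, so the site is in the same position as one that never sent it) and classifies a response's posture. The sample responses are constructed, and the preload threshold of one year is an assumption taken from the preload list's published submission requirements.

```python
"""Classify a site's HSTS posture from its response headers (added example)."""
from dataclasses import dataclass
from typing import Dict, Optional

# Assumption: the preload list requires at least a one-year max-age plus the
# includeSubDomains and preload directives. Adjust if the requirements change.
PRELOAD_MIN_MAX_AGE = 31536000  # seconds in one year


@dataclass
class HstsPolicy:
    max_age: int
    include_subdomains: bool
    preload: bool


def parse_hsts(value: str) -> Optional[HstsPolicy]:
    """Parse a Strict-Transport-Security header value per RFC 6797.

    Returns None when the value is invalid (no max-age, a non-numeric or
    duplicated max-age); browsers ignore such headers entirely, which is the
    same outcome as never sending one.
    """
    max_age = None
    include_subdomains = False
    preload = False
    for directive in value.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        name, _, raw = directive.partition("=")
        name = name.strip().lower()
        raw = raw.strip().strip('"')
        if name == "max-age":
            if max_age is not None or not raw.isdigit():
                return None  # duplicate or malformed max-age invalidates the header
            max_age = int(raw)
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
        # Unknown directives are ignored, as the RFC requires.
    if max_age is None:
        return None
    return HstsPolicy(max_age, include_subdomains, preload)


def hsts_posture(headers: Dict[str, str]) -> str:
    """Return one of: absent, malformed, cleared, trust-on-first-use, preload-eligible."""
    value = None
    for name, candidate in headers.items():
        if name.lower() == "strict-transport-security":
            value = candidate
            break
    if value is None:
        # Nothing stops a plain-http link from being followed: the only
        # protection is the browser's own behaviour, not the site's policy.
        return "absent"
    policy = parse_hsts(value)
    if policy is None:
        return "malformed"
    if policy.max_age == 0:
        return "cleared"  # max-age=0 tells browsers to forget the policy
    if (policy.preload and policy.include_subdomains
            and policy.max_age >= PRELOAD_MIN_MAX_AGE):
        return "preload-eligible"
    # Policy is learned from the first secure response and then remembered;
    # the very first visit is still unprotected.
    return "trust-on-first-use"


# Constructed sample responses, not captured from any real site.
SAMPLE_RESPONSES = {
    "no-header": {"Content-Type": "text/html; charset=utf-8"},
    "short-policy": {"Strict-Transport-Security": "max-age=15768000"},
    "malformed": {"Strict-Transport-Security": "includeSubDomains; preload"},
    "preload-ready": {"Strict-Transport-Security":
                      "max-age=63072000; includeSubDomains; preload"},
}


def classify_all() -> Dict[str, str]:
    """Classify every constructed sample; handy for a quick table."""
    return {name: hsts_posture(h) for name, h in SAMPLE_RESPONSES.items()}


if __name__ == "__main__":
    for name, verdict in classify_all().items():
        print(f"{name:14s} -> {verdict}")
```

Feed `hsts_posture` the headers of a real HTTPS response to see which of the thread's cases a site falls into; "absent" is the situation the post attributes to Steam, and "trust-on-first-use" is the default for a site that sets the header but has not been preloaded.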

  • @joepie91 said:
    Source:

    For those who use ZenMate: you should be aware that they are now actively MITMing your connections, to show 'offers' (and do who knows what else):

    What this means in practice, is that ZenMate is looking at your traffic and processing it in some way. Exactly how they are processing it is unclear and likely always will be, but one thing that is certain is that your traffic isn't private.

    This really should not be possible at all, especially for things that use TLS. I'm unsure of the exact implementation, but there are a few ways this can be happening:

    1. ZenMate is generating fake certificates - either with the help of a Certificate Authority, or by installing a custom certificate on the user's system. Both are bad.
    2. ZenMate is stripping TLS connections where possible, and the service in question (Steam, apparently) doesn't use HSTS to enforce a TLS connection. I don't know whether this is the case.

    Either way, this would be a good moment to stop using ZenMate, or really any kind of VPN or proxy. This post explains why. It's worth noting that every third-party proxy/VPN could be doing this without you knowing, it's just that there's now hard evidence for ZenMate doing so.

    EDIT: Judging from the address bar on the screenshot, they are indeed stripping TLS. Very, very bad idea.

    EDIT2: It seems Steam isn't enforcing TLS at all? I'm unclear on exactly how ZenMate deals with TLS when it's present, but given that almost every ecommerce place uses TLS, I can't imagine it doesn't try to circumvent it in some way... or the entire concept wouldn't work.

    Well, another fucking shitty money-making, privacy invasive piece of crap.

    Thanked by 1inthecloudblog
  • Are you sure this is not a plugin in the browser?

  • What kind of measures should be taken by a VPN company to provide its users with security? In other words, how can a VPN company assure its users about the safety of their info on its servers? What measures can a company take?

  • rm_ IPv6 Advocate, Veteran
    edited December 2016

    Needs some introduction as to what the actual fuck is "Zen Mate"

    Thanked by 2Janevski netomx
  • @rm_ said:
    Needs some introduction as to what the actual fuck is "Zen Mate"

    Popular chrome VPN/Proxy extension....used by many

  • @noaman said:

    @rm_ said:
    Needs some introduction as to what the actual fuck is "Zen Mate"

    Popular chrome VPN/Proxy extension....used by many

    If it's an extension, then it could be injecting these elements itself, and there is no need for tls magic. The same as how adblockers work.

    But, the image seems to be IE?

    Thanked by 1deadbeef
  • You get what you pay for.

  • @yomero said:
    But, the image seems to be IE?

    Firefox

    Thanked by 2yomero deadbeef
  • deadbeef Member
    edited December 2016

    I thought IE too :D I'm a Blink guy, what can I say...

  • @yomero said:

    @noaman said:

    @rm_ said:
    Needs some introduction as to what the actual fuck is "Zen Mate"

    Popular chrome VPN/Proxy extension....used by many

    If it's an extension, then it could be injecting these elements itself, and there is no need for tls magic. The same as how adblockers work.

    It's just like @yomero says. Extensions run at the document level, whatever has happened during transport is well over by that time. Very surprised @joepie mixed that - I read his post and took it at face value.

  • willie Member
    edited December 2016

    HSTS is a pain unless the info on the site is actually private. Python.org has HSTS enabled even though it's a completely innocuous informational site about a programming language. It also uses a StartSSL or maybe WoSign certificate which is bogus these days. I took WoSign and StartSSL out of my browser trust list and that makes it impossible to view Python.org through the browser (maybe I'll figure out some hacky workaround).

    I prefer the system where the browser pops an alert saying the cert is untrusted, giving the user the option of accepting what amounts to an insecure connection. Given that plenty of web sites are unencrypted http, it seems ok to decide to browse an https site without trusting the security.

  • Francisco Top Host, Host Rep, Veteran

    @willie - MITM yourself :D

    Francisco

    Thanked by 3netomx tmwc yomero
  • willie said: Python.org has HSTS enabled even though it's a completely innocuous informational site about a programming language. It also uses a StartSSL or maybe WoSign certificate which is bogus these days

    python.org uses a DigiCert EV cert, not WoSign or StartSSL.

  • Razza said: python.org uses a DigiCert EV cert, not WoSign or StartSSL.

    I see a startcom cert:

    $ openssl s_client -connect  python.org:443 -showcerts
    
    depth=2 C = IL, O = StartCom Ltd., OU = Secure Digital Certificate Signing, CN = StartCom Certification Authority
    verify return:1
    depth=1 C = IL, O = StartCom Ltd., OU = Secure Digital Certificate Signing, CN = StartCom Class 2 Primary Intermediate Server CA
    verify return:1
    depth=0 C = US, ST = Oregon, L = Beaverton, O = Python Software Foundation, CN = *.python.org, emailAddress = [email protected]
    verify return:1
    ...
    
    Thanked by 1Razza
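The openssl s_client output quoted in the post above shows the chain one line per depth, each followed by a "verify return" line. As an added example that is not part of the thread, the Python below parses that verification output into structured entries and flags issuers whose organisation is on a deny-list, so the "which CA actually signed this" question willie is asking can be answered by script rather than by eye. The sample input is a constructed copy of the chain quoted in the post (the leaf's e-mail attribute is omitted), and the deny-list contents are an assumption made for the example.

```python
"""Parse `openssl s_client` verify output and flag distrusted issuers (added example)."""
import re
from typing import Dict, List, Set

DEPTH_RE = re.compile(r"^depth=(\d+)\s+(.*)$")
VERIFY_RE = re.compile(r"^verify return:(\d+)$")
# Splits "C = IL, O = StartCom Ltd., CN = ..." on commas that start a new attribute,
# so values containing a period or a space survive intact.
DN_RE = re.compile(r"(\w+)\s*=\s*(.*?)(?=,\s*\w+\s*=|$)")


def parse_dn(dn: str) -> Dict[str, str]:
    """Turn the one-line DN format printed by s_client into a dict."""
    return {key: value.strip() for key, value in DN_RE.findall(dn)}


def chain_from_s_client(output: str) -> List[Dict]:
    """Extract (depth, subject, verify_ok) entries in the order s_client prints them."""
    lines = [line.strip() for line in output.splitlines()]
    entries = []
    for index, line in enumerate(lines):
        match = DEPTH_RE.match(line)
        if not match:
            continue
        verify_ok = False
        if index + 1 < len(lines):
            verify = VERIFY_RE.match(lines[index + 1])
            verify_ok = bool(verify) and verify.group(1) == "1"
        entries.append({
            "depth": int(match.group(1)),
            "subject": parse_dn(match.group(2)),
            "verify_ok": verify_ok,
        })
    return entries


def distrusted_issuers(chain: List[Dict], deny_orgs: Set[str]) -> List[str]:
    """Return the CN of every non-leaf certificate whose O is on the deny-list.

    Depth 0 is the server's own certificate; anything above it is an issuer.
    """
    return [
        entry["subject"].get("CN", "<no CN>")
        for entry in chain
        if entry["depth"] > 0 and entry["subject"].get("O") in deny_orgs
    ]


# Assumption: organisations this checker treats as distrusted. StartCom is
# listed because it is the CA the thread is discussing.
DENY_ORGS = {"StartCom Ltd."}

# Constructed sample: the chain quoted in the thread, e-mail attribute omitted.
SAMPLE_OUTPUT = """\
depth=2 C = IL, O = StartCom Ltd., OU = Secure Digital Certificate Signing, CN = StartCom Certification Authority
verify return:1
depth=1 C = IL, O = StartCom Ltd., OU = Secure Digital Certificate Signing, CN = StartCom Class 2 Primary Intermediate Server CA
verify return:1
depth=0 C = US, ST = Oregon, L = Beaverton, O = Python Software Foundation, CN = *.python.org
verify return:1
"""


def audit(output: str = SAMPLE_OUTPUT) -> Dict[str, object]:
    """Summarise a chain: leaf name, whether OpenSSL verified it, distrusted issuers."""
    chain = chain_from_s_client(output)
    leaf = next((e for e in chain if e["depth"] == 0), None)
    return {
        "leaf_cn": leaf["subject"].get("CN") if leaf else None,
        "verified": bool(chain) and all(e["verify_ok"] for e in chain),
        "distrusted": distrusted_issuers(chain, DENY_ORGS),
    }


if __name__ == "__main__":
    print(audit())
```

Pipe `openssl s_client -connect host:443 -showcerts </dev/null 2>&1` into `audit` to check a live host; note that "verified" only reflects the trust store OpenSSL was run against, which is why a chain can verify here and still be rejected by a browser that has removed the same root.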
  • William Member
    edited January 2017

    willie said: It also uses a StartSSL

    Removing that means you now also cannot access any website of over 1 million Gandi (French ISP, also hosts Python.org) customers anymore - they used StartCom as primary. They are also one of the largest hosting providers in Europe...

    joepie91 said: EDIT2: It seems Steam isn't enforcing TLS at all?

    Why would it? This would IMMEDIATELY break most of Steam in Kazakhstan, Saudi Arabia (not anymore? seems SSL mostly works now) and multiple other countries that enforce MITM or block SSL entirely.

    Profit wise it makes far more sense to NOT do this, you might not like it but Steam/Valve is a business, not a privacy protection company.

    Thanked by 1TarZZ92
  • Lol. You don't need to go farther than their website to figure out it's a scam.

    https://zenmate.com/ loads content from 5 different hosts, including google and the page is full of dirty javascript.

    Privacy for sure.

    Thanked by 1Janevski
  • cubedata Member, Patron Provider
    edited January 2017

    Here is what we use: my own VPN server that we built on my 2012 R2 server. It runs Microsoft's SSL VPN implementation and it works great.

  • willie said: I see a startcom cert:

    You're right, I was looking at www.python.org. Funny, www and python.org have two different SSL certs.
