OK, I've just watched Moxie Marlinspike from 2009:
thoughtcrime.org/software/sslstrip
It was a clean offline install of SL6; as soon as ifup exited, the connect script attempted to connect openvpn. I didn't copy the ...messages output unfortunately. On the second attempt it connected. Immediately followed with yum update: yum didn't attempt to synchronize with the repos, it just went straight to a download of a file named 'java-security...' which was 70% complete when it started (leaving me sitting there wondering what was happening). Yum finished the download and immediately reported something hadn't checked (in future I will religiously log all these errors!). It made a second attempt which started from 0% and didn't take as long as the first attempt, which yum again rejected; yum did this approx. 4 times in total. The second time I ran yum update it behaved normally, as you would expect.
I've had continuous instances of the hacks Moxie describes for over a year now, so I think it is more or less certain this is a MITM type hack. I've also had an SSL certificate error from one site (a Verizon cert. I think; the site was the local Police authority crime report form), and that is with the current install. However, with this current install none of the usual hacks have repeated (i.e., since tightening up the connect script). I am at this point anyway not sure what to do! Should I go mobile wireless!?
The main question I have at the moment is where could the data possibly be intercepted? A clean install, in a room with the door bolted behind me. This is a normal household Internet connection, I'm not using wifi (ethernet to the router), though I have a wifi router (could this have been compromised, and if so would it result in this problem?), which is connected to the Internet through a cable provider (Virgin cable). I can inspect the telecoms cable OK to the point it is in the ground.
The website this brought down btw was libraryweb.info (Library Web (UK)), I'm not a Unix admin. so this is all new territory.
---------- Post updated 18-04-11 at 11:08 AM ---------- Previous update was 17-04-11 at 08:42 PM ----------
Regarding the Police website and the rejected certificate. I was testing Konqueror 4.4.3, the same webpage however works fine with Firefox 3.6.3 (the cert. is accepted as valid).
I am, though, able in Konqueror to open the secure login page on the verisign website, validated with a VeriSign certificate. So Konqueror is rejecting the VeriSign cert. on the Police website, but not on the actual verisign website itself.
Note if I accept the rejected certificate, when the page loads it is very sluggish; I find myself typing a few words before they actually appear in the text box (i.e., the display of the text being typed takes a second or two to catch up; this does not happen on any other web page). Also when I submit the page, it briefly (for a half second) reloads and redisplays itself positioned at the top of the page (not at the bottom where the submit button is), before displaying the acknowledgment of receipt page.
Also, I accepted the rejected cert. and submitted a crime report, and I'm confirming this now, but at this point it doesn't look as though the Police actually received the crime report sent through to them (i.e., it didn't arrive).
merseyside.police.uk/index.aspx?articleid=2812 (page reporting the rejected cert.)
merseyside.police.uk/index.aspx?articleid=1646 (the linking page)
Screenshots of the certificate and chain attached.
Slackware 13 VirtualBox VM (default network interface, not a bridge) with SL6 host (OpenVPN connection to the Internet).
Is it a case of MITM passing most traffic through but listening for crime reports sent using the Police website?
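The "hadn't checked" / re-download loop described in the first post is yum rejecting a package whose digest does not match the one promised by the repository metadata (the `<checksum>` entries in primary.xml). The following is an added example, not the poster's code and not yum's own implementation: it parses a constructed primary.xml fragment, hashes a constructed package body, and re-fetches until a copy verifies, logging each rejected copy. The package path and the package body are hypothetical; the checksum type, namespace and element layout follow the createrepo metadata format.

```python
import hashlib
import hmac
import xml.etree.ElementTree as ET

# Namespace used by createrepo-style primary.xml metadata.
NS = {"c": "http://linux.duke.edu/metadata/common"}

# Constructed sample package bodies (not real RPMs): one intact, one altered.
GOOD_PKG = b"constructed-demo-package-body"
TAMPERED_PKG = b"constructed-demo-package-body-with-extra-bytes"

PKG_HREF = "Packages/java-security-demo-1.0.noarch.rpm"  # hypothetical path

# Constructed primary.xml fragment carrying the digest of the intact package.
PRIMARY_XML = f"""<metadata xmlns="http://linux.duke.edu/metadata/common" packages="1">
  <package type="rpm">
    <name>java-security-demo</name>
    <checksum type="sha256" pkgid="YES">{hashlib.sha256(GOOD_PKG).hexdigest()}</checksum>
    <location href="{PKG_HREF}"/>
  </package>
</metadata>
"""


def parse_expected_checksums(primary_xml):
    """Return {location href: (checksum type, expected hex digest)}."""
    root = ET.fromstring(primary_xml)
    expected = {}
    for pkg in root.findall("c:package", NS):
        checksum = pkg.find("c:checksum", NS)
        location = pkg.find("c:location", NS)
        expected[location.get("href")] = (checksum.get("type"), checksum.text.strip())
    return expected


def verify_download(data, href, expected):
    """True only if the downloaded bytes hash to the digest the metadata promised."""
    algo, want = expected[href]
    got = hashlib.new(algo, data).hexdigest()
    # Constant-time compare; avoids leaking how many leading hex chars matched.
    return hmac.compare_digest(got, want)


def fetch_with_retries(fetcher, href, expected, max_attempts=4):
    """Mimic a package manager that re-downloads until the checksum verifies.

    Returns (verified, attempts_used). Every rejected copy is worth logging:
    a flaky mirror is one explanation, an altered download is another.
    """
    for attempt in range(1, max_attempts + 1):
        data = fetcher(href)
        if verify_download(data, href, expected):
            return True, attempt
        print(f"attempt {attempt}: checksum mismatch for {href}, discarding copy")
    return False, max_attempts


def make_flaky_fetcher(bad_copies):
    """Constructed fetcher: serves `bad_copies` altered downloads, then the intact one."""
    served = {"n": 0}

    def fetch(_href):
        served["n"] += 1
        return TAMPERED_PKG if served["n"] <= bad_copies else GOOD_PKG

    return fetch


if __name__ == "__main__":
    expected = parse_expected_checksums(PRIMARY_XML)
    ok, attempts = fetch_with_retries(make_flaky_fetcher(2), PKG_HREF, expected)
    print(f"verified={ok} after {attempts} attempt(s)")
```

The digest check is only as trustworthy as the metadata it comes from: if the repository is fetched over plain HTTP, a party on the path could rewrite both the package and primary.xml. That is why yum also offers `gpgcheck=1` (package signatures) and `repo_gpgcheck=1` (signed repomd.xml) in the repo configuration; keeping those enabled, and keeping the log of every rejected download, is what turns a retry loop like the one described above into evidence rather than a puzzle.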