Private DNS has been around for a little bit on newer devices. However, finding a service that provides both the Private DNS side (TLS) and ad-blocking, filtration of bad domains, etc., has been another whole mess.
I've launched a donation-backed Private DNS service which provides an internet-side option. Think pi-hole style blocking without needing a VPN or only working from your LAN.
What's this entail?
1. Running Android Pie (or anything with the feature ported to it)
2. Using a custom Private DNS Server address that I will provide.
What happens?
1. Your DNS requests are routed via DNS-over-TLS to my CDN virtual machines.
2. Your DNS requests are then locally processed through several internal systems including the infamous Pi-Hole.
3. Final data requests from the local resolver are forwarded via DNS-over-HTTPS to root DNS servers such as 1.1.1.1 and others that are found to support HTTPS protocol.
4. No personal data is stored. Only data with respect to filtration is stored such as blocked versus permitted domains, hit/misses, and caching statistics to continue to develop a more fluid system.
What do I do?
Put "DNS.DEREKGORDON.COM in your Private DNS settings for Android.
Use IP address 35.243.170.151 for other applications to include your home network router, ChromeOS, etc.
Like it? CONSIDER DONATING. This system is kicking out almost one million responses a day for users.
More information is at http://www.derekgordon.com/dns/.
Always provide THANKS no matter what folks. It's the nice thing to do....
So we are looking at a encrypted dns with ad blocking? I would be into trying that.
I'm using dns.agduard.com at the moment on my Huawei P20 pro running Android pie.
Have a number of people using it without issue now....
Check it out here:
https://www.derekgordon.com/dns
crypted said:
Have a number of people using it without issue now....
Check it out here:
https://www.derekgordon.com/dns
Click to expand...
Click to collapse
I'm gonna check it out
Cool. Give it a go. My only concern now rests with the attack prevention stuff I've added. It rate limits and bans those who are hitting the server or servers if expanded quite hard. Basically it's to ward off attackers. Anyway no bad reports from it but it's the only factor I'm not totally sure of.
Gonna give it a shot and give you my results in 24hrs.
Cool. I have zero issues on our family's Pixel 2s and 3s. No one said much bad except someone who had login issues on an Xbox when they used the system for their network's DNS. I solved that for them.
Note I'm not filtering Google ads domain as a few people complained since they click the first couple links on Google. I haven't felt intruded upon by ads with this change since making it a couple weeks back.
hi,
sometime i can use this dns, sometime cannot.
my mi 8 using baskalos rom stated coudlnt connect.
issit because of my isp?
Very strange. No one has reported that issue. Is it the same result on WiFi vs mobile data? Want to give me your IP to search logs?
I've used the server in four countries on various WiFi and mobile netwiens without issue on Pixel 3.
How did you get the Private DNS in android Pie to recognize your dns server? I've got my own pi-hole server, yet when I put in my FQDN, I lose internet access on my phone.
First, I don't use Pi-Hole only. I made a custom Debian image and deployed it into the world of CDN. Pi-Hole's opensource software was incorporated as one of my mechanisms for blacklists.
To your point on connection, you need two things: 1) a TLS server to establish the connection and 2) signed certificates for the domain you are using installed on your server. Android will connect via TLS and will verify that your certificate is valid against its root certificates on the device.
Happy note - my server is providing over 250,000 queries daily now and over 90% connect via TLS so that indicates lots of happy Android users.
I'm check yours out and see how well it compares to the VPN connection I currently use to my pihole.
Been loving your Private DNS so far. Great job on it. Question though, do you have a form or something for people to submit domains that are blocked and shouldn't be?
Hey. Feel free to tell me these domains. There is such high usage and hardly any feedback so I haven't even thought about it. I could make a Google Form later.
Actually, I had a spare moment at lunch. Try this: https://forms.gle/oGtAFKAc7yJPmmEZ6
crypted said:
Actually, I had a spare moment at lunch. Try this: https://forms.gle/oGtAFKAc7yJPmmEZ6
Click to expand...
Click to collapse
Was gonna request https://go.redirectingat.com be unblocked since many many sites use it to link to products on sites like Walmart and Amazon. Can't use that form though since you require a screenshot URL, and I can't screenshot a redirection site.
You figured out a good workaround to make your request. Processing now, give it a minute and should be good.
All of your requests are cleared if you didn't notice yet. Happy browsing.
Not really sure how to publicize this and it probably isn't worth trying to do... But for those who do use this, and there are plenty of folks, I have been working on some changes.
1. These will not work with Android as I don't have the extra cash to blow on more SSL certificates. But, they will work for home networking purposes:
US.EAST.DNS.DEREKGORDON.COM
US.WEST.DNS.DEREKGORDON.COM
DE.FRUNKFURT.DNS.DEREKGORDON.COM
BR.SAO.DNS.DEREKGORDON.COM
2. DNS.DEREK.GORDON.COM is now a pool of a number of VM instances that are connected to Google's CDN. It will grow as necessary. This helps spread out some of the intensity that has been hitting the TLS daemon.
3. Servers will automatically reboot between once a week to every other week depending on load and latency. Sometimes the intense flood of queries really makes things sluggish. Reboot takes just a few seconds and I'm working for it to time it during off-peak hours so hardly anyone will notice.
Hi, I have my own pihole installed on aws server. Could you please share tutorial how could i make it work with private dns in android pie. Thanks.
Related
EFF is bringing the security and privacy of HTTPS Everywhere to an important new frontier: your Android phone. As of today, you can install HTTPS Everywhere on Firefox for Android (until now, it could only protect desktop browsers). With HTTPS Everywhere installed, Firefox for Android encrypts thousands of connections from your browser that would otherwise be insecure. This gives Firefox a huge security advantage over every other mobile browser available today.
This is exciting news, because HTTPS encryption allows smartphone users to safely download apps, browse the web, exchange emails and instant messages, sync data between devices, and countless other everyday tasks. As we carry around our phones and tablets, we often connect to unfamilar WiFi networks, putting our personal data at risk of being monitored, collected, and tampered with by anyone else on the same network, as well as Internet Service Providers, network operators, and government agencies. In fact, we discovered last week that NSA and GCHQ have been invisibly tracking and profiling users based on data leakage from smartphone apps.
HTTPS Everywhere guards agains these attacks in your browser by switching insecure HTTP connections to secure HTTPS connections whenever possible using thousands of URL rewrite rules. Whereas data sent to a server over HTTP can easily be read and modified by third parties, HTTPS uses strong encryption to guarantee data confidentiality and integrity.
Click to expand...
Click to collapse
https://www.eff.org/deeplinks/2014/01/making-the-mobile-web-safer-with-https-everywhere
Figured I'd share this with you guys. HTTPS Everywhere has been a great desktop Firefox addon, I'm really happy to see them finally get a mobile Firefox version out. Probably the best way this would protect people are when using public wifi, but of course the site you visit would have to offer some form of HTTPS/SSL for the addon to work. It basically just helps you get the most out of sites that do offer it (some sites, like Youtube for instance default to HTTP).
Hmmm.. interesting.... But does Https Everywhere still have the problem that because of it, pages in general load a lot slower?
I haven't noticed any slow down personally. All this does really is help sites that support HTTPS/SSL to some extent, but for whatever reason do not default to it when I user visits the page. And obviously they make sure the site doesn't get broken before adding it in their extension's site list.
There's a whole FAQ here too that might explain it better than I ever could. All I know is if Tor browsers use it along with Noscript, it's a good security add on. Way better than nothing.
https://www.eff.org/https-everywhere/faq
But the add on should also make use of their SSL Observatory, which is a measure in place to protect users:
The EFF SSL Observatory is a project to investigate the certificates used to secure all of the sites encrypted with HTTPS on the Web. We have downloaded datasets of all of the publicly-visible SSL certificates on the IPv4 Internet, in order to search for vulnerabilities, document the practices of Certificate Authorities, and aid researchers interested the web's encryption infrastructure.
Click to expand...
Click to collapse
https://www.eff.org/observatory
Greetings all and Happy Holidays.
Per some fellow XDA users request and also to compliment the great thread "[TUTO] How To Secure Your Phone," by: unclefab, I figured this would help...a thread on VPN.
I am also shocked to not see anything in the security forum about VPN! I did a search and NOTHING.
What is a VPN?
(Virtual Private Network)
A simple search on the web will give you the nitty gritty stuff on what a VPN is, but I'll just lay it out very simply.
A VPN takes your data connection and encrypts it so it protects your data from not only your ISP seeing your traffic, but also from middle man attacks. Say if you were at a cafe connected to their open (unsecured) public WiFi and you did some shopping online, which involved you entering in your credit card number, name, address, etc... Well, it doesn't take much for someone to intercept your sensitive data passing through the cafe's unsecured WiFi connection.
How it works:
Encrypts your Computer's/Phone's data ---> Connects it to your VPN's server (Exit Server) ---> Then it reaches the end destination (website). (Safe Passage)
ie...
Safely passes your Internet Data, through a ---> [TUNNEL] ---> ...that is encrypted so that all your data is not only anonymous, but also protected.
There are may VPN's service providers out there, however, they are not all created equal. I've spent a lot of time researching VPN's and have went to great lengths to find the best of the best. The criteria of what I was looking for is as follows:
Offshore Company. Something outside of the US.
Liked and approved by even the extreme private/security activists.
Reliability and Speed! Some VPN's can be very slow only allowing you to achieve 30-50% of your internet speed at best.
A wide choice of servers.
Able to pay anonymously.
A VPN THAT WORKS ON OUR ANDROID DEVICES!
Some VPN companies have their own Android VPN client, which makes things a breeze. Just launch, connect and violla....all your traffic is now safely tunneled.
For the companies that do not have their own Android VPN client, you'll have to use the app: OpenVPN, which can be a hit or a miss for those on KK 4.4. Let me explain...
When I was on my Note 3 on 4.3, OpenVPN worked flawlessly and my speeds were darn near 100% of my regular LTE speeds even connected to a VPN! Well, once KK 4.4 came around, it completely ruined everything in terms of being able to stay connected. KK 4.4 is and was a nightmare for OpenVPN users. Upgrading from 4.3 to 4.4 was the biggest mistake I have ever made in my Android world. Bottom line, KK 4.4 sucks.
The good news is, there are a few VPN companies that work flawlessly on KK 4.4. I'm using one at the moment and it stays connected just fine with awesome speeds!
Why you should use a VPN:
Well think about. You can go the whole nine yards in securing your phone, which is awesome, but then you'd still be tunneling all that traffic "unencrypted," over the internet .... this is counter-intuitive in every way that you look at it. It's like ordering a BIG MAC Extra value meal and getting a diet coke. I mean really? What's the point? Diet? No matter how you see it, you're going to get fat if you keep eating it and thinking a diet coke is going to take edge off of you getting fat. Sorry, it doesn't work that way....
Imagine a semi-trucks driving down the highway with some completely exposed and some locked and covered. Well you'll obviously be able to see the exposed cargo on all the trucks that are not contained yes? Whereas the ones that are covered and locked, you'd have no clue what's in there. This is how a VPN works....it covers your data/traffic so that no one can see or know what is inside of that container during transit...ie...it provides a safe passage of your data over the internet to the end destination.
Now a VPN will protect your data from point A to the end destination (website.) That website will only be able to see your "exit server," and not your ISP or your location, but of course your data.
Ex: You're in New York connected to the internet using a VPN ----> The VPN server you're connected to is in Texas ---> The website you're visiting is located and hosted in Canada.
In that example, your "encrypted" data/traffic is being routed through Texas and then to Canada where the website is hosted/located. Make sense?
Because you're connecting to a VPN server, this is why you have to know which ones to use so that you can trust your data routing through their servers. Not all VPN companies are created equal!
If you're interested to know which VPN's are best in general and for our Android devices, PM me and I'll share with you my research. I don't want to advertise anything on here to be in compliance with the forum rules.
I hope this helps!
To be continued....
You forgot to tell the data is not encrypted by the VPN between it's server and the website's server, you are only moving a problem from place A to place B. It may be better for you if this is what you are looking for but it doesn't add that much security.
How a VPN works : Your device data is encrypted FIRST, it leaves your device and goes to the VPN's server, it is DECRYPTED, and then it is relayed to the server you were trying to contact. Your data is less traceable but you're not anonymous, the VPN provider knows who you are and your DNS provider may still know what you are looking at if you the device leak DNS requests.
Your guide is missing details, anonymity and security is not easy and trying to simplify it too much you lost important parts users should not forget.
Regards
Magissia said:
You forgot to tell the data is not encrypted by the VPN between it's server and the website's server, you are only moving a problem from place A to place B. It may be better for you if this is what you are looking for but it doesn't add that much security.
How a VPN works : Your device data is encrypted FIRST, it leaves your device and goes to the VPN's server, it is DECRYPTED, and then it is relayed to the server you were trying to contact. Your data is less traceable but you're not anonymous, the VPN provider knows who you are and your DNS provider may still know what you are looking at if you the device leak DNS requests.
Your guide is missing details, anonymity and security is not easy and trying to simplify it too much you lost important parts users should not forget.
Regards
Click to expand...
Click to collapse
Misleading? I think you need to re-read the post. Here let me help you:
"A VPN takes your data connection and encrypts it so it protects your data from not only your ISP seeing your traffic, but also from middle man attacks. Say if you were at a cafe connected to their open (unsecured) public WiFi and you did some shopping online, which involved you entering in your credit card number, name, address, etc... Well, it doesn't take much for someone to intercept your sensitive data passing through the cafe's unsecured WiFi connection."
"Now a VPN will protect your data from point A to the end destination (website.) That website will only be able to see your "exit server," and not your ISP or your location, but of course your data."
"Ex: You're in New York connected to the internet using a VPN ----> The VPN server you're connected to is in Texas ---> The website you're visiting is located and hosted in Canada."
So you're going to argue the fact that a VPN wouldn't be affective in a cafe scenario like the example I've given in the post?
Any additional information is appreciated, but please don't come in here saying that it's misleading....
THE FACT IS...YOU'RE BETTER OFF WITH A VPN, than WITHOUT ONE. PERIOD.
It's about trust, the VPN server can do the middle man attack itself or one could do it somewhere between the VPN's server and the final destination.
Of course you're better with a VPN most of the time, but it's important to clearly state it's not captain america's shield neither. It's important to clearly tell at all cost that the data is encrypted only between you and the VPN's server.
Best regards.
The only way to ensure you are safe from MITM is to use end to end encryption, like SSL/TLS (https). Even if the MITM is using sslstrip, you'll be able to tell by the security popup in your browser when it asks you to trust the connection (which you shouldn't...)
VPN is useful for protecting you from someone sniffing the airwaves on an open network or for accessing services behind a firewalled network. (Like SMB/Windows File Sharing).
Like Magissa said, it isn't captain America's shield, and don't be fooled by a false sense of security. You have to trust the VPN provider, and it would be pretty easy for one to sniff your traffic or read logs...
iunlock said:
Greetings all and Happy Holidays.
Per some fellow XDA users request and also to compliment the great thread "[TUTO] How To Secure Your Phone," by: unclefab, I figured this would help...a thread on VPN.
I am also shocked to not see anything in the security forum about VPN! I did a search and NOTHING.
What is a VPN?
(Virtual Private Network)
A simple search on the web will give you the nitty gritty stuff on what a VPN is, but I'll just lay it out very simply.
A VPN takes your data connection and encrypts it so it protects your data from not only your ISP seeing your traffic, but also from middle man attacks. Say if you were at a cafe connected to their open (unsecured) public WiFi and you did some shopping online, which involved you entering in your credit card number, name, address, etc... Well, it doesn't take much for someone to intercept your sensitive data passing through the cafe's unsecured WiFi connection.
How it works:
Encrypts your Computer's/Phone's data ---> Connects it to your VPN's server (Exit Server) ---> Then it reaches the end destination (website). (Safe Passage)
ie...
Safely passes your Internet Data, through a ---> [TUNNEL] ---> ...that is encrypted so that all your data is not only anonymous, but also protected.
There are may VPN's service providers out there, however, they are not all created equal. I've spent a lot of time researching VPN's and have went to great lengths to find the best of the best. The criteria of what I was looking for is as follows:
Offshore Company. Something outside of the US.
Liked and approved by even the extreme private/security activists.
Reliability and Speed! Some VPN's can be very slow only allowing you to achieve 30-50% of your internet speed at best.
A wide choice of servers.
Able to pay anonymously.
A VPN THAT WORKS ON OUR ANDROID DEVICES!
Some VPN companies have their own Android VPN client, which makes things a breeze. Just launch, connect and violla....all your traffic is now safely tunneled.
For the companies that do not have their own Android VPN client, you'll have to use the app: OpenVPN, which can be a hit or a miss for those on KK 4.4. Let me explain...
When I was on my Note 3 on 4.3, OpenVPN worked flawlessly and my speeds were darn near 100% of my regular LTE speeds even connected to a VPN! Well, once KK 4.4 came around, it completely ruined everything in terms of being able to stay connected. KK 4.4 is and was a nightmare for OpenVPN users. Upgrading from 4.3 to 4.4 was the biggest mistake I have ever made in my Android world. Bottom line, KK 4.4 sucks.
The good news is, there are a few VPN companies that work flawlessly on KK 4.4. I'm using one at the moment and it stays connected just fine with awesome speeds!
Why you should use a VPN:
Well think about. You can go the whole nine yards in securing your phone, which is awesome, but then you'd still be tunneling all that traffic "unencrypted," over the internet .... this is counter-intuitive in every way that you look at it. It's like ordering a BIG MAC Extra value meal and getting a diet coke. I mean really? What's the point? Diet? No matter how you see it, you're going to get fat if you keep eating it and thinking a diet coke is going to take edge off of you getting fat. Sorry, it doesn't work that way....
Imagine a semi-trucks driving down the highway with some completely exposed and some locked and covered. Well you'll obviously be able to see the exposed cargo on all the trucks that are not contained yes? Whereas the ones that are covered and locked, you'd have no clue what's in there. This is how a VPN works....it covers your data/traffic so that no one can see or know what is inside of that container during transit...ie...it provides a safe passage of your data over the internet to the end destination.
Now a VPN will protect your data from point A to the end destination (website.) That website will only be able to see your "exit server," and not your ISP or your location, but of course your data.
Ex: You're in New York connected to the internet using a VPN ----> The VPN server you're connected to is in Texas ---> The website you're visiting is located and hosted in Canada.
In that example, your "encrypted" data/traffic is being routed through Texas and then to Canada where the website is hosted/located. Make sense?
Because you're connecting to a VPN server, this is why you have to know which ones to use so that you can trust your data routing through their servers. Not all VPN companies are created equal!
If you're interested to know which VPN's are best in general and for our Android devices, PM me and I'll share with you my research. I don't want to advertise anything on here to be in compliance with the forum rules.
I hope this helps!
To be continued....
Click to expand...
Click to collapse
which is the best VPN to use?
I've installed OpenVPN for Android and it works fine.
[VPN (Virtual Private Network) and why you should use it if you're serious ab...
TheMoroccan said:
which is the best VPN to use?
Click to expand...
Click to collapse
There's no concrete answer to that question. Your best bet is to use a VPN provider that's based outside of your country, preferably one that is less likely to corporate with your local law enforcement.
Agreed. Out of country, away from your government's reach... There are some offshore server farms in countries with lax laws... Those are usually tax havens also. Research
snapper.fishes said:
There's no concrete answer to that question. Your best bet is to use a VPN provider that's based outside of your country, preferably one with a less likely to corporate with your local law enforcement.
Click to expand...
Click to collapse
Thanks bro for the info.
Beginning with 2016 we will not longer support the coexistence with EYEO's AdBlocker.
This tool is an advertising gateway and they will pass more and more advertising.
keweonDNS
THE FIRST ADBLOCKER WORLDWIDE
WHICH RUNS ON
EVERY OPERATION SYSTEM
EVERY BROWSER
EVERY SYSTEM
without any Software Installation
Tested & working on:
WinXP to Win10 - Windows Mobile - Linux - UNIX - Android - iPhone - iPad - MacOS - BeOS - BLACKBERRY - JavaOS - XBOX - PLAYSTATION - APPLE WATCH - WebOS - Microsoft EDGE - RASBERRY - NAS DEVICES - SmartTV's
Click to expand...
Click to collapse
I'm proud to present a brand new ad-block and security solution. I hope to find some supporter here to check, test and optimize the system.
The name of this system is keweon which is a short form from the German words "keine werbung online". Translated to English this would be "no advertising online"
Unfortunately every online presence is within German language because my English is not longer the best.
The idea and very first solution was born in year 2003. In the year 2013 I decided to launch the system as an online based system and we have tested this system almost on every device. AdBlocking is just only one of the many features but at the moment it's only important if the black and white lists are usable and what to change.
keweon is also the only adblock solution world wide which is not possible to block. If you find a web page where you receive the message "Blocked because you are using an adblocker" let me know this link here or post it on our facebook page and we will change this.
Now it's up to you to decide what you want to think about it.
How can you use it?
The big advantage is that you don't need to install any software. Just point your device to the keweonDNS Server and - that's it!
You can use it on your device or on your SOHO Router or you can use it just on your PC to test and see how does it work.
It's working on EVERY operation system, on EVERY device. Even on IPhone, PlayStation, XBOX and if you want it will even run on the Apple Watch.
Here are the keweonDNS Server list and where they are located:
DNS Server IPv4
GERMANY 01 (*) 46.101.208.121
GERMANY 02 (**) 46.101.187.194
UNITED KINGDOM 01 (*) 178.62.117.240
USA - Dallas (TX) (**) 45.32.198.153
DNS Server IPv6
GERMANY 01 (*) 2a03:b0c0:3:d0::3c:7001
GERMANY 02 (**) 2a03:b0c0:3:d0::b0:8001
UNITED KINGDOM 01 (*) 2a03:b0c0:1:d0::28:8001
USA - Dallas (TX) (**) 2001:19f0:6400:8945:5400:00ff:fe17:5dba
(*) = only available for Germany, Austria, Switzerland and Liechtenstein
(**) = global available
Our DNS Server are not pointing to Google server at the other end. We want to have a clean DNS solution. The DNS servers points to root-server.net infrastructure only.
This might cause some troubles e.g. with MarkMonitor URL's and Domains. I don't care because this company is anyway block at 99,999% via keweonDNS
HTTPS Advertising - no more chance
This is also a big advantage that keweon is able to cover also this crap. We know the current solution is not the best but it is the cheapest.
If you want get rid of the HTTPS advertising error message than you need to install the keweon Adblock Root Certificate on your Computer or on your device.
I know that there are better solutions but the problem is that keweon is currently just a hobby and to buy a public certificate and spending 800 Euro just for fun would be a big financial pain.
You don't need the certificate to use the keweon Adblock but if you want to get rid of the https nags you need to use is.
Browser example without keweon Root Certificate:
{
"lightbox_close": "Close",
"lightbox_next": "Next",
"lightbox_previous": "Previous",
"lightbox_error": "The requested content cannot be loaded. Please try again later.",
"lightbox_start_slideshow": "Start slideshow",
"lightbox_stop_slideshow": "Stop slideshow",
"lightbox_full_screen": "Full screen",
"lightbox_thumbnails": "Thumbnails",
"lightbox_download": "Download",
"lightbox_share": "Share",
"lightbox_zoom": "Zoom",
"lightbox_new_window": "New window",
"lightbox_toggle_sidebar": "Toggle sidebar"
}
Browser example with keweon Root Certificate:
If you want to see what is inside this certificate than browse to the keweon HTTPS Sniper Server and take a look inside the SSL Certificate. You can see what URL's we will take over for ad-blocking reason.
How does keweonDNS work?
It's not a big secret because EVERYTHING is working on 100% pure native DNS technologies. The only thing you need is a FreeBSD Server, a LINUX Server and - YES, it is REQUIRED - a Windows Server. You need to build your own operation system based on UNIX and some special kernel things.
That's all!
I also have had a contact to a big AdBlock Company and the CEO still think this solution is a Proxy solution. I don't want to make a big discussion but keweon is running on 100% native DNS.
The only exception for this is currently YouTube. We have unlocked YouTube that you will not longer get stupid messages "Is blocked because...".
In non other country of the world are more Videos blocked than in Germany. Don't ask for the secret of the YouTube solution. It's working and we will not send the traffic over the keweon systems. That's the reason why we can offer this solution to nearly half a million users.
Check this and see:
https://apps.opendatacity.de/gema-vs-youtube/en/
Currently we have the problem that YouTube unblocker will not run 100% on iOS devices. If you want to see EVERY Video you need to uninstall the YouTube App from your device and watch the videos within the browser.
Therefore I would need additional help to sort out where the hell this app will take the GEO location information's. At the moment it seems it will use the iOS API for this but my knowledge about the iOS API is very limited.
Here are the important links:
On Facebook: https://www.facebook.com/keweonNetwork
On Twitter: https://www.twitter.com/keweonNetwork
Because of legal reason the web site is still offline. One little error on the page could cost a lot of money in Germany.
The Web: http://www.keweon.de
The keweon Root Certificate.
Keep in mind it is not required to use the certificate. If you want to get rid of the HTTPS error messages u can use it but for the basic Ad-blocking it is NOT REQUIRED.
Here is the list of the current entries within our certificate. You can double check this within our HTTPS sniper server: https://adblock.keweon.center
http://forum.keweon.de/viewtopic.php?f=9&t=8
For Windows Systeme (MSI File)
The certificate is working for IE, Edge and Chrome Browser.
http://pki.keweon.center/certs/keweonAdBlockCertificate.msi
MSI within a ZIP file:
http://pki.keweon.center/certs/keweonAdBlockCertificate-MSI.zip
For Android and iOS devices, also for Firefox and Mozilla Browser:
http://pki.keweon.center/certs/keweonAdBlockCertificate.crt
CRT within a ZIP file:
http://pki.keweon.center/certs/keweonAdBlockCertificate-CRT.zip
For Admins to use it within Active Directory as REG file:
http://pki.keweon.center/certs/keweonAdblockCertificate.reg
REG within a ZIP file:
http://pki.keweon.center/certs/keweonAdblockCertificate-REG.zip
If you want to have a "AllInOne Package" use this link please:
http://pki.keweon.center/certs/keweonAdblockCertificate.zip
What will this cost?
It will cost nothing. You can use it where ever you want to use it.
Why it's free?
Because we can do it.
We are unknown.
We don't know what you think about this solution.
That's the reason why this will be free of charge. But keep in mind that this system is only a demo system because we don't have the money to do what we want to do.
The only thing what we expect:
Like, Share and Promote us here by XDA (hit the Thanks Button), on Facebook and Twitter. That's all we want to have from you.
And now?
Now it's your turn.
Read it, use it and decide if you want to have the Internet in a newer Version. Take a look and see.
Hope you enjoy it!
How you can support keweon?
If you have found an address which is blocked that needs to be unblocked or if you have found additional critical address then just send this via email.
At the moment we need to cross check everything manually but we hope that we can automated this process within a few weeks. For this it is important how you send the email. Let's give a short example.
BLACKLIST EXAMPLE:
You have found the URL www.ads-terror.com. But this address is a Popup from the site www.cool-site.com
Now create a text file as like as a hosts file and add the bad URL. Use the Hash sign (#) to seperate the comment. As comment you should use the source URL where you have found the Popup.
www.ads-terror.com # www.cool-site.com
If you have found a malware site or address or something like the "Flashplayer Update" which is in real a malware or spyware trash than comment this with what it is. Just one or two words that we know what it is. You can also combine this or write a few more words. It's up to you.
www.ads-terror.com # fake flashplayer
WHITELIST EXAMPLE:
We know that 7 million entries will not be 100% safe and clean. So don't worry, if you find an address which is blocked which should be not blocked than let's whitelist this.
Also write this into a TXT File and comment this with some self spelling infos that we know why.
bit.ly # Twitter URL shortener
That's all. Please don't send any screenshot or PDF or anything else than a TXT file. Keep in mind that we only will work with the attachments. It does not make sence to send the information within the email body. Whatever you write in the mail this will be ignored because this is an half automated process.
Where to send?
It's easy.
If you have an request and attachment for white listing send this to:
[email protected]
If you have an request and attachment for black listing send this to:
[email protected]
Anything else?
Yes. If you have seen a website where you will receive the Message "this website is blocked because you are using an adblocker" than we also want this to know.
Sometimes it will take a few hours, sometimes this can take up to 3 days until whe are able to break this. But we keep you updated on twitter if we are able to remove this crap.
If you have found an address please copy this address also into a TXT file and send this to:
[email protected]
A few of our blocked URL's might cause some HTTPS errors. For this we have the Root Certificate and because of this we are able to manage this errors within a few minutes.
If you are using the keweon Adblock Root Certificate and find an error on a web page than make a screenshot OR send a TXT file with the URL.
We will double check this and if we see that this address needs to be placed in our HTTPS certficate we will do this. If something wents wrong we will remove this address from our blacklist.
If you see or find an error within the HTTPS certificate than we also need this to know. Send the screenshot or the TXT file to this address and we will take action.
[email protected]
Update of white and black lists
Currently we have a job, we have family and we can not offer 24x7 support for this. This system is just a damn small system, it's a hobby and this update procedure can cause a timeout for round about 60 sec. when we do an update on our DNS Servers. We know how to solve this but we don't have the money currently for this.
This update has only impact to NEW site and URL requests.
If you are playing an online game, stay on facebook or doing work on the same site you will see no interruption. If you do a new site request and you will see that this request runs into a time out take a smoke or move away for a new cup of coffee.
I hope you enjoy this and if you have any recommendations please let me know this.
What is keweonDNS?
keweonDNS is more than just a simple adblocker system. keweon is a solution which offers a lot of cute things.
privacy Protection
protection by Virus and Trojan infection (prevent the download of additional files)
protection against spying (blocking the source address)
Internet without Ads and Popups
real time online ad-blocking
domain address based
working with ipv4 and ipv6
tracking protection
malware protection
spyware protection
trojan protection
fake security filter
fake software filter
phishing protection
advantage because of all of this: up to 50% faster internet on all devices
We also have found a solution where we are able to block even IP Addresses and filter single websites or a picture. But currently it is to expensive to release this for public usage.
We need your support!
The keweonDNS phishing protection is a beta solution at the moment because we have the idea. We know what to do. We know where to do.
But we have no email with a phishing address or URL. We hope someone of you is able to support us and send us a few URL's.
If you receive a phishing mail than copy the content of the mail into a TXT file. Please make sure that you will copy the PHISHING address into this TXT file and then send the TXT file as attachment to:
[email protected]
!!! ATTENTION !!!
IF YOU DON'T KNOW WHAT TO DO - NEVER CLICK ON A LINK WITHIN A PHISHING MAIL.
ASK A FRIEND OF YOU OR SOMEONE WHO KNOWS WHAT TO DO!
Click to expand...
Click to collapse
If you are not sure than you can forward and send the complete mail to us. Please send this mail to:
[email protected]
The problem is that our mail provider might filter this mail. That is the reason why we are asking for the source and destination address within a text file.
It will not help if you only send a screenshot because the LINK and the LINK REFERENCE are completely different. It's also an idea if you are able to save the message and send the message as ZIP file.
If we have this mail we will take action and prevent phishing attacks when you are using the keweonDNS Servers.
Currently we have not a real solution how you can send the information's within a secure way. You can do what you want as long as you are safe and can make sure that you will be not infected.
If you have any idea how to send the complete mail your welcome to keep us informed.
It seems no one is using this System because of my self signed Root Certificate.
I want to get rid of the Certificate installation.
Does someone know if there are some provider who offers free public web server certificates?
Currently I only know Comondo.
Thanks in advance!
(2015/12/11 - 12:15) EDIT:
Click to expand...
Click to collapse
We have done a Certificate request with public domains entries within the SAN field.
After this the certificate request was catched by fraud detection and they denied the certificate.
Bad luck for us. But we don't give up.
If someone knows a different solution than our Root Certificate please let me know.
At the moment it is only possible to get rid of the HTTPS trash with our Root Certificate.
Thanks in advance!
Over 500 Hits and no one seems to be interessted?
Can someone explain to me why there is a problem to give it a try and test this System?
Would be a great thing. Thanks in advance.
I'll give it a try, i already promoted it over my friends, i thank you for your work
Inviato dal mio Nexus 4 con Tapatalk 2
jacomail95 said:
I'll give it a try, i already promoted it over my friends, i thank you for your work
Inviato dal mio Nexus 4 con Tapatalk 2
Click to expand...
Click to collapse
That's good to know.I will Update this Thread with more options.
I have no exerience with Italy and ads, Malware and Spyware.
Hope you will give some feedback to optimize it. Infos and how2 will follow within this Thread the next few hours.
Thanks and I hope you enjoy this system
Now you can help us with update and clean up the white and black lists.
http://forum.xda-developers.com/showpost.php?p=64055856&postcount=2
Best regards!
Hello , thanks for this dns. Could you provide server & net provider information?
Please take a look at dnscrypt.org , usage would be great.
Your website isnt loading , what happened
Sent from my GT-I9505 using XDA Free mobile app
HeathenMan said:
Hello , thanks for this dns. Could you provide server & net provider information?
Please take a look at dnscrypt.org , usage would be great.
Your website isnt loading , what happened
Sent from my GT-I9505 using XDA Free mobile app
Click to expand...
Click to collapse
At this point DNS encryption is not a thing we Plan to implement.
This System is comlete VPS based and a real smal system.
We are using some overloaded security on the servers. If we have success to establish this as an commercial system we will use DNS encryption.
But at the moment we only want to clean up the Black and white lists and for this DNS encryption will cause more troubles than security.
Best regards!
Technical Focus:
It seems that adblock blocking will become the "Advertising Surprise XXL Feature" for 2016.
May be for all other Adblockers. But this will not work with the keweon System.
We cross the fingers and we wil see :fingers-crossed:
Blocking Adblocker which blocking ads to make sure that ads will never blocked
If you see any Website which is blocked when you will use an ad-blocker please test this also with the keweon System.
Yahoo is working on this to prevent ad-blocker usage.
We are working on this problem too and for a well-balanced result we take the other side.
Help and let us know when you find such a site!
Tell us what you think about this:
kinox.to and movie2k.to are now 98% ad free.
We also removed the abo traps when you use this sites on your mobile phone.
Best regards and we hope you enjoy this!
What are you doing with all the user data you are collecting with this?
Gesendet von meinem HTC One mit Tapatalk
flummi3000 said:
What are you doing with all the user data you are collecting with this?
Gesendet von meinem HTC One mit Tapatalk
Click to expand...
Click to collapse
Collecting data? From users? Or any connections?
I guess you are german because that's typically german bull****!
Who the hell told you that we collecting data? Collecting user data via DNS Server? Did you saw any data collection?
Do you realy belive that we break the communication to nearly everywhere and than we collect data for what?
Oh damn!! Almost idiots only here in germany!
Sprint
Anyone know how to change the DNS on android KK?
Sent from my N9515 using XDA Forums Pro.
brad65807 said:
Sprint
Anyone know how to change the DNS on android KK?
Sent from my N9515 using XDA Forums Pro.
Click to expand...
Click to collapse
Check the Playstore and search "RomToolBox". But this tool requires root.
Unfortunately I'm using currently an iPhone but with this Tool I have had the best experience on android.
With higher versions than KK (4.4) I have no clue how to change the DNS Servers because HTC OneMax with 4.4 was my last android device.
I just use the DNS changer from Playstore. Works fine so far. Thanks for your effort!:good:
Shockwave71 said:
I just use the DNS changer from Playstore. Works fine so far. Thanks for your effort!:good:
Click to expand...
Click to collapse
Good to know. thanks for the Feedback :good:
bencozzy said:
I have to agree this is not open source so only security conscious conclusion is that you are data sniffing.
Click to expand...
Click to collapse
Hmmm... Data sniffing with DNS? How? And why?
Everyone is claiming that it is not possible to protect data. I have found years ago a solution and after 10 years I decided to launch this as an online solution.
Let's assume that I will data sniffing. What can I get?
Compare DNS as a phone book. You have the option to look inside where the Webserver or the destination exists. You are searching only a phone number or IP Address.
If you take data from the webserver this will not served and offered by the DNS Servers because this will be done from the webserver which you are browsing to. DNS is only telling your browser, hey go there and there you will find the rest.
The only thing I would get is which IP address is seeking for what address. So what data I should sniff? I only will get the information which IP address is searching xyz.com. Based on this information what should I do with this?
If I would like to have this Data that makes no sence because I have a account to statista.com where I can get more and detailed informations about this. Therefore is no need to launch such a tool.
I decided to build this project DNS based because in no country of the world it is requrired to log DNS request. May be China is an exception but especially in germany where it is required by law to log EVERY web server access DNS will be an exception.
Everyone is claiming that it is not possible to filter dangerous things within the Internet or web sites. Also the site and user tracking. If you use my DNS you can browse to Amazon do a search any you will get not "stalking result" when you visit ebay after your amazon visit.
I have disabled this online tracking which a lot of people say this it not possible. I'm working with this keweonDNS solution since years and also a lot of other people. This was finally the reason why I decided to launch this system as a public system. I'm specialist for Active Directoy since 2000 and I promises to you I will and I can do things with DNS where others will never dream of.
And yes. The system is closed source. And it will stay closed source.
On the one hand I have spend years of work into this system and if you ask someone who has experience with DNS this guy will confirm that this will not work what I do. I heard this so many times - but it's working. On the other handy I keep this closed because I will give no one the chance to break my system or doing some evil things.
If this system will have success than hey, I will find an Investor and I'm able to implement all the security features and launch this as an global system. Yes, this is what I want to do with this.
At the moment you will see only 20% of it's power because all other things would make this system damn expensive when I would release this as public system.
Big companies better pray that this never will happens because for them this system will become an evil nightmare.
If it's no success and everyone has concerns to use it than I will put everything back into the drawer and that's it. At the moment it is fun, fun, fun and more fun. Nothing more.
The same is with my Adblock Root Certificate. I was searching a solution. I found it and it's working. Within a Windows System you will see 42 root certificates. Do you know what they will do? Do you know what they are responsible for? I guess you will not know this but you trust them by default.
I will open and release my complete certificate if you want.
I can not take the fear away which you might have with my system, it's up to you to use it. But the main reason is I want to keep my data on my machine. I don't like if someone try to spy me, my machine and everything what I do.
At the moment I only want to know if the Black and White Lists are OK. To launch the system as a public system there is a lot of additional work required which is not possible that one or two guys can handle this.
I have a solution. I offer the solution as a public system and I will never say that this is the master solution. But with keweon you have more security and options than every other system.
It is absolut O.K. that someone thinks twice bevor he use this system. It is absolut O.K. when someone do not trust the certificate. And it's absolut OK when someone think that this is a big peace of sh**t.
I expected a lot of complains and I'm prepared for nearly everything.
But to think that I'm collecting data?
That's a hard pain because this is what I hate and that is something what this system prevent.
If you will not trust this solution it's O.K. for me. If you have any recommendations how can I achieve more trust into this system than let me know this because I'm open to anything.
Best regards!
bencozzy said:
I have to agree this is not open source so only security conscious conclusion is that you are data sniffing.
Click to expand...
Click to collapse
Just shut-up for godsake if you want to use it use it, or if you don't leave it, why so many complaints, go learn computer networks DNS stuffs and then talk, its just a solution, there are many other adblocking solutions out there. If you are concerned with too much privacy why use Google or xda there's trackers everywhere, its inevitable to avoid. Grow up please.
I have always known that companies like google and facebook for example collect our data, web searches etc and sell this information for profit. Today, this has become an even bigger issue with what we see in the media with the nsa and other government organizations tapping into our devices and monitoring our usage. At the end of the day, most of us, myself included really dont have anything to hide, so it may not be a real issue. I have often thought that if anyone poked around in my pc or phone they would simply get bored as they are just full of geeky engineering files lol. The real thing for me is simply that it's an invasion of privacy and just not right. With that said, I find myself wanting to go the extra mile to make my pc and my phone completely private from outside sources taking my information, watching my web searches and seeing my data. My question is, is it possible to be 100% secure and private, and if not, how close can we get, and how? I have heard that VPN's can achieve this. Is this true? and if so are there any free secure VPN's for our android devices and or pc's that are really good? Do VPN's slow down our devices? Also, Is there a way when we delete android files to permanently delete them? I noticed when I flashed my rom, after doing the complete wipe that is still contains files from before the wipe.
(I know this isn't a pc forum, I only included the pc because it's relevant.)
Thank you all in advance.
There are no data retention laws in the United States. Meaning, if a data center does not want to hold any logs to their users' activity, they're not required by law to do so. Multiple countries are similar, which is why I recommend using Private Internet Access for your VPN. They have a client for PC and Android and they're really great. I've been using them for many years and have had no issues. And, if you're really wanting to remain "anonymous", you can pay for your VPN subscription using gift cards from popular outlets like Walmart, Starbucks, etc. And for search engines, I'd recommend DuckDuckGo, which doesn't log anything you search. For PC, I'd recommend disabling your IPv6 protocol in your router settings and getting uBlock Origin, HTTPS Everywhere, and PrivacyBadger. They're wonderful add-ons for Firefox or Chrome. uBlock Origin and PrivacyBadger can block WebRTC leaks which would leak your IP address and can be used to identify you. If you want more information, feel free to reply to my post and I'll help you out as much as I can.
Hoxic said:
There are no data retention laws in the United States. Meaning, if a data center does not want to hold any logs to their users' activity, they're not required by law to do so. Multiple countries are similar, which is why I recommend using Private Internet Access for your VPN. They have a client for PC and Android and they're really great. I've been using them for many years and have had no issues. And, if you're really wanting to remain "anonymous", you can pay for your VPN subscription using gift cards from popular outlets like Walmart, Starbucks, etc. And for search engines, I'd recommend DuckDuckGo, which doesn't log anything you search. For PC, I'd recommend disabling your IPv6 protocol in your router settings and getting uBlock Origin, HTTPS Everywhere, and PrivacyBadger. They're wonderful add-ons for Firefox or Chrome. uBlock Origin and PrivacyBadger can block WebRTC leaks which would leak your IP address and can be used to identify you. If you want more information, feel free to reply to my post and I'll help you out as much as I can.
Click to expand...
Click to collapse
Hoxic,
Thank you for all of the information. With the private internet access VPN on my PC and android, will that slow down anything like web surfing, uploads or downloads? I am limited to using Verizon's high speed DSL connection as they refer to it, (I refer to it as slowest speed connection lol) in my neighborhood and this is the only provider for me so it's already pretty slow compared to Fios and other broadband connections. I would hate to slow it down any more.
You mention to pay for these services using gift cards and such. Well as I mentioned, I do not have anything that I am actually worried about anyone seeing, this is simply my way of trying to protect my privacy so I wouldn't go that far but I am curious about that statement. Do you mean that using a VPN truly isn't private or is this just to remove any paper trail linking me to the use of a VPN provider? I have been using DuckDuckGo for several years already just to stop google from taking and selling my info. Weather it truly works or not I dont know but its a great search engine anyway so I figured why not use it.
Your advice to disabling IPv6 protocol in my router settings: I do not see anywhere in my router settings to do this so I googled it, and it looks like there's a way o do this in windows. Is that different that what you're advising? Also I read a windows blog on this and windows 10 says IPv6 is a mandatory part of Windows that they do not advise on disabling. Can you give me some more detail on this, and how to disable it, assuming the windows warning is bull.
Thanks for all of your help.
Firstly some little rant about keweon which is the most hypocrite security service I've ever seen:
[
The mentioned bet was with me. PM for details or public if you make me care enough.
>Copypasting all the elaborate posts from the Telegram sphere as I cant bother to spend much time on it.
I mostly agree with whats written there.
Seriously I dont care about Thorsten (MrT69) personally or in any other way.
I am actually quite sick of this topic. Even mad that I have to deal with basic **** like that. These people managed to trigger a hermit into logging on to tracking heavy XDA.
Why I do this? It needs to be done.
I could have never imagined that such a blatant scam could gain enough traction that it regularly annoys me.
]
<<< A little bit of ranting about keweon >>>
"
Evidence and proof of concept that keweon Online Security is not as secure as claimed by its developer.
After a group of independent IT and cyber security specialists proved that keweon is not as secure as claimed by the developer, they confronted the developer with the results and reminded him of a bet. All keweon support groups on TG then were deleted by the developer personally and without further explanation on the morning of February 4, 2019.
We all know by now that the way keweon DNS works is based on users using keweon's DNS and the keweon root certificate.
What has now been proven is exactly what keweon could do with its users, but Torsten vehemently denies and claims "that's impossible" and "that doesn't work":
1. get users to use your DNS server.
2. get users to use your root certificate.
3. redirecting a page, e.g. mybank.com, to one of the keweon servers (by changing the DNS record)
4. issue your own SSL certificate for the website, users have installed your Root-CA and so this is not a "witch work"
5. read username/password from the connection (if 2FA is used, just wait until the user logs in and use the token again quickly as it is valid for 30 seconds).
We now have proof that this is possible without a doubt. In fact, this is a classic MITM attack, and anyone who denies that it is possible either has no idea (you shouldn't assume this from Torsten) or is trying to hide something from his users.
The developer of keweon has repeatedly asserted and insisted that a root certificate cannot intercept connections or collect data.
Quote from the keweon developer with his PayPal bet:
"Prove that to me. Give me any DNS and a root certificate and try to get my PayPal data.
I'll then even contact you when I sign up for PayPal. If you manage to get my PayPal data this way, you can log in and transfer 500 Euro to your account. I have made this offer very often and this is a serious offer from my side."
Unfortunately the developer of keweon didn't contribute his part to the test as he promised so often and of course he didn't log into Paypal via our provided DNS and root certificate.
The only reaction on his part was, apart from some insults, the deletion of all keweon groups on TG.
The security test of the keweon servers also revealed that under certain conditions connections are even redirected to keweon's own termination server and answered with 1x1 pixel gifs.
The fact is that the requests contain tracking IDs that can be easily managed from these servers.
So even Torsten's statement that the keweon SSL server only terminates requests with empty (0 byte) responses is wrong.
This again contradicts Torsten's own statement.
The point now is that the developer of keweon Online Security is actively trying to deny that it is possible for him to abuse the root certificate, although it has now been proven that it is actually possible for him to do exactly that with the keweon root certificate and its users.
Until the developer decides to disprove the accusations made against keweon Online Security or can prove that the accusations against him are unfounded, it is advisable for obvious reasons of security not to use keweon Online Security for the time being.
Anyone who is interested in repeating this test can do so at:
http://https-interception.info.tm/, where you will find a DNS and a root certificate, same as with keweon Online Security.
Furthermore there is a real-time log about recorded connections.
Everything else can be found there.
Please be careful not to use your correct email address or password for this test!
#keweon #test #bet #evidence #ProofOfConcept
"
<<< /rant >>>
<<< Explanation of some DNS and TLS/HTTPS basics for noobs >>>
DNS And Root Certificates - What You Need To Know
e8aebe8eb8b24035ae75260ca0ea80a7 / 20190205
Due to recent events we felt compelled to write an impromptu article on this matter. It's intended for all audiences so it will be kept simple - technical details may be posted later.
1. What Is DNS And Why Does It Concern You?
DNS stands for Domain Name System and you encounter it daily. Whenever your web browser or any other application connects to the internet it will most likely do so using a domain. A domain is simply the address you type: i.e. duckduckgo.com. Your computer needs to know where this leads to and will ask a DNS resolver for help. It will return an IP like 176.34.155.23; the public network address you need to know to connect. This process is called a DNS lookup.
There are certain implications for both your privacy and your security as well as your liberty:
- Privacy
Since you ask the resolver for an IP for a domain name, it knows exactly which sites you're visiting and, thanks to the "Internet Of Things", often abbreviated as IoT, even which appliances you use at home.
- Security
You're trusting the resolver that the IP it returns is correct. There are certain checks to ensure it is so, under normal circumstances, that is not a common source of issues. These can be undermined though and that's why this article is important. If the IP is not correct, you can be fooled into connecting to malicious 3rd parties - even without ever noticing any difference. In this case, your privacy is in much greater danger because, not only are the sites you visit tracked, but the contents as well. 3rd parties can see exactly what you're looking at, collect personal information you enter (such as password), and a lot more. Your whole identity can be taken over with ease.
- Liberty
Censorship is commonly enforced via DNS. It's not the most effective way to do so but it is extremely widespread. Even in western countries, it's routinely used by corporations and governments. They use the same methods as potential attackers; they will not return the correct IP when you ask. They could act as if the domain doesn't exist or direct you elsewhere entirely.
2. Ways DNS lookups can happen
2.1 3rd Party DNS Resolvers Hosted By Your ISP
Most people are using 3rd party resolvers hosted by their internet service provider. When you connect your modem, they will automatically be fetched and you might never bother with it at all.
2.2 3rd Party DNS Resolver Of Your Choice
If you already knew what DNS means then you might have decided to use another DNS resolver of your choice. This might improve the situation since it makes it harder for your ISP to track you and you can avoid some forms of censorship. Both are still possible though, but the methods required are not as widely used.
2.3 Your Own (local) DNS Resolver
You can run your own and avoid some of the possible perils of using others'. If you're interested in more information drop us a line.
3. Root Certificates
3.1 What Is A Root Certificate?
Whenever you visit a website starting with https, you communicate with it using a certificate it sends. It enables your browser to encrypt the communication and ensures that nobody listening in can snoop. That's why everybody has been told to look out for the https (rather than http) when logging into websites. The certificate itself only verifies that it has been generated for a certain domain. There's more though:
That's where the root certificate comes in. Think of it as the next higher level that makes sure the levels below are correct. It verifies that the certificate sent to you has been authorized by a certificate authority. This authority ensures that the person creating the certificate is actually the real operator.
This is also referred to as the chain of trust. Your operating system includes a set of these root certificates by default so that the chain of trust can be guaranteed.
3.2 Abuse
We now know that:
- DNS resolvers send you an IP address when you send a domain name
- Certificates allow encrypting your communication and verify they have been generated for the domain you visit
- Root certificates verify that the certificate is legitimate and has been created by the real site operator
How can it be abused?
- A malicious DNS resolver can send you a wrong IP for the purpose of censorship as said before. They can also send you to a completely different site.
- This site can send you a fake certificate.
- A malicious root certificate can "verify" this fake certificate.
This site will look absolutely fine to you; it has https in the URL and, if you click it, it will say verified. All just like you learned, right? No!
It now receives all the communication you intended to send to the original. This bypasses the checks created to avoid it. You won't receive error messages, your browser won't complain.
All your data is compromised!
4. Conclusion
4.1 Risks
- Using a malicious DNS resolver can always compromise your privacy but your security will be unharmed as long as you look out for the https.
- Using a malicious DNS resolver and a malicious root certificate, your privacy and security are fully compromised.
4.2 Actions To Take
Do not ever install a 3rd party root certificate! There are very few exceptions why you would want to do so and none of them are applicable to general end users.
Do not fall for clever marketing that ensures "ad blocking", "military grade security", or something similar. There are methods of using DNS resolvers on their own to enhance your privacy but installing a 3rd party root certificate never makes sense. You are opening yourself up to extreme abuse.
5. Seeing It Live
5.1 WARNING
A friendly sysadmin provided a live demo so you can see for yourself in realtime. This is real.
DO NOT ENTER PRIVATE DATA!
REMOVE THE CERT AND DNS AFTERWARDS
If you do not know how to, don't install it in the first place. While we trust our friend you still wouldn't want to have the root certificate of a random and unknown 3rd party installed.
5.2 Live Demo
Here is the link: http://keweonbet.info.tm/
- Set the provided DNS resolver
- Install the provided root certificate
- Visit https://paypal.com and enter random login data
- Your data will show up on the website
6. Further Information
If you are interested in more technical details, let us know. If there is enough interest, we might write an article but, for now, the important part is sharing the basics so you can make an informed decision and not fall for marketing and straight up fraud. Feel free to suggest other topics that are important to you.
For more information/feedback/corrections visit our chat linked in the pinned post. (Search ID 0728e516cf2446e7b25af7622c26d8d + 5 in case you hid it.)
All content is licensed under CC BY-NC-SA 4.0. (Attribution-NonCommercial-ShareAlike 4.0 International https://creativecommons.org/licenses/by-nc-sa/4.0/)
- DNS resolvers send you an IP address when you send a domain name
- Certificates allow encrypting your communication and verify they have been generated for the domain you visit
- Root certificates verify that the certificate is legitimate and has been created by the real site operator
How can it be abused?
- A malicious DNS resolver can send you a wrong IP for the purpose of censorship as said before. They can also send you to a completely different site.
- This site can send you a fake certificate.
- A malicious root certificate can "verify" this fake certificate.
This site will look absolutely fine to you; it has https in the URL and, if you click it, it will say verified. All just like you learned, right? No!
It now receives all the communication you intended to send to the original. This bypasses the checks created to avoid it. You won't receive error messages, your browser won't complain.
All your data is compromised!
4. Conclusion
4.1 Risks
- Using a malicious DNS resolver can always compromise your privacy but your security will be unharmed as long as you look out for the https.
- Using a malicious DNS resolver and a malicious root certificate, your privacy and security are fully compromised.
4.2 Actions To Take
Do not ever install a 3rd party root certificate! There are very few exceptions why you would want to do so and none of them are applicable to general end users.
Do not fall for clever marketing that ensures "ad blocking", "military grade security", or something similar. There are methods of using DNS resolvers on their own to enhance your privacy but installing a 3rd party root certificate never makes sense. You are opening yourself up to extreme abuse.
5. Seeing It Live
5.1 WARNING
A friendly sysadmin provided a live demo so you can see for yourself in realtime. This is real.
DO NOT ENTER PRIVATE DATA!
REMOVE THE CERT AND DNS AFTERWARDS
If you do not know how to, don't install it in the first place. While we trust our friend you still wouldn't want to have the root certificate of a random and unknown 3rd party installed.
5.2 Live Demo
Here is the link: http://https-interception.info.tm
- Set the provided DNS resolver
- Install the provided root certificate
- Visit https://paypal.com and enter random login data
- Your data will show up on the website
6. Further Information
If you are interested in more technical details, let us know. If there is enough interest, we might write an article but, for now, the important part is sharing the basics so you can make an informed decision and not fall for marketing and straight up fraud. Feel free to suggest other topics that are important to you.
For more information/feedback/corrections visit just PM the poster here.
He activated Mail forwarding.
All content is licensed under CC BY-NC-SA 4.0. (Attribution-NonCommercial-ShareAlike 4.0 International https://creativecommons.org/licenses/by-nc-sa/4.0/)
I appreciate you taking the time to write this up.
After reading this, im a bit scared because yesterday i installed both the dns and cert from keweon and since then i logged into bank accounts and several important sites (apps and browser).
Is this really that bad? Is keweon creator really capable of stealing users data just by using a custom dns and cert?
2 yrs later the same s**t again?
I'm honored about the fact that you try to fight against keweon. It seems you are someone from the advertising industries and this statement is almost the same as you have started the big ****storm against me 2 yrs ago.
Did you ever talk about the 46 Root Certificates within Windows which are responsible to share Ransomware, Malware, Spyware and other crap? No.
Did you ever talks about all the Apps which are using hidden root certificates to spy user data? No.
Did you ever talk about custom ROMS which contains hidden Root Certificates? No.
But you are still fighting against me? What will ever happens when I would shut down keweon?
keweonDNS is cleaning up the internet for various threats and of cause advertising. Because of blocking this it's causing HTTPS errors. To suppress this errors I have developed this Root Certificate. At the moment everything is still just for testing and when I launch the "real Infrastructure" there will be definitely a different Root Certificate.
You can use the DNS even without the certificate. Where is the problem? It's not a need or a must to use it but then Adblock detection is possible and a lot of other things. All addresses outside are working via HTTPS and the only reason for this certificate is to prevent HTTPS errors caused by Adblocking. I was asking you for a better Idea - no answer. Even various data protection agreed to me that this is a good Idea to protect against data collections.
I'm 100% sure you are someone from the advertising industries because until today you are only talking about common things that "might" happens or that "can" happens or "possibilities". In the meantime a lot of companies are using keweonDNS and there are some big Companies and this will definitely show that you have no idea about HTTPS and how it is working.
I repeat again. Using keweonDNS is cleaing up the internet within an incredible way. If you want to have everything faster or if you want to suppress the upcomming HTTPS errors cause by Adblocking YOU CAN USE the Certificate. It's not a MUST HAVE. But if you ever have a better Idea to fight against data collection and privacy violation without a certificate then any idea is welcome. That's the reason why it's still a TEST SYSTEM.
This certificate suppress all Adblock detections and data collections. Why you don't talk about this? Why you only talk about this is possible and that is possible? Why you don't write about the actual facts? Why you don't write about the things which are possible with the certificate?
In the meantime there are worldwide 32 million users who are using keweonDNS. Do you honestly think I didn't expect someone to try a ****storm against me or keweon? keweonDNS is a war declaration against Google, Facebook, Microsoft, Yahoo and the entire worldwide ads industry and you are talking about evil things what "might" happens? But hey, it's OK for me
I still offer to you - if you have a better idea let's do it together. I'm open for any idea or help. If you still want to fight against me then this shows me you support Google, data collection and privacy violation.