[WARNING] DNS + Root Cert is insecure! - Android General

Firstly some little rant about keweon which is the most hypocrite security service I've ever seen:
[
The mentioned bet was with me. PM for details or public if you make me care enough.
>Copypasting all the elaborate posts from the Telegram sphere as I cant bother to spend much time on it.
I mostly agree with whats written there.
Seriously I dont care about Thorsten (MrT69) personally or in any other way.
I am actually quite sick of this topic. Even mad that I have to deal with basic **** like that. These people managed to trigger a hermit into logging on to tracking heavy XDA.
Why I do this? It needs to be done.
I could have never imagined that such a blatant scam could gain enough traction that it regularly annoys me.
]
<<< A little bit of ranting about keweon >>>
"
Evidence and proof of concept that keweon Online Security is not as secure as claimed by its developer.
After a group of independent IT and cyber security specialists proved that keweon is not as secure as claimed by the developer, they confronted the developer with the results and reminded him of a bet. All keweon support groups on TG then were deleted by the developer personally and without further explanation on the morning of February 4, 2019.
We all know by now that the way keweon DNS works is based on users using keweon's DNS and the keweon root certificate.
What has now been proven is exactly what keweon could do with its users, but Torsten vehemently denies and claims "that's impossible" and "that doesn't work":
1. get users to use your DNS server.
2. get users to use your root certificate.
3. redirecting a page, e.g. mybank.com, to one of the keweon servers (by changing the DNS record)
4. issue your own SSL certificate for the website, users have installed your Root-CA and so this is not a "witch work"
5. read username/password from the connection (if 2FA is used, just wait until the user logs in and use the token again quickly as it is valid for 30 seconds).
We now have proof that this is possible without a doubt. In fact, this is a classic MITM attack, and anyone who denies that it is possible either has no idea (you shouldn't assume this from Torsten) or is trying to hide something from his users.
The developer of keweon has repeatedly asserted and insisted that a root certificate cannot intercept connections or collect data.
Quote from the keweon developer with his PayPal bet:
"Prove that to me. Give me any DNS and a root certificate and try to get my PayPal data.
I'll then even contact you when I sign up for PayPal. If you manage to get my PayPal data this way, you can log in and transfer 500 Euro to your account. I have made this offer very often and this is a serious offer from my side."
Unfortunately the developer of keweon didn't contribute his part to the test as he promised so often and of course he didn't log into Paypal via our provided DNS and root certificate.
The only reaction on his part was, apart from some insults, the deletion of all keweon groups on TG.
The security test of the keweon servers also revealed that under certain conditions connections are even redirected to keweon's own termination server and answered with 1x1 pixel gifs.
The fact is that the requests contain tracking IDs that can be easily managed from these servers.
So even Torsten's statement that the keweon SSL server only terminates requests with empty (0 byte) responses is wrong.
This again contradicts Torsten's own statement.
The point now is that the developer of keweon Online Security is actively trying to deny that it is possible for him to abuse the root certificate, although it has now been proven that it is actually possible for him to do exactly that with the keweon root certificate and its users.
Until the developer decides to disprove the accusations made against keweon Online Security or can prove that the accusations against him are unfounded, it is advisable for obvious reasons of security not to use keweon Online Security for the time being.
Anyone who is interested in repeating this test can do so at:
http://https-interception.info.tm/, where you will find a DNS and a root certificate, same as with keweon Online Security.
Furthermore there is a real-time log about recorded connections.
Everything else can be found there.
Please be careful not to use your correct email address or password for this test!
#keweon #test #bet #evidence #ProofOfConcept
"
<<< /rant >>>
<<< Explanation of some DNS and TLS/HTTPS basics for noobs >>>
DNS And Root Certificates - What You Need To Know
e8aebe8eb8b24035ae75260ca0ea80a7 / 20190205
Due to recent events we felt compelled to write an impromptu article on this matter. It's intended for all audiences so it will be kept simple - technical details may be posted later.
1. What Is DNS And Why Does It Concern You?
DNS stands for Domain Name System and you encounter it daily. Whenever your web browser or any other application connects to the internet it will most likely do so using a domain. A domain is simply the address you type: i.e. duckduckgo.com. Your computer needs to know where this leads to and will ask a DNS resolver for help. It will return an IP like 176.34.155.23; the public network address you need to know to connect. This process is called a DNS lookup.
There are certain implications for both your privacy and your security as well as your liberty:
- Privacy
Since you ask the resolver for an IP for a domain name, it knows exactly which sites you're visiting and, thanks to the "Internet Of Things", often abbreviated as IoT, even which appliances you use at home.
- Security
You're trusting the resolver that the IP it returns is correct. There are certain checks to ensure it is so, under normal circumstances, that is not a common source of issues. These can be undermined though and that's why this article is important. If the IP is not correct, you can be fooled into connecting to malicious 3rd parties - even without ever noticing any difference. In this case, your privacy is in much greater danger because, not only are the sites you visit tracked, but the contents as well. 3rd parties can see exactly what you're looking at, collect personal information you enter (such as password), and a lot more. Your whole identity can be taken over with ease.
- Liberty
Censorship is commonly enforced via DNS. It's not the most effective way to do so but it is extremely widespread. Even in western countries, it's routinely used by corporations and governments. They use the same methods as potential attackers; they will not return the correct IP when you ask. They could act as if the domain doesn't exist or direct you elsewhere entirely.
2. Ways DNS lookups can happen
2.1 3rd Party DNS Resolvers Hosted By Your ISP
Most people are using 3rd party resolvers hosted by their internet service provider. When you connect your modem, they will automatically be fetched and you might never bother with it at all.
2.2 3rd Party DNS Resolver Of Your Choice
If you already knew what DNS means then you might have decided to use another DNS resolver of your choice. This might improve the situation since it makes it harder for your ISP to track you and you can avoid some forms of censorship. Both are still possible though, but the methods required are not as widely used.
2.3 Your Own (local) DNS Resolver
You can run your own and avoid some of the possible perils of using others'. If you're interested in more information drop us a line.
3. Root Certificates
3.1 What Is A Root Certificate?
Whenever you visit a website starting with https, you communicate with it using a certificate it sends. It enables your browser to encrypt the communication and ensures that nobody listening in can snoop. That's why everybody has been told to look out for the https (rather than http) when logging into websites. The certificate itself only verifies that it has been generated for a certain domain. There's more though:
That's where the root certificate comes in. Think of it as the next higher level that makes sure the levels below are correct. It verifies that the certificate sent to you has been authorized by a certificate authority. This authority ensures that the person creating the certificate is actually the real operator.
This is also referred to as the chain of trust. Your operating system includes a set of these root certificates by default so that the chain of trust can be guaranteed.
3.2 Abuse
We now know that:
- DNS resolvers send you an IP address when you send a domain name
- Certificates allow encrypting your communication and verify they have been generated for the domain you visit
- Root certificates verify that the certificate is legitimate and has been created by the real site operator
How can it be abused?
- A malicious DNS resolver can send you a wrong IP for the purpose of censorship as said before. They can also send you to a completely different site.
- This site can send you a fake certificate.
- A malicious root certificate can "verify" this fake certificate.
This site will look absolutely fine to you; it has https in the URL and, if you click it, it will say verified. All just like you learned, right? No!
It now receives all the communication you intended to send to the original. This bypasses the checks created to avoid it. You won't receive error messages, your browser won't complain.
All your data is compromised!
4. Conclusion
4.1 Risks
- Using a malicious DNS resolver can always compromise your privacy but your security will be unharmed as long as you look out for the https.
- Using a malicious DNS resolver and a malicious root certificate, your privacy and security are fully compromised.
4.2 Actions To Take
Do not ever install a 3rd party root certificate! There are very few exceptions why you would want to do so and none of them are applicable to general end users.
Do not fall for clever marketing that ensures "ad blocking", "military grade security", or something similar. There are methods of using DNS resolvers on their own to enhance your privacy but installing a 3rd party root certificate never makes sense. You are opening yourself up to extreme abuse.
5. Seeing It Live
5.1 WARNING
A friendly sysadmin provided a live demo so you can see for yourself in realtime. This is real.
DO NOT ENTER PRIVATE DATA!
REMOVE THE CERT AND DNS AFTERWARDS
If you do not know how to, don't install it in the first place. While we trust our friend you still wouldn't want to have the root certificate of a random and unknown 3rd party installed.
5.2 Live Demo
Here is the link: http://keweonbet.info.tm/
- Set the provided DNS resolver
- Install the provided root certificate
- Visit https://paypal.com and enter random login data
- Your data will show up on the website
6. Further Information
If you are interested in more technical details, let us know. If there is enough interest, we might write an article but, for now, the important part is sharing the basics so you can make an informed decision and not fall for marketing and straight up fraud. Feel free to suggest other topics that are important to you.
For more information/feedback/corrections visit our chat linked in the pinned post. (Search ID 0728e516cf2446e7b25af7622c26d8d + 5 in case you hid it.)
All content is licensed under CC BY-NC-SA 4.0. (Attribution-NonCommercial-ShareAlike 4.0 International https://creativecommons.org/licenses/by-nc-sa/4.0/)
- DNS resolvers send you an IP address when you send a domain name
- Certificates allow encrypting your communication and verify they have been generated for the domain you visit
- Root certificates verify that the certificate is legitimate and has been created by the real site operator
How can it be abused?
- A malicious DNS resolver can send you a wrong IP for the purpose of censorship as said before. They can also send you to a completely different site.
- This site can send you a fake certificate.
- A malicious root certificate can "verify" this fake certificate.
This site will look absolutely fine to you; it has https in the URL and, if you click it, it will say verified. All just like you learned, right? No!
It now receives all the communication you intended to send to the original. This bypasses the checks created to avoid it. You won't receive error messages, your browser won't complain.
All your data is compromised!
4. Conclusion
4.1 Risks
- Using a malicious DNS resolver can always compromise your privacy but your security will be unharmed as long as you look out for the https.
- Using a malicious DNS resolver and a malicious root certificate, your privacy and security are fully compromised.
4.2 Actions To Take
Do not ever install a 3rd party root certificate! There are very few exceptions why you would want to do so and none of them are applicable to general end users.
Do not fall for clever marketing that ensures "ad blocking", "military grade security", or something similar. There are methods of using DNS resolvers on their own to enhance your privacy but installing a 3rd party root certificate never makes sense. You are opening yourself up to extreme abuse.
5. Seeing It Live
5.1 WARNING
A friendly sysadmin provided a live demo so you can see for yourself in realtime. This is real.
DO NOT ENTER PRIVATE DATA!
REMOVE THE CERT AND DNS AFTERWARDS
If you do not know how to, don't install it in the first place. While we trust our friend you still wouldn't want to have the root certificate of a random and unknown 3rd party installed.
5.2 Live Demo
Here is the link: http://https-interception.info.tm
- Set the provided DNS resolver
- Install the provided root certificate
- Visit https://paypal.com and enter random login data
- Your data will show up on the website
6. Further Information
If you are interested in more technical details, let us know. If there is enough interest, we might write an article but, for now, the important part is sharing the basics so you can make an informed decision and not fall for marketing and straight up fraud. Feel free to suggest other topics that are important to you.
For more information/feedback/corrections visit just PM the poster here.
He activated Mail forwarding.
All content is licensed under CC BY-NC-SA 4.0. (Attribution-NonCommercial-ShareAlike 4.0 International https://creativecommons.org/licenses/by-nc-sa/4.0/)

I appreciate you taking the time to write this up.

After reading this, im a bit scared because yesterday i installed both the dns and cert from keweon and since then i logged into bank accounts and several important sites (apps and browser).
Is this really that bad? Is keweon creator really capable of stealing users data just by using a custom dns and cert?

2 yrs later the same s**t again?
I'm honored about the fact that you try to fight against keweon. It seems you are someone from the advertising industries and this statement is almost the same as you have started the big ****storm against me 2 yrs ago.
Did you ever talk about the 46 Root Certificates within Windows which are responsible to share Ransomware, Malware, Spyware and other crap? No.
Did you ever talks about all the Apps which are using hidden root certificates to spy user data? No.
Did you ever talk about custom ROMS which contains hidden Root Certificates? No.
But you are still fighting against me? What will ever happens when I would shut down keweon?
keweonDNS is cleaning up the internet for various threats and of cause advertising. Because of blocking this it's causing HTTPS errors. To suppress this errors I have developed this Root Certificate. At the moment everything is still just for testing and when I launch the "real Infrastructure" there will be definitely a different Root Certificate.
You can use the DNS even without the certificate. Where is the problem? It's not a need or a must to use it but then Adblock detection is possible and a lot of other things. All addresses outside are working via HTTPS and the only reason for this certificate is to prevent HTTPS errors caused by Adblocking. I was asking you for a better Idea - no answer. Even various data protection agreed to me that this is a good Idea to protect against data collections.
I'm 100% sure you are someone from the advertising industries because until today you are only talking about common things that "might" happens or that "can" happens or "possibilities". In the meantime a lot of companies are using keweonDNS and there are some big Companies and this will definitely show that you have no idea about HTTPS and how it is working.
I repeat again. Using keweonDNS is cleaing up the internet within an incredible way. If you want to have everything faster or if you want to suppress the upcomming HTTPS errors cause by Adblocking YOU CAN USE the Certificate. It's not a MUST HAVE. But if you ever have a better Idea to fight against data collection and privacy violation without a certificate then any idea is welcome. That's the reason why it's still a TEST SYSTEM.
This certificate suppress all Adblock detections and data collections. Why you don't talk about this? Why you only talk about this is possible and that is possible? Why you don't write about the actual facts? Why you don't write about the things which are possible with the certificate?
In the meantime there are worldwide 32 million users who are using keweonDNS. Do you honestly think I didn't expect someone to try a ****storm against me or keweon? keweonDNS is a war declaration against Google, Facebook, Microsoft, Yahoo and the entire worldwide ads industry and you are talking about evil things what "might" happens? But hey, it's OK for me
I still offer to you - if you have a better idea let's do it together. I'm open for any idea or help. If you still want to fight against me then this shows me you support Google, data collection and privacy violation.

Related

Poor SSL Implementations Leave Many Android Apps Vulnerable

Originally Posted by timothyon Saturday October 20, @08:27AM
from the that's-why-they-buy-guns dept.
Trailrunner7 writes "There are thousands of apps in the Google Play mobile market that contain serious mistakes in the way that SSL/TLS is implemented, leaving them vulnerable to man-in-the-middle attacks that could compromise sensitive user data such as banking credentials, credit card numbers and other information. Researchers from a pair of German universities conducted a detailed analysis of thousands of Android apps and found that better than 15 percent of those apps had weak or bad SSL implementations. The researchers conducted a detailed study of 13,500 of the more popular free apps on Google Play, the official Android app store, looking at the SSL/TLS implementations in them and trying to determine how complete and effective those implementations are. What they found is that more than 1,000 of the apps have serious problems with their SSL implementations that make them vulnerable to MITM attacks, a common technique used by attackers to intercept wireless data traffic. In its research, the team was able to intercept sensitive user data from these apps, including credit card numbers, bank account information, PayPal credentials and social network credentials."
Refrence http://yro.slashdot.org/story/12/10...mentations-leave-many-android-apps-vulnerable
I myself have implemented them for shopping apps (SSL for anything dealing with user details, payment, etc.). When you're communicating with an external service that requires (or where you want to use) encrypted connections and that service only offers SSL (this is probably 90% of the time) you need to use it. Now the catch here is that the standard SSL handlers available to you in Android provide an "ideal" setup, where servers and certs are exactly as they "should" be. The problem is unless you are paying rediculous amounts for dedicated SSL services and high quality certs your setup will not be the "ideal", and you'll have to make exceptions by overriding code.
As an example, in the shopping system I set up there were two sets of certs, one set was signed [payment gateway] the other wasn't [user control panel]. I had to jump through a few hoops, and the app would be open for man-in-the-middle if set up right - but luckily all they'd get would be user login details, address and phone number - billing is all external and requires a separate authorization.
As spreading news about the issue among would only be able to protect privacy and crucial information of the consumers
all discussion regarding this issue are being welcomed kindly try to focus to fix this issue

Making the Mobile Web Safer with HTTPS Everywhere

EFF is bringing the security and privacy of HTTPS Everywhere to an important new frontier: your Android phone. As of today, you can install HTTPS Everywhere on Firefox for Android (until now, it could only protect desktop browsers). With HTTPS Everywhere installed, Firefox for Android encrypts thousands of connections from your browser that would otherwise be insecure. This gives Firefox a huge security advantage over every other mobile browser available today.
This is exciting news, because HTTPS encryption allows smartphone users to safely download apps, browse the web, exchange emails and instant messages, sync data between devices, and countless other everyday tasks. As we carry around our phones and tablets, we often connect to unfamilar WiFi networks, putting our personal data at risk of being monitored, collected, and tampered with by anyone else on the same network, as well as Internet Service Providers, network operators, and government agencies. In fact, we discovered last week that NSA and GCHQ have been invisibly tracking and profiling users based on data leakage from smartphone apps.
HTTPS Everywhere guards agains these attacks in your browser by switching insecure HTTP connections to secure HTTPS connections whenever possible using thousands of URL rewrite rules. Whereas data sent to a server over HTTP can easily be read and modified by third parties, HTTPS uses strong encryption to guarantee data confidentiality and integrity.
Click to expand...
Click to collapse
https://www.eff.org/deeplinks/2014/01/making-the-mobile-web-safer-with-https-everywhere
Figured I'd share this with you guys. HTTPS Everywhere has been a great desktop Firefox addon, I'm really happy to see them finally get a mobile Firefox version out. Probably the best way this would protect people are when using public wifi, but of course the site you visit would have to offer some form of HTTPS/SSL for the addon to work. It basically just helps you get the most out of sites that do offer it (some sites, like Youtube for instance default to HTTP).
Hmmm.. interesting.... But does Https Everywhere still have the problem that because of it, pages in general load a lot slower?
I haven't noticed any slow down personally. All this does really is help sites that support HTTPS/SSL to some extent, but for whatever reason do not default to it when I user visits the page. And obviously they make sure the site doesn't get broken before adding it in their extension's site list.
There's a whole FAQ here too that might explain it better than I ever could. All I know is if Tor browsers use it along with Noscript, it's a good security add on. Way better than nothing.
https://www.eff.org/https-everywhere/faq
But the add on should also make use of their SSL Observatory, which is a measure in place to protect users:
The EFF SSL Observatory is a project to investigate the certificates used to secure all of the sites encrypted with HTTPS on the Web. We have downloaded datasets of all of the publicly-visible SSL certificates on the IPv4 Internet, in order to search for vulnerabilities, document the practices of Certificate Authorities, and aid researchers interested the web's encryption infrastructure.
Click to expand...
Click to collapse
https://www.eff.org/observatory

[DEV] keweon - AdBlocker (RC1 Edition) [Project disruption]

Beginning with 2016 we will not longer support the coexistence with EYEO's AdBlocker.
This tool is an advertising gateway and they will pass more and more advertising.​
keweonDNS
THE FIRST ADBLOCKER WORLDWIDE
WHICH RUNS ON
EVERY OPERATION SYSTEM
EVERY BROWSER
EVERY SYSTEM
without any Software Installation
Tested & working on:
WinXP to Win10 - Windows Mobile - Linux - UNIX - Android - iPhone - iPad - MacOS - BeOS - BLACKBERRY - JavaOS - XBOX - PLAYSTATION - APPLE WATCH - WebOS - Microsoft EDGE - RASBERRY - NAS DEVICES - SmartTV's​
​
Click to expand...
Click to collapse
​I'm proud to present a brand new ad-block and security solution. I hope to find some supporter here to check, test and optimize the system.
The name of this system is keweon which is a short form from the German words "keine werbung online". Translated to English this would be "no advertising online"
Unfortunately every online presence is within German language because my English is not longer the best.
The idea and very first solution was born in year 2003. In the year 2013 I decided to launch the system as an online based system and we have tested this system almost on every device. AdBlocking is just only one of the many features but at the moment it's only important if the black and white lists are usable and what to change.
keweon is also the only adblock solution world wide which is not possible to block. If you find a web page where you receive the message "Blocked because you are using an adblocker" let me know this link here or post it on our facebook page and we will change this.
Now it's up to you to decide what you want to think about it.
How can you use it?
The big advantage is that you don't need to install any software. Just point your device to the keweonDNS Server and - that's it!
You can use it on your device or on your SOHO Router or you can use it just on your PC to test and see how does it work.
It's working on EVERY operation system, on EVERY device. Even on IPhone, PlayStation, XBOX and if you want it will even run on the Apple Watch.
Here are the keweonDNS Server list and where they are located:
DNS Server IPv4
GERMANY 01 (*) 46.101.208.121
GERMANY 02 (**) 46.101.187.194
UNITED KINGDOM 01 (*) 178.62.117.240
USA - Dallas (TX) (**) 45.32.198.153
DNS Server IPv6
GERMANY 01 (*) 2a03:b0c0:3:d0::3c:7001
GERMANY 02 (**) 2a03:b0c0:3:d0::b0:8001
UNITED KINGDOM 01 (*) 2a03:b0c0:1:d0::28:8001
USA - Dallas (TX) (**) 2001:19f0:6400:8945:5400:00ff:fe17:5dba
(*) = only available for Germany, Austria, Switzerland and Liechtenstein
(**) = global available
Our DNS Server are not pointing to Google server at the other end. We want to have a clean DNS solution. The DNS servers points to root-server.net infrastructure only.
This might cause some troubles e.g. with MarkMonitor URL's and Domains. I don't care because this company is anyway block at 99,999% via keweonDNS
HTTPS Advertising - no more chance
This is also a big advantage that keweon is able to cover also this crap. We know the current solution is not the best but it is the cheapest.
If you want get rid of the HTTPS advertising error message than you need to install the keweon Adblock Root Certificate on your Computer or on your device.
I know that there are better solutions but the problem is that keweon is currently just a hobby and to buy a public certificate and spending 800 Euro just for fun would be a big financial pain.
You don't need the certificate to use the keweon Adblock but if you want to get rid of the https nags you need to use is.
Browser example without keweon Root Certificate:
{
"lightbox_close": "Close",
"lightbox_next": "Next",
"lightbox_previous": "Previous",
"lightbox_error": "The requested content cannot be loaded. Please try again later.",
"lightbox_start_slideshow": "Start slideshow",
"lightbox_stop_slideshow": "Stop slideshow",
"lightbox_full_screen": "Full screen",
"lightbox_thumbnails": "Thumbnails",
"lightbox_download": "Download",
"lightbox_share": "Share",
"lightbox_zoom": "Zoom",
"lightbox_new_window": "New window",
"lightbox_toggle_sidebar": "Toggle sidebar"
}
Browser example with keweon Root Certificate:
If you want to see what is inside this certificate than browse to the keweon HTTPS Sniper Server and take a look inside the SSL Certificate. You can see what URL's we will take over for ad-blocking reason.
How does keweonDNS work?
It's not a big secret because EVERYTHING is working on 100% pure native DNS technologies. The only thing you need is a FreeBSD Server, a LINUX Server and - YES, it is REQUIRED - a Windows Server. You need to build your own operation system based on UNIX and some special kernel things.
That's all!
I also have had a contact to a big AdBlock Company and the CEO still think this solution is a Proxy solution. I don't want to make a big discussion but keweon is running on 100% native DNS.
The only exception for this is currently YouTube. We have unlocked YouTube that you will not longer get stupid messages "Is blocked because...".
In non other country of the world are more Videos blocked than in Germany. Don't ask for the secret of the YouTube solution. It's working and we will not send the traffic over the keweon systems. That's the reason why we can offer this solution to nearly half a million users.
Check this and see:
https://apps.opendatacity.de/gema-vs-youtube/en/
Currently we have the problem that YouTube unblocker will not run 100% on iOS devices. If you want to see EVERY Video you need to uninstall the YouTube App from your device and watch the videos within the browser.
Therefore I would need additional help to sort out where the hell this app will take the GEO location information's. At the moment it seems it will use the iOS API for this but my knowledge about the iOS API is very limited.
Here are the important links:
On Facebook: https://www.facebook.com/keweonNetwork
On Twitter: https://www.twitter.com/keweonNetwork
Because of legal reason the web site is still offline. One little error on the page could cost a lot of money in Germany.
The Web: http://www.keweon.de
The keweon Root Certificate.
Keep in mind it is not required to use the certificate. If you want to get rid of the HTTPS error messages u can use it but for the basic Ad-blocking it is NOT REQUIRED.
Here is the list of the current entries within our certificate. You can double check this within our HTTPS sniper server: https://adblock.keweon.center
http://forum.keweon.de/viewtopic.php?f=9&t=8
For Windows Systeme (MSI File)
The certificate is working for IE, Edge and Chrome Browser.
http://pki.keweon.center/certs/keweonAdBlockCertificate.msi
MSI within a ZIP file:
http://pki.keweon.center/certs/keweonAdBlockCertificate-MSI.zip
For Android and iOS devices, also for Firefox and Mozilla Browser:
http://pki.keweon.center/certs/keweonAdBlockCertificate.crt
CRT within a ZIP file:
http://pki.keweon.center/certs/keweonAdBlockCertificate-CRT.zip
For Admins to use it within Active Directory as REG file:
http://pki.keweon.center/certs/keweonAdblockCertificate.reg
REG within a ZIP file:
http://pki.keweon.center/certs/keweonAdblockCertificate-REG.zip
If you want to have a "AllInOne Package" use this link please:
http://pki.keweon.center/certs/keweonAdblockCertificate.zip
What will this cost?
It will cost nothing. You can use it where ever you want to use it.
Why it's free?
Because we can do it.
We are unknown.
We don't know what you think about this solution.
That's the reason why this will be free of charge. But keep in mind that this system is only a demo system because we don't have the money to do what we want to do.
The only thing what we expect:
Like, Share and Promote us here by XDA (hit the Thanks Button), on Facebook and Twitter. That's all we want to have from you.
And now?
Now it's your turn.
Read it, use it and decide if you want to have the Internet in a newer Version. Take a look and see.
Hope you enjoy it!
How you can support keweon?
If you have found an address which is blocked that needs to be unblocked or if you have found additional critical address then just send this via email.
At the moment we need to cross check everything manually but we hope that we can automated this process within a few weeks. For this it is important how you send the email. Let's give a short example.
BLACKLIST EXAMPLE:
You have found the URL www.ads-terror.com. But this address is a Popup from the site www.cool-site.com
Now create a text file as like as a hosts file and add the bad URL. Use the Hash sign (#) to seperate the comment. As comment you should use the source URL where you have found the Popup.
www.ads-terror.com # www.cool-site.com
If you have found a malware site or address or something like the "Flashplayer Update" which is in real a malware or spyware trash than comment this with what it is. Just one or two words that we know what it is. You can also combine this or write a few more words. It's up to you.
www.ads-terror.com # fake flashplayer
WHITELIST EXAMPLE:
We know that 7 million entries will not be 100% safe and clean. So don't worry, if you find an address which is blocked which should be not blocked than let's whitelist this.
Also write this into a TXT File and comment this with some self spelling infos that we know why.
bit.ly # Twitter URL shortener
That's all. Please don't send any screenshot or PDF or anything else than a TXT file. Keep in mind that we only will work with the attachments. It does not make sence to send the information within the email body. Whatever you write in the mail this will be ignored because this is an half automated process.
Where to send?
It's easy.
If you have an request and attachment for white listing send this to:
[email protected]
If you have an request and attachment for black listing send this to:
[email protected]
Anything else?
Yes. If you have seen a website where you will receive the Message "this website is blocked because you are using an adblocker" than we also want this to know.
Sometimes it will take a few hours, sometimes this can take up to 3 days until whe are able to break this. But we keep you updated on twitter if we are able to remove this crap.
If you have found an address please copy this address also into a TXT file and send this to:
[email protected]
A few of our blocked URL's might cause some HTTPS errors. For this we have the Root Certificate and because of this we are able to manage this errors within a few minutes.
If you are using the keweon Adblock Root Certificate and find an error on a web page than make a screenshot OR send a TXT file with the URL.
We will double check this and if we see that this address needs to be placed in our HTTPS certficate we will do this. If something wents wrong we will remove this address from our blacklist.
If you see or find an error within the HTTPS certificate than we also need this to know. Send the screenshot or the TXT file to this address and we will take action.
[email protected]
Update of white and black lists
Currently we have a job, we have family and we can not offer 24x7 support for this. This system is just a damn small system, it's a hobby and this update procedure can cause a timeout for round about 60 sec. when we do an update on our DNS Servers. We know how to solve this but we don't have the money currently for this.
This update has only impact to NEW site and URL requests.
If you are playing an online game, stay on facebook or doing work on the same site you will see no interruption. If you do a new site request and you will see that this request runs into a time out take a smoke or move away for a new cup of coffee.
I hope you enjoy this and if you have any recommendations please let me know this.
What is keweonDNS?
keweonDNS is more than just a simple adblocker system. keweon is a solution which offers a lot of cute things.
privacy Protection
protection by Virus and Trojan infection (prevent the download of additional files)
protection against spying (blocking the source address)
Internet without Ads and Popups
real time online ad-blocking
domain address based
working with ipv4 and ipv6
tracking protection
malware protection
spyware protection
trojan protection
fake security filter
fake software filter
phishing protection
advantage because of all of this: up to 50% faster internet on all devices
We also have found a solution where we are able to block even IP Addresses and filter single websites or a picture. But currently it is to expensive to release this for public usage.
We need your support!
The keweonDNS phishing protection is a beta solution at the moment because we have the idea. We know what to do. We know where to do.
But we have no email with a phishing address or URL. We hope someone of you is able to support us and send us a few URL's.
If you receive a phishing mail than copy the content of the mail into a TXT file. Please make sure that you will copy the PHISHING address into this TXT file and then send the TXT file as attachment to:
[email protected]
!!! ATTENTION !!!
IF YOU DON'T KNOW WHAT TO DO - NEVER CLICK ON A LINK WITHIN A PHISHING MAIL.
ASK A FRIEND OF YOU OR SOMEONE WHO KNOWS WHAT TO DO!​
Click to expand...
Click to collapse
​If you are not sure than you can forward and send the complete mail to us. Please send this mail to:
[email protected]
The problem is that our mail provider might filter this mail. That is the reason why we are asking for the source and destination address within a text file.
It will not help if you only send a screenshot because the LINK and the LINK REFERENCE are completely different. It's also an idea if you are able to save the message and send the message as ZIP file.
If we have this mail we will take action and prevent phishing attacks when you are using the keweonDNS Servers.
Currently we have not a real solution how you can send the information's within a secure way. You can do what you want as long as you are safe and can make sure that you will be not infected.
If you have any idea how to send the complete mail your welcome to keep us informed.
It seems no one is using this System because of my self signed Root Certificate.
I want to get rid of the Certificate installation.
Does someone know if there are some provider who offers free public web server certificates?
Currently I only know Comondo.
Thanks in advance!
(2015/12/11 - 12:15) EDIT:
Click to expand...
Click to collapse
We have done a Certificate request with public domains entries within the SAN field.
After this the certificate request was catched by fraud detection and they denied the certificate.
Bad luck for us. But we don't give up.
If someone knows a different solution than our Root Certificate please let me know.
At the moment it is only possible to get rid of the HTTPS trash with our Root Certificate.
Thanks in advance!
Over 500 Hits and no one seems to be interessted?
Can someone explain to me why there is a problem to give it a try and test this System?
Would be a great thing. Thanks in advance.
I'll give it a try, i already promoted it over my friends, i thank you for your work
Inviato dal mio Nexus 4 con Tapatalk 2
jacomail95 said:
I'll give it a try, i already promoted it over my friends, i thank you for your work
Inviato dal mio Nexus 4 con Tapatalk 2
Click to expand...
Click to collapse
That's good to know.I will Update this Thread with more options.
I have no exerience with Italy and ads, Malware and Spyware.
Hope you will give some feedback to optimize it. Infos and how2 will follow within this Thread the next few hours.
Thanks and I hope you enjoy this system
Now you can help us with update and clean up the white and black lists.
http://forum.xda-developers.com/showpost.php?p=64055856&postcount=2
Best regards!
Hello , thanks for this dns. Could you provide server & net provider information?
Please take a look at dnscrypt.org , usage would be great.
Your website isnt loading , what happened
Sent from my GT-I9505 using XDA Free mobile app
HeathenMan said:
Hello , thanks for this dns. Could you provide server & net provider information?
Please take a look at dnscrypt.org , usage would be great.
Your website isnt loading , what happened
Sent from my GT-I9505 using XDA Free mobile app
Click to expand...
Click to collapse
At this point DNS encryption is not a thing we Plan to implement.
This System is comlete VPS based and a real smal system.
We are using some overloaded security on the servers. If we have success to establish this as an commercial system we will use DNS encryption.
But at the moment we only want to clean up the Black and white lists and for this DNS encryption will cause more troubles than security.
Best regards!
Technical Focus:
It seems that adblock blocking will become the "Advertising Surprise XXL Feature" for 2016.
May be for all other Adblockers. But this will not work with the keweon System.
We cross the fingers and we wil see :fingers-crossed:
Blocking Adblocker which blocking ads to make sure that ads will never blocked
If you see any Website which is blocked when you will use an ad-blocker please test this also with the keweon System.
Yahoo is working on this to prevent ad-blocker usage.
We are working on this problem too and for a well-balanced result we take the other side.
Help and let us know when you find such a site!
Tell us what you think about this:
kinox.to and movie2k.to are now 98% ad free.
We also removed the abo traps when you use this sites on your mobile phone.
Best regards and we hope you enjoy this!
What are you doing with all the user data you are collecting with this?
Gesendet von meinem HTC One mit Tapatalk
flummi3000 said:
What are you doing with all the user data you are collecting with this?
Gesendet von meinem HTC One mit Tapatalk
Click to expand...
Click to collapse
Collecting data? From users? Or any connections?
I guess you are german because that's typically german bull****!
Who the hell told you that we collecting data? Collecting user data via DNS Server? Did you saw any data collection?
Do you realy belive that we break the communication to nearly everywhere and than we collect data for what?
Oh damn!! Almost idiots only here in germany!
Sprint
Anyone know how to change the DNS on android KK?
Sent from my N9515 using XDA Forums Pro.
brad65807 said:
Sprint
Anyone know how to change the DNS on android KK?
Sent from my N9515 using XDA Forums Pro.
Click to expand...
Click to collapse
Check the Playstore and search "RomToolBox". But this tool requires root.
Unfortunately I'm using currently an iPhone but with this Tool I have had the best experience on android.
With higher versions than KK (4.4) I have no clue how to change the DNS Servers because HTC OneMax with 4.4 was my last android device.
I just use the DNS changer from Playstore. Works fine so far. Thanks for your effort!:good:
Shockwave71 said:
I just use the DNS changer from Playstore. Works fine so far. Thanks for your effort!:good:
Click to expand...
Click to collapse
Good to know. thanks for the Feedback :good:
bencozzy said:
I have to agree this is not open source so only security conscious conclusion is that you are data sniffing.
Click to expand...
Click to collapse
Hmmm... Data sniffing with DNS? How? And why?
Everyone is claiming that it is not possible to protect data. I have found years ago a solution and after 10 years I decided to launch this as an online solution.
Let's assume that I will data sniffing. What can I get?
Compare DNS as a phone book. You have the option to look inside where the Webserver or the destination exists. You are searching only a phone number or IP Address.
If you take data from the webserver this will not served and offered by the DNS Servers because this will be done from the webserver which you are browsing to. DNS is only telling your browser, hey go there and there you will find the rest.
The only thing I would get is which IP address is seeking for what address. So what data I should sniff? I only will get the information which IP address is searching xyz.com. Based on this information what should I do with this?
If I would like to have this Data that makes no sence because I have a account to statista.com where I can get more and detailed informations about this. Therefore is no need to launch such a tool.
I decided to build this project DNS based because in no country of the world it is requrired to log DNS request. May be China is an exception but especially in germany where it is required by law to log EVERY web server access DNS will be an exception.
Everyone is claiming that it is not possible to filter dangerous things within the Internet or web sites. Also the site and user tracking. If you use my DNS you can browse to Amazon do a search any you will get not "stalking result" when you visit ebay after your amazon visit.
I have disabled this online tracking which a lot of people say this it not possible. I'm working with this keweonDNS solution since years and also a lot of other people. This was finally the reason why I decided to launch this system as a public system. I'm specialist for Active Directoy since 2000 and I promises to you I will and I can do things with DNS where others will never dream of.
And yes. The system is closed source. And it will stay closed source.
On the one hand I have spend years of work into this system and if you ask someone who has experience with DNS this guy will confirm that this will not work what I do. I heard this so many times - but it's working. On the other handy I keep this closed because I will give no one the chance to break my system or doing some evil things.
If this system will have success than hey, I will find an Investor and I'm able to implement all the security features and launch this as an global system. Yes, this is what I want to do with this.
At the moment you will see only 20% of it's power because all other things would make this system damn expensive when I would release this as public system.
Big companies better pray that this never will happens because for them this system will become an evil nightmare.
If it's no success and everyone has concerns to use it than I will put everything back into the drawer and that's it. At the moment it is fun, fun, fun and more fun. Nothing more.
The same is with my Adblock Root Certificate. I was searching a solution. I found it and it's working. Within a Windows System you will see 42 root certificates. Do you know what they will do? Do you know what they are responsible for? I guess you will not know this but you trust them by default.
I will open and release my complete certificate if you want.
I can not take the fear away which you might have with my system, it's up to you to use it. But the main reason is I want to keep my data on my machine. I don't like if someone try to spy me, my machine and everything what I do.
At the moment I only want to know if the Black and White Lists are OK. To launch the system as a public system there is a lot of additional work required which is not possible that one or two guys can handle this.
I have a solution. I offer the solution as a public system and I will never say that this is the master solution. But with keweon you have more security and options than every other system.
It is absolut O.K. that someone thinks twice bevor he use this system. It is absolut O.K. when someone do not trust the certificate. And it's absolut OK when someone think that this is a big peace of sh**t.
I expected a lot of complains and I'm prepared for nearly everything.
But to think that I'm collecting data?
That's a hard pain because this is what I hate and that is something what this system prevent.
If you will not trust this solution it's O.K. for me. If you have any recommendations how can I achieve more trust into this system than let me know this because I'm open to anything.
Best regards!
bencozzy said:
I have to agree this is not open source so only security conscious conclusion is that you are data sniffing.
Click to expand...
Click to collapse
Just shut-up for godsake if you want to use it use it, or if you don't leave it, why so many complaints, go learn computer networks DNS stuffs and then talk, its just a solution, there are many other adblocking solutions out there. If you are concerned with too much privacy why use Google or xda there's trackers everywhere, its inevitable to avoid. Grow up please.

Serious, unpatched vulnerabilities

Before I begin, I'm not here to flame tbe devs as I would love this app if these issues weren't present and do hope this problem is resolved as a result of bringing it to the attention of the community and hopefully this app's devs.
This application has serious vulnerabilities, some of which should be quite easily patched yet have not been for months to a year or so of them having been made public by a reputable security researcher working for Zimperium.
Login information via the browser is not utilizing a secure form of encryption for both web.airdroid.com or when accessing via local IP despite their SSL cert being valid for *.airdroid.com. The key for the DES encryption being used to hash the password and e-mail being hardcoded into the application despite having a POC for an attack on their users is inexcusable and shows a blatant disregard for their application's level of access as well as their user's safety and security.
My finding (as a security noob) has also deeply disturbed me following no response to bug reports or email contact. While attempting to check out their Windows desktop client, my antivirus discovered the installer attempting to download a variant of adware which monitored the user's activities and provides monetary incentives to developers which include it within their programs and applications. I do understand that if something is free, the product is you. However, I am a paying customer of this service as I'm sure many who use xda would be in an effort to support development of software and applications we enjoy. This adware was ran through and confirmed with VirusTotal and certainly is not a false positive. This desktop client also does not use SSL for communication.
Due to discovering these problems, I immediately discontinued use (the same day I renewed my yearly subscription). However, I was unable to remove the application from my phone without a full factory reset even after both application updates and upgrading android versions. With it set as a device administrator, it's access must first be revoked before uninstalling. However, across multiple devices and versions of android, attempting to remove it from device administrators causes a crash of the android settings app.
I had planned to do a POC for what I feel is an extremely likely scenario based off both public vulnerabilities as well as what I had discovered myself, but I have been far too busy with a few other projects as well as work to complete it yet. I had just stumbled across this section of the xda forums while looking for something else and hoped to get a response from the devs of this app.
I would love to be able to utilize an app with this functionality. However, there needs to be far more focus on security in its design before I would ever feel comfortable utilizing it again.
In theory, it would be entirely possible for an unstable, technically inclined person at a local coffee shop (or other public location with unsecured an wireless network) to hijack a user's login information with minimal skill level required then giving them full, unadulterated access to the application's functions such as forcing gps or camera on to track or watch someone without their consent as all connections aren't even requiring the user to accept the incoming connection on their phone to perform these actions. That is not a farfetched scenario and presents a possible threat to someone's physical safety.
Link to said researcher's findings can be found on his blog by searching Zimperium airdroid multiple vulnerabilities as I just created this account for this post and can not yet post outside links.
Thanks a lot for all this information. I really appreciate it.
Why hasn't this been addressed yet?
I remember reading this a while ago, realizing that it is a serious issue, and just how little the devs care about security on their app.
This is mainly because most end-users don't dive this deep into an app, and don't fully comprehend the severity of such vulnerabilities until it is too late.
We should make a bigger fuss about these things!
I've always been very careful with RAT-type apps and so I was when checking out AirDroid. I've uninstalled it after 30 minutes of using, just because I didn't like the fact, there's a chance some undesirable person could start spying on me. As I read this thread, I'm realising how right I was that time.

Private DNS for Android (and other systems)

Private DNS has been around for a little bit on newer devices. However, finding a service that provides both the Private DNS side (TLS) and ad-blocking, filtration of bad domains, etc., has been another whole mess.
I've launched a donation-backed Private DNS service which provides an internet-side option. Think pi-hole style blocking without needing a VPN or only working from your LAN.
What's this entail?
1. Running Android Pie (or anything with the feature ported to it)
2. Using a custom Private DNS Server address that I will provide.
What happens?
1. Your DNS requests are routed via DNS-over-TLS to my CDN virtual machines.
2. Your DNS requests are then locally processed through several internal systems including the infamous Pi-Hole.
3. Final data requests from the local resolver are forwarded via DNS-over-HTTPS to root DNS servers such as 1.1.1.1 and others that are found to support HTTPS protocol.
4. No personal data is stored. Only data with respect to filtration is stored such as blocked versus permitted domains, hit/misses, and caching statistics to continue to develop a more fluid system.
What do I do?
Put "DNS.DEREKGORDON.COM in your Private DNS settings for Android.
Use IP address 35.243.170.151 for other applications to include your home network router, ChromeOS, etc.
Like it? CONSIDER DONATING. This system is kicking out almost one million responses a day for users.
More information is at http://www.derekgordon.com/dns/.
Always provide THANKS no matter what folks. It's the nice thing to do....
So we are looking at a encrypted dns with ad blocking? I would be into trying that.
I'm using dns.agduard.com at the moment on my Huawei P20 pro running Android pie.
Have a number of people using it without issue now....
Check it out here:
https://www.derekgordon.com/dns
crypted said:
Have a number of people using it without issue now....
Check it out here:
https://www.derekgordon.com/dns
Click to expand...
Click to collapse
I'm gonna check it out
Cool. Give it a go. My only concern now rests with the attack prevention stuff I've added. It rate limits and bans those who are hitting the server or servers if expanded quite hard. Basically it's to ward off attackers. Anyway no bad reports from it but it's the only factor I'm not totally sure of.
Gonna give it a shot and give you my results in 24hrs.
Cool. I have zero issues on our family's Pixel 2s and 3s. No one said much bad except someone who had login issues on an Xbox when they used the system for their network's DNS. I solved that for them.
Note I'm not filtering Google ads domain as a few people complained since they click the first couple links on Google. I haven't felt intruded upon by ads with this change since making it a couple weeks back.
hi,
sometime i can use this dns, sometime cannot.
my mi 8 using baskalos rom stated coudlnt connect.
issit because of my isp?
Very strange. No one has reported that issue. Is it the same result on WiFi vs mobile data? Want to give me your IP to search logs?
I've used the server in four countries on various WiFi and mobile netwiens without issue on Pixel 3.
How did you get the Private DNS in android Pie to recognize your dns server? I've got my own pi-hole server, yet when I put in my FQDN, I lose internet access on my phone.
First, I don't use Pi-Hole only. I made a custom Debian image and deployed it into the world of CDN. Pi-Hole's opensource software was incorporated as one of my mechanisms for blacklists.
To your point on connection, you need two things: 1) a TLS server to establish the connection and 2) signed certificates for the domain you are using installed on your server. Android will connect via TLS and will verify that your certificate is valid against its root certificates on the device.
Happy note - my server is providing over 250,000 queries daily now and over 90% connect via TLS so that indicates lots of happy Android users.
I'm check yours out and see how well it compares to the VPN connection I currently use to my pihole.
Been loving your Private DNS so far. Great job on it. Question though, do you have a form or something for people to submit domains that are blocked and shouldn't be?
Hey. Feel free to tell me these domains. There is such high usage and hardly any feedback so I haven't even thought about it. I could make a Google Form later.
Actually, I had a spare moment at lunch. Try this: https://forms.gle/oGtAFKAc7yJPmmEZ6
crypted said:
Actually, I had a spare moment at lunch. Try this: https://forms.gle/oGtAFKAc7yJPmmEZ6
Click to expand...
Click to collapse
Was gonna request https://go.redirectingat.com be unblocked since many many sites use it to link to products on sites like Walmart and Amazon. Can't use that form though since you require a screenshot URL, and I can't screenshot a redirection site.
You figured out a good workaround to make your request. Processing now, give it a minute and should be good.
All of your requests are cleared if you didn't notice yet. Happy browsing.
Not really sure how to publicize this and it probably isn't worth trying to do... But for those who do use this, and there are plenty of folks, I have been working on some changes.
1. These will not work with Android as I don't have the extra cash to blow on more SSL certificates. But, they will work for home networking purposes:
US.EAST.DNS.DEREKGORDON.COM
US.WEST.DNS.DEREKGORDON.COM
DE.FRUNKFURT.DNS.DEREKGORDON.COM
BR.SAO.DNS.DEREKGORDON.COM
2. DNS.DEREK.GORDON.COM is now a pool of a number of VM instances that are connected to Google's CDN. It will grow as necessary. This helps spread out some of the intensity that has been hitting the TLS daemon.
3. Servers will automatically reboot between once a week to every other week depending on load and latency. Sometimes the intense flood of queries really makes things sluggish. Reboot takes just a few seconds and I'm working for it to time it during off-peak hours so hardly anyone will notice.
Hi, I have my own pihole installed on aws server. Could you please share tutorial how could i make it work with private dns in android pie. Thanks.

Categories

Resources