On 2014-03-20 04:00, Iggy wrote:
Hey all,
I use an email account from riseup.net, which I usually access via Thunderbird, running on a linux machine.
My Thunderbird is configured to check mail via TOR.
Earlier tonight I got a certificate warning message from thunderbird, saying that mail.riseup.net:465 was presenting a certificate that had been issued to cab.cabinethardwareparts.com on 03-01-2014, and expiring on 03-01-2015. Oddity among oddities, this does not match the issue dates of the other certificate reported below.
Whois returns no match for cabinethardwareparts.com
And the ARIN record[1] on the IP refers to WebsiteWelcome.com, which in turn is a privacy protected domain in whois. The site itself only shows a notice about the abuse addres. The addres listed on Arin is 5005 Mitchelldale Suite #100 Houston. This happens to be the Houston of HostGator[2]. So it's probably a VPS or server run by a HostGator customer.
When I mentioned this on a Riseup IRC channel, I was told that there had previously (02-28-2014) been a help ticket from a riseup mail user, accessing their account via TOR, who had a certificate error involving a certificate issued to the same domain.
So, I guess I just wanted to alert you all to the fact that this is happening. I'm not sure what it means.
Is the exit node in question pointing my traffic at somewhere other than mail.riseup.net:465?
Is the exit node re-writing the traffic to include the bad certificate? If so, why? If part of a MITM scheme, why not use a certificate issued to mall.riseup.net or mail.riseop.net, or something else less obvious than cab.cabinethardwareparts.com?
It could be a MITM but it could also be an honest configuration error. If the server is has botched local firewall rules to redirect traffic on port 465 to the port the local mail server is actually running on (e.g. 25) without properly checking the actually checking the destination of the traffic you'd end up connecting to the local server. There is a SMTP running on port 465 there (says it's Exim 4.80.1) and sends a self-signed certificate valid from March 1, 2014 till March 1, 2015 which matches what you saw (and could well be an certificate which was automatically generated during the installation of the system, at least debian does this).
Honest mistake (or plausible deniability). I certainly wouldn't recommend it, but it would be interesting to know if you would get anywhere if you accepted the certificate. If you actually get your email it's clearly a MITM, although even if that fails it might still be harvesting your login details.
Either way, it goes to show it's worth to be checking certificates.
AVee
1: http://whois.arin.net/rest/net/NET-192-254-128-0-1/pft 2: http://www.hostgator.com/contact/