Exit node re-writing PKI certificates?
Hey all, I use an email account from riseup.net, which I usually access via Thunderbird, running on a linux machine. My Thunderbird is configured to check mail via TOR. Earlier tonight I got a certificate warning message from thunderbird, saying that mail.riseup.net:465 was presenting a certificate that had been issued to cab.cabinethardwareparts.com on 03-01-2014, and expiring on 03-01-2015. Oddity among oddities, this does not match the issue dates of the other certificate reported below. Whois returns no match for cabinethardwareparts.com When I mentioned this on a Riseup IRC channel, I was told that there had previously (02-28-2014) been a help ticket from a riseup mail user, accessing their account via TOR, who had a certificate error involving a certificate issued to the same domain. So, I guess I just wanted to alert you all to the fact that this is happening. I'm not sure what it means. Is the exit node in question pointing my traffic at somewhere other than mail.riseup.net:465? Is the exit node re-writing the traffic to include the bad certificate? If so, why? If part of a MITM scheme, why not use a certificate issued to mall.riseup.net or mail.riseop.net, or something else less obvious than cab.cabinethardwareparts.com? I am more curious than anything, and any thoughts are appreciated. I'll paste the details from the previous help ticket below, since they actually captured more details about the bad certificate than I did. Kind Regards, -Iggy =-=-=-=-==-=-==-=- PASTED TEXT BEGINS =-=-==-=-=-=-=--=- Hi there wonderful riseup birds, Today I was attempting to sent a GPGd email to another riseup.net user but thunderbird flagged that a suspicious certificate was being served whose address did not match riseup.net. Its common name was: cab.cabinethardwareparts.com Serial 01:E3:94:E1:BD issued on: 05/03/13 expires: 05/03/14 organization: unknown The key was: Modulus (2048 bits): ba 29 4e f5 89 c8 4c 61 76 4c 08 fe 2e d9 4d af 8f 47 20 2b cb ee 00 56 d3 9b 4c 47 8c ee 75 f5 94 f8 65 f3 83 71 12 ed 32 ef 92 4e 25 90 ac df 4c 82 e6 6e 4e df b2 a9 48 f0 2a 7a 21 bd 10 01 7d fc 31 b4 93 ca ec ec 99 b2 91 e1 04 a7 5c 39 72 55 1f ee 74 49 4c e7 75 fe 84 67 a9 ff 81 74 e5 1e 35 db 2b 93 e1 f5 74 96 6b 19 3a 54 a3 0d 90 b1 8f 0c 2f e2 4f f1 13 5a ad c5 37 4e b5 93 54 70 54 7f 04 6b 30 58 fc f8 c8 15 04 c7 f6 90 25 9f 45 4b 38 9e 28 e8 ec df 7d 06 d4 0f d1 9c 2e 6c 9d ad 90 65 ce e4 de a0 5a 8a 14 fc b4 32 26 c9 2d 7e 91 fc c3 90 1c 52 9d 93 f0 47 38 d3 b1 66 27 38 0a 2f 2a 08 31 7c ea 62 fa 66 1d f2 90 4d 0f 8b 42 78 7b 69 00 c8 4a b3 84 4c c6 e0 a3 0d ce 91 b2 e7 75 6a c1 34 76 22 4e e4 df 85 1c d2 19 d5 2e ca 91 71 be 4e fd d3 81 2e e5 83 Exponent (24 bits): 65537 =-=-=-=-==-=-==-=- PASTED TEXT ENDS =-=-==-=-=-=-=--=-
Really useful to know at this point would be the complete suspicious certificate (which would e.g. tell us who signed it) and the exit node in use. On Wed, Mar 19, 2014 at 11:00 PM, Iggy <iggy19@riseup.net> wrote:
Hey all,
I use an email account from riseup.net, which I usually access via Thunderbird, running on a linux machine.
My Thunderbird is configured to check mail via TOR.
Earlier tonight I got a certificate warning message from thunderbird, saying that mail.riseup.net:465 was presenting a certificate that had been issued to cab.cabinethardwareparts.com on 03-01-2014, and expiring on 03-01-2015. Oddity among oddities, this does not match the issue dates of the other certificate reported below.
Whois returns no match for cabinethardwareparts.com
When I mentioned this on a Riseup IRC channel, I was told that there had previously (02-28-2014) been a help ticket from a riseup mail user, accessing their account via TOR, who had a certificate error involving a certificate issued to the same domain.
So, I guess I just wanted to alert you all to the fact that this is happening. I'm not sure what it means.
Is the exit node in question pointing my traffic at somewhere other than mail.riseup.net:465?
Is the exit node re-writing the traffic to include the bad certificate? If so, why? If part of a MITM scheme, why not use a certificate issued to mall.riseup.net or mail.riseop.net, or something else less obvious than cab.cabinethardwareparts.com?
I am more curious than anything, and any thoughts are appreciated.
I'll paste the details from the previous help ticket below, since they actually captured more details about the bad certificate than I did.
Kind Regards,
-Iggy
=-=-=-=-==-=-==-=- PASTED TEXT BEGINS =-=-==-=-=-=-=--=-
Hi there wonderful riseup birds,
Today I was attempting to sent a GPGd email to another riseup.net user but thunderbird flagged that a suspicious certificate was being served whose address did not match riseup.net.
Its common name was: cab.cabinethardwareparts.com Serial 01:E3:94:E1:BD issued on: 05/03/13 expires: 05/03/14 organization: unknown The key was:
Modulus (2048 bits): ba 29 4e f5 89 c8 4c 61 76 4c 08 fe 2e d9 4d af 8f 47 20 2b cb ee 00 56 d3 9b 4c 47 8c ee 75 f5 94 f8 65 f3 83 71 12 ed 32 ef 92 4e 25 90 ac df 4c 82 e6 6e 4e df b2 a9 48 f0 2a 7a 21 bd 10 01 7d fc 31 b4 93 ca ec ec 99 b2 91 e1 04 a7 5c 39 72 55 1f ee 74 49 4c e7 75 fe 84 67 a9 ff 81 74 e5 1e 35 db 2b 93 e1 f5 74 96 6b 19 3a 54 a3 0d 90 b1 8f 0c 2f e2 4f f1 13 5a ad c5 37 4e b5 93 54 70 54 7f 04 6b 30 58 fc f8 c8 15 04 c7 f6 90 25 9f 45 4b 38 9e 28 e8 ec df 7d 06 d4 0f d1 9c 2e 6c 9d ad 90 65 ce e4 de a0 5a 8a 14 fc b4 32 26 c9 2d 7e 91 fc c3 90 1c 52 9d 93 f0 47 38 d3 b1 66 27 38 0a 2f 2a 08 31 7c ea 62 fa 66 1d f2 90 4d 0f 8b 42 78 7b 69 00 c8 4a b3 84 4c c6 e0 a3 0d ce 91 b2 e7 75 6a c1 34 76 22 4e e4 df 85 1c d2 19 d5 2e ca 91 71 be 4e fd d3 81 2e e5 83
Exponent (24 bits): 65537
=-=-=-=-==-=-==-=- PASTED TEXT ENDS =-=-==-=-=-=-=--=-
_______________________________________________ tor-relays mailing list tor-relays@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
I am assuming there is no way to tell this now, after the fact? -iggy On 03/19/2014 11:08 PM, Zack Weinberg wrote:
Really useful to know at this point would be the complete suspicious certificate (which would e.g. tell us who signed it) and the exit node in use.
On Wed, Mar 19, 2014 at 11:00 PM, Iggy <iggy19@riseup.net> wrote:
Hey all,
I use an email account from riseup.net, which I usually access via Thunderbird, running on a linux machine.
My Thunderbird is configured to check mail via TOR.
Earlier tonight I got a certificate warning message from thunderbird, saying that mail.riseup.net:465 was presenting a certificate that had been issued to cab.cabinethardwareparts.com on 03-01-2014, and expiring on 03-01-2015. Oddity among oddities, this does not match the issue dates of the other certificate reported below.
Whois returns no match for cabinethardwareparts.com
When I mentioned this on a Riseup IRC channel, I was told that there had previously (02-28-2014) been a help ticket from a riseup mail user, accessing their account via TOR, who had a certificate error involving a certificate issued to the same domain.
So, I guess I just wanted to alert you all to the fact that this is happening. I'm not sure what it means.
Is the exit node in question pointing my traffic at somewhere other than mail.riseup.net:465?
Is the exit node re-writing the traffic to include the bad certificate? If so, why? If part of a MITM scheme, why not use a certificate issued to mall.riseup.net or mail.riseop.net, or something else less obvious than cab.cabinethardwareparts.com?
I am more curious than anything, and any thoughts are appreciated.
I'll paste the details from the previous help ticket below, since they actually captured more details about the bad certificate than I did.
Kind Regards,
-Iggy
=-=-=-=-==-=-==-=- PASTED TEXT BEGINS =-=-==-=-=-=-=--=-
Hi there wonderful riseup birds,
Today I was attempting to sent a GPGd email to another riseup.net user but thunderbird flagged that a suspicious certificate was being served whose address did not match riseup.net.
Its common name was: cab.cabinethardwareparts.com Serial 01:E3:94:E1:BD issued on: 05/03/13 expires: 05/03/14 organization: unknown The key was:
Modulus (2048 bits): ba 29 4e f5 89 c8 4c 61 76 4c 08 fe 2e d9 4d af 8f 47 20 2b cb ee 00 56 d3 9b 4c 47 8c ee 75 f5 94 f8 65 f3 83 71 12 ed 32 ef 92 4e 25 90 ac df 4c 82 e6 6e 4e df b2 a9 48 f0 2a 7a 21 bd 10 01 7d fc 31 b4 93 ca ec ec 99 b2 91 e1 04 a7 5c 39 72 55 1f ee 74 49 4c e7 75 fe 84 67 a9 ff 81 74 e5 1e 35 db 2b 93 e1 f5 74 96 6b 19 3a 54 a3 0d 90 b1 8f 0c 2f e2 4f f1 13 5a ad c5 37 4e b5 93 54 70 54 7f 04 6b 30 58 fc f8 c8 15 04 c7 f6 90 25 9f 45 4b 38 9e 28 e8 ec df 7d 06 d4 0f d1 9c 2e 6c 9d ad 90 65 ce e4 de a0 5a 8a 14 fc b4 32 26 c9 2d 7e 91 fc c3 90 1c 52 9d 93 f0 47 38 d3 b1 66 27 38 0a 2f 2a 08 31 7c ea 62 fa 66 1d f2 90 4d 0f 8b 42 78 7b 69 00 c8 4a b3 84 4c c6 e0 a3 0d ce 91 b2 e7 75 6a c1 34 76 22 4e e4 df 85 1c d2 19 d5 2e ca 91 71 be 4e fd d3 81 2e e5 83
Exponent (24 bits): 65537
=-=-=-=-==-=-==-=- PASTED TEXT ENDS =-=-==-=-=-=-=--=-
_______________________________________________ tor-relays mailing list tor-relays@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
tor-relays mailing list tor-relays@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
On Wed, 19 Mar 2014 23:55:53 -0400 Iggy <iggy19@riseup.net> allegedly wrote:
I am assuming there is no way to tell this now, after the fact?
-iggy
On 03/19/2014 11:08 PM, Zack Weinberg wrote:
Really useful to know at this point would be the complete suspicious certificate (which would e.g. tell us who signed it) and the exit node in use.
On Wed, Mar 19, 2014 at 11:00 PM, Iggy <iggy19@riseup.net> wrote:
Hey all,
I use an email account from riseup.net, which I usually access via Thunderbird, running on a linux machine.
According to torstatus.blutmagie.de, cab.cabinethardwareparts.com is on 192.254.168.26. (See https://torstatus.blutmagie.de/router_detail.php?FP=0cc9b8aa649881c39e948e70... It has fast, exit, guard and stable flags set. The node is apparently unnamed, but there is a whois record. See https://torstatus.blutmagie.de/cgi-bin/whois.pl?ip=192.254.168.26 Mick --------------------------------------------------------------------- Mick Morgan gpg fingerprint: FC23 3338 F664 5E66 876B 72C0 0A1F E60B 5BAD D312 http://baldric.net ---------------------------------------------------------------------
On 2014-03-20 04:00, Iggy wrote:
Hey all,
I use an email account from riseup.net, which I usually access via Thunderbird, running on a linux machine.
My Thunderbird is configured to check mail via TOR.
Earlier tonight I got a certificate warning message from thunderbird, saying that mail.riseup.net:465 was presenting a certificate that had been issued to cab.cabinethardwareparts.com on 03-01-2014, and expiring on 03-01-2015. Oddity among oddities, this does not match the issue dates of the other certificate reported below.
Whois returns no match for cabinethardwareparts.com
And the ARIN record[1] on the IP refers to WebsiteWelcome.com, which in turn is a privacy protected domain in whois. The site itself only shows a notice about the abuse addres. The addres listed on Arin is 5005 Mitchelldale Suite #100 Houston. This happens to be the Houston of HostGator[2]. So it's probably a VPS or server run by a HostGator customer.
When I mentioned this on a Riseup IRC channel, I was told that there had previously (02-28-2014) been a help ticket from a riseup mail user, accessing their account via TOR, who had a certificate error involving a certificate issued to the same domain.
So, I guess I just wanted to alert you all to the fact that this is happening. I'm not sure what it means.
Is the exit node in question pointing my traffic at somewhere other than mail.riseup.net:465?
Is the exit node re-writing the traffic to include the bad certificate? If so, why? If part of a MITM scheme, why not use a certificate issued to mall.riseup.net or mail.riseop.net, or something else less obvious than cab.cabinethardwareparts.com?
It could be a MITM but it could also be an honest configuration error. If the server is has botched local firewall rules to redirect traffic on port 465 to the port the local mail server is actually running on (e.g. 25) without properly checking the actually checking the destination of the traffic you'd end up connecting to the local server. There is a SMTP running on port 465 there (says it's Exim 4.80.1) and sends a self-signed certificate valid from March 1, 2014 till March 1, 2015 which matches what you saw (and could well be an certificate which was automatically generated during the installation of the system, at least debian does this). Honest mistake (or plausible deniability). I certainly wouldn't recommend it, but it would be interesting to know if you would get anywhere if you accepted the certificate. If you actually get your email it's clearly a MITM, although even if that fails it might still be harvesting your login details. Either way, it goes to show it's worth to be checking certificates. AVee 1: http://whois.arin.net/rest/net/NET-192-254-128-0-1/pft 2: http://www.hostgator.com/contact/
participants (4)
-
AVee -
Iggy -
mick -
Zack Weinberg