[tor-relays] Exit node re-writing PKI certificates?
zackw at cmu.edu
Thu Mar 20 03:08:12 UTC 2014
Really useful to know at this point would be the complete suspicious
certificate (which would e.g. tell us who signed it) and the exit node
On Wed, Mar 19, 2014 at 11:00 PM, Iggy <iggy19 at riseup.net> wrote:
> Hey all,
> I use an email account from riseup.net, which I usually access via
> Thunderbird, running on a linux machine.
> My Thunderbird is configured to check mail via TOR.
> Earlier tonight I got a certificate warning message from thunderbird,
> saying that mail.riseup.net:465 was presenting a certificate that had
> been issued to cab.cabinethardwareparts.com on 03-01-2014, and expiring
> on 03-01-2015. Oddity among oddities, this does not match the issue
> dates of the other certificate reported below.
> Whois returns no match for cabinethardwareparts.com
> When I mentioned this on a Riseup IRC channel, I was told that there had
> previously (02-28-2014) been a help ticket from a riseup mail user,
> accessing their account via TOR, who had a certificate error involving a
> certificate issued to the same domain.
> So, I guess I just wanted to alert you all to the fact that this is
> happening. I'm not sure what it means.
> Is the exit node in question pointing my traffic at somewhere other than
> Is the exit node re-writing the traffic to include the bad certificate?
> If so, why? If part of a MITM scheme, why not use a certificate issued
> to mall.riseup.net or mail.riseop.net, or something else less obvious
> than cab.cabinethardwareparts.com?
> I am more curious than anything, and any thoughts are appreciated.
> I'll paste the details from the previous help ticket below, since they
> actually captured more details about the bad certificate than I did.
> Kind Regards,
> PASTED TEXT BEGINS
> Hi there wonderful riseup birds,
> Today I was attempting to sent a GPGd email to another riseup.net user
> but thunderbird flagged that a suspicious certificate was being served
> whose address did not match riseup.net.
> Its common name was: cab.cabinethardwareparts.com
> Serial 01:E3:94:E1:BD
> issued on: 05/03/13
> expires: 05/03/14
> organization: unknown
> The key was:
> Modulus (2048 bits):
> ba 29 4e f5 89 c8 4c 61 76 4c 08 fe 2e d9 4d af
> 8f 47 20 2b cb ee 00 56 d3 9b 4c 47 8c ee 75 f5
> 94 f8 65 f3 83 71 12 ed 32 ef 92 4e 25 90 ac df
> 4c 82 e6 6e 4e df b2 a9 48 f0 2a 7a 21 bd 10 01
> 7d fc 31 b4 93 ca ec ec 99 b2 91 e1 04 a7 5c 39
> 72 55 1f ee 74 49 4c e7 75 fe 84 67 a9 ff 81 74
> e5 1e 35 db 2b 93 e1 f5 74 96 6b 19 3a 54 a3 0d
> 90 b1 8f 0c 2f e2 4f f1 13 5a ad c5 37 4e b5 93
> 54 70 54 7f 04 6b 30 58 fc f8 c8 15 04 c7 f6 90
> 25 9f 45 4b 38 9e 28 e8 ec df 7d 06 d4 0f d1 9c
> 2e 6c 9d ad 90 65 ce e4 de a0 5a 8a 14 fc b4 32
> 26 c9 2d 7e 91 fc c3 90 1c 52 9d 93 f0 47 38 d3
> b1 66 27 38 0a 2f 2a 08 31 7c ea 62 fa 66 1d f2
> 90 4d 0f 8b 42 78 7b 69 00 c8 4a b3 84 4c c6 e0
> a3 0d ce 91 b2 e7 75 6a c1 34 76 22 4e e4 df 85
> 1c d2 19 d5 2e ca 91 71 be 4e fd d3 81 2e e5 83
> Exponent (24 bits):
> PASTED TEXT ENDS
> tor-relays mailing list
> tor-relays at lists.torproject.org
More information about the tor-relays