[tor-relays] Exit node re-writing PKI certificates?

Iggy iggy19 at riseup.net
Thu Mar 20 03:55:53 UTC 2014


I am assuming there is no way to tell this now, after the fact?

-iggy

On 03/19/2014 11:08 PM, Zack Weinberg wrote:
> Really useful to know at this point would be the complete suspicious
> certificate (which would e.g. tell us who signed it) and the exit node
> in use.
> 
> On Wed, Mar 19, 2014 at 11:00 PM, Iggy <iggy19 at riseup.net> wrote:
>> Hey all,
>>
>> I use an email account from riseup.net, which I usually access via
>> Thunderbird, running on a linux machine.
>>
>> My Thunderbird is configured to check mail via TOR.
>>
>> Earlier tonight I got a certificate warning message from thunderbird,
>> saying that mail.riseup.net:465 was presenting a certificate that had
>> been issued to cab.cabinethardwareparts.com on 03-01-2014, and expiring
>> on 03-01-2015.  Oddity among oddities, this does not match the issue
>> dates of the other certificate reported below.
>>
>> Whois returns no match for cabinethardwareparts.com
>>
>> When I mentioned this on a Riseup IRC channel, I was told that there had
>> previously (02-28-2014) been a help ticket from a riseup mail user,
>> accessing their account via TOR, who had a certificate error involving a
>> certificate issued to the same domain.
>>
>> So, I guess I just wanted to alert you all to the fact that this is
>> happening.  I'm not sure what it means.
>>
>> Is the exit node in question pointing my traffic at somewhere other than
>> mail.riseup.net:465?
>>
>> Is the exit node re-writing the traffic to include the bad certificate?
>> If so, why?  If part of a MITM scheme, why not use a certificate issued
>> to mall.riseup.net or mail.riseop.net, or something else less obvious
>> than cab.cabinethardwareparts.com?
>>
>> I am more curious than anything, and any thoughts are appreciated.
>>
>> I'll paste the details from the previous help ticket below, since they
>> actually captured more details about the bad certificate than I did.
>>
>> Kind Regards,
>>
>> -Iggy
>>
>> =-=-=-=-==-=-==-=-
>> PASTED TEXT BEGINS
>> =-=-==-=-=-=-=--=-
>>
>> Hi there wonderful riseup birds,
>>
>> Today I was attempting to send a GPGd email to another riseup.net user
>> but thunderbird flagged that a suspicious certificate was being served
>> whose address did not match riseup.net.
>>
>> Its common name was: cab.cabinethardwareparts.com
>> Serial 01:E3:94:E1:BD
>> issued on: 05/03/13
>> expires: 05/03/14
>> organization: unknown
>> The key was:
>>
>> Modulus (2048 bits):
>>
>> Exponent (24 bits):
>> 65537
>>
>> =-=-=-=-==-=-==-=-
>> PASTED TEXT ENDS
>> =-=-==-=-=-=-=--=-
>>
>> _______________________________________________
>> tor-relays mailing list
>> tor-relays at lists.torproject.org
>> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
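Zack asks which exit node was in use, and Iggy asks whether that can still be determined afterwards. It cannot be recovered from the certificate alone, but the Tor control port can answer it at the time the warning appears: GETINFO stream-status maps the connection to a circuit, and GETINFO circuit-status gives that circuit's path, whose last hop is the exit. The following is an added example, not code from this thread or from Tor; the stream-status and circuit-status text is constructed in the control-spec line format, and every relay fingerprint and nickname in it is made up.

```python
"""Map a Tor stream to the exit relay that carried it, from control-port
GETINFO stream-status / circuit-status output (constructed sample data)."""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample, in the documented line formats:
#   stream-status:  StreamID SP StreamStatus SP CircuitID SP Target
#   circuit-status: CircuitID SP CircStatus [SP Path] [SP key=value ...]
# Fingerprints and nicknames are placeholders, not real relays.
STREAM_STATUS = (
    "14 SUCCEEDED 7 mail.riseup.net:465\n"
    "15 NEW 0 www.example.org:443\n"          # not yet attached to a circuit
    "16 SUCCEEDED 9 imap.example.net:993\n"
)
CIRCUIT_STATUS = (
    f"7 BUILT ${'A'*40}~guardA,${'B'*40}~middleB,${'C'*40}~exitC "
    "BUILD_FLAGS=NEED_CAPACITY PURPOSE=GENERAL\n"
    f"9 EXTENDED ${'D'*40}~guardD,${'E'*40}~middleE PURPOSE=GENERAL\n"  # still building
)

Hop = Tuple[str, Optional[str]]   # (40-hex fingerprint, nickname or None)
LONG_NAME = re.compile(r"\$([0-9A-Fa-f]{40})(?:[=~](\S+))?")

def parse_stream_status(text: str) -> List[Tuple[str, str, str, str]]:
    """Return (stream_id, status, circuit_id, target) for each well-formed line."""
    rows = [line.split() for line in text.splitlines()]
    return [(r[0], r[1], r[2], r[3]) for r in rows if len(r) >= 4]

def parse_circuit_status(text: str) -> Dict[str, Tuple[str, List[Hop]]]:
    """Return {circuit_id: (status, [hops in path order])}; path may be absent."""
    circuits: Dict[str, Tuple[str, List[Hop]]] = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2:
            continue
        hops: List[Hop] = []
        if len(parts) > 2 and parts[2].startswith("$"):   # Path is the 3rd field
            for name in parts[2].split(","):
                m = LONG_NAME.fullmatch(name)
                if m:
                    hops.append((m.group(1).upper(), m.group(2)))
        circuits[parts[0]] = (parts[1], hops)
    return circuits

def exit_for_target(stream_text: str, circuit_text: str, target: str) -> Optional[Hop]:
    """Exit hop of the BUILT circuit carrying a SUCCEEDED stream to target, else None."""
    circuits = parse_circuit_status(circuit_text)
    for _sid, status, circ_id, tgt in parse_stream_status(stream_text):
        if tgt != target or status != "SUCCEEDED" or circ_id == "0":
            continue
        circ_status, hops = circuits.get(circ_id, ("", []))
        if circ_status == "BUILT" and hops:
            return hops[-1]          # last hop in the path is the exit relay
    return None
```

Recording the exit fingerprint together with the offending certificate's SHA-256 fingerprint at the moment of the warning is what makes a later report to the list actionable.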