[tor-relays] Exit node re-writing PKI certificates?

AVee d6relay at d6.nl
Fri Mar 21 13:34:32 UTC 2014 

On 2014-03-20 04:00, Iggy wrote:

> Hey all,
> 
> I use an email account from riseup.net, which I usually access via
> Thunderbird, running on a linux machine.
> 
> My Thunderbird is configured to check mail via TOR.
> 
> Earlier tonight I got a certificate warning message from thunderbird,
> saying that mail.riseup.net:465 was presenting a certificate that had
> been issued to cab.cabinethardwareparts.com on 03-01-2014, and expiring
> on 03-01-2015. Oddity among oddities, this does not match the issue
> dates of the other certificate reported below.
> 
> Whois returns no match for cabinethardwareparts.com

And the ARIN record[1] on the IP refers to WebsiteWelcome.com, which in 
turn is a privacy protected domain in whois. The site itself only shows 
a notice about the abuse addres. The addres listed on Arin is 5005 
Mitchelldale Suite #100 Houston. This happens to be the Houston of 
HostGator[2]. So it's probably a VPS or server run by a HostGator 
customer.
> 
> When I mentioned this on a Riseup IRC channel, I was told that there 
> had
> previously (02-28-2014) been a help ticket from a riseup mail user,
> accessing their account via TOR, who had a certificate error involving 
> a
> certificate issued to the same domain.
> 
> So, I guess I just wanted to alert you all to the fact that this is
> happening. I'm not sure what it means.
> 
> Is the exit node in question pointing my traffic at somewhere other 
> than
> mail.riseup.net:465?
> 
> Is the exit node re-writing the traffic to include the bad certificate?
> If so, why? If part of a MITM scheme, why not use a certificate issued
> to mall.riseup.net or mail.riseop.net, or something else less obvious
> than cab.cabinethardwareparts.com?

It could be a MITM but it could also be an honest configuration error. 
If the server is has botched local firewall rules to redirect traffic on 
port 465 to the port the local mail server is actually running on (e.g. 
25) without properly checking the actually checking the destination of 
the traffic you'd end up connecting to the local server.
There is a SMTP running on port 465 there (says it's Exim 4.80.1) and 
sends a self-signed certificate valid from March 1, 2014 till March 1, 
2015 which matches what you saw (and could well be an certificate which 
was automatically generated during the installation of the system, at 
least debian does this).

Honest mistake (or plausible deniability). I certainly wouldn't 
recommend it, but it would be interesting to know if you would get 
anywhere if you accepted the certificate. If you actually get your email 
it's clearly a MITM, although even if that fails it might still be 
harvesting your login details.

Either way, it goes to show it's worth to be checking certificates.

AVee

1: http://whois.arin.net/rest/net/NET-192-254-128-0-1/pft
2: http://www.hostgator.com/contact/

More information about the tor-relays mailing list