[tor-relays] Exit node re-writing PKI certificates?

Iggy iggy19 at riseup.net
Thu Mar 20 03:00:29 UTC 2014


Hey all,

I use an email account from riseup.net, which I usually access via
Thunderbird, running on a linux machine.

My Thunderbird is configured to check mail via TOR.

Earlier tonight I got a certificate warning message from thunderbird,
saying that mail.riseup.net:465 was presenting a certificate that had
been issued to cab.cabinethardwareparts.com on 03-01-2014, and expiring
on 03-01-2015.  Oddity among oddities, this does not match the issue
dates of the other certificate reported below.

Whois returns no match for cabinethardwareparts.com

When I mentioned this on a Riseup IRC channel, I was told that there had
previously (02-28-2014) been a help ticket from a riseup mail user,
accessing their account via TOR, who had a certificate error involving a
certificate issued to the same domain.

So, I guess I just wanted to alert you all to the fact that this is
happening.  I'm not sure what it means.

Is the exit node in question pointing my traffic at somewhere other than
mail.riseup.net:465?

Is the exit node re-writing the traffic to include the bad certificate?
 If so, why?  If part of a MITM scheme, why not use a certificate issued
to mall.riseup.net or mail.riseop.net, or something else less obvious
than cab.cabinethardwareparts.com?

I am more curious than anything, and any thoughts are appreciated.

I'll paste the details from the previous help ticket below, since they
actually captured more details about the bad certificate than I did.



Kind Regards,

-Iggy



=-=-=-=-==-=-==-=-
PASTED TEXT BEGINS
=-=-==-=-=-=-=--=-

Hi there wonderful riseup birds,

Today I was attempting to sent a GPGd email to another riseup.net user
but thunderbird flagged that a suspicious certificate was being served
whose address did not match riseup.net.

Its common name was: cab.cabinethardwareparts.com
Serial 01:E3:94:E1:BD
issued on: 05/03/13
expires: 05/03/14
organization: unknown
The key was:

Modulus (2048 bits):
ba 29 4e f5 89 c8 4c 61 76 4c 08 fe 2e d9 4d af
8f 47 20 2b cb ee 00 56 d3 9b 4c 47 8c ee 75 f5
94 f8 65 f3 83 71 12 ed 32 ef 92 4e 25 90 ac df
4c 82 e6 6e 4e df b2 a9 48 f0 2a 7a 21 bd 10 01
7d fc 31 b4 93 ca ec ec 99 b2 91 e1 04 a7 5c 39
72 55 1f ee 74 49 4c e7 75 fe 84 67 a9 ff 81 74
e5 1e 35 db 2b 93 e1 f5 74 96 6b 19 3a 54 a3 0d
90 b1 8f 0c 2f e2 4f f1 13 5a ad c5 37 4e b5 93
54 70 54 7f 04 6b 30 58 fc f8 c8 15 04 c7 f6 90
25 9f 45 4b 38 9e 28 e8 ec df 7d 06 d4 0f d1 9c
2e 6c 9d ad 90 65 ce e4 de a0 5a 8a 14 fc b4 32
26 c9 2d 7e 91 fc c3 90 1c 52 9d 93 f0 47 38 d3
b1 66 27 38 0a 2f 2a 08 31 7c ea 62 fa 66 1d f2
90 4d 0f 8b 42 78 7b 69 00 c8 4a b3 84 4c c6 e0
a3 0d ce 91 b2 e7 75 6a c1 34 76 22 4e e4 df 85
1c d2 19 d5 2e ca 91 71 be 4e fd d3 81 2e e5 83

Exponent (24 bits):
65537

=-=-=-=-==-=-==-=-
PASTED TEXT ENDS
=-=-==-=-=-=-=--=-







More information about the tor-relays mailing list