On Wed, 25 Apr 2018 09:42:43 -0700 (PDT) Santhan Raj via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:
> What is interesting to me is the DV certificate that Amazon had
> issued for myetherwallet.com (https://crt.sh/?id=108721338) and this
> certificate expired on Apr 23rd 2018.
>
> Could it be that the attackers were using this cert all along in
> place of an EV cert?

I have not been able to view this link for some reason. However, I can say that I've seen screenshots alleged to be of the Cert Viewer on a Windows PC connected to the attacker site, and it's hilariously bogus: it's a self-signed certificate with CA:TRUE set and the site's name as Common Name. It looks like somebody with no previous exposure to the Web PKI tried to make a certificate based on some random blog post or old YouTube tutorial, e.g. https://twitter.com/GossiTheDog/status/988785871188045825

There's no way this was ever valid, anywhere. If it's what was actually used (and I have no reason to believe it wasn't), the attackers relied upon the Dancing Pig effect to get their job done.

Maybe we're actually lucky they didn't get a newer tutorial that taught them to use ACME.

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
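For readers who want to see concretely why a certificate of the shape described in the message above (self-signed, CA:TRUE, CN set to the site name) can never pass a Web PKI client, here is an added example that is not part of the thread. It mints such a certificate with the openssl CLI from an inline config (so it does not depend on the system openssl.cnf), then checks the three properties a browser's chain builder would trip over. The hostname example.invalid is a placeholder; nothing here reproduces the attacker's actual certificate. It assumes an openssl binary with `verify -no-CAfile -no-CApath` (OpenSSL 1.1.0 or later).

```shell
#!/bin/sh
# Added example, not code from the mailing-list thread.
# Rebuild a "tutorial-grade" self-signed cert with CA:TRUE and CN = site name,
# then test the properties that make it worthless to any Web PKI client.
set -eu

WORK=$(mktemp -d)
DOMAIN="example.invalid"   # placeholder hostname, not the real site

# Minimal req config written inline so system defaults cannot interfere.
cat > "$WORK/req.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
x509_extensions = ext
[dn]
CN = $DOMAIN
[ext]
basicConstraints = critical,CA:TRUE
subjectAltName = DNS:$DOMAIN
EOF

# Mint the cert the way a "make your own SSL cert" tutorial would:
# one self-signed 'openssl req -x509' call. Prints the cert path.
make_bogus_cert() {
  openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 30 \
    -config "$WORK/req.cnf" \
    -keyout "$WORK/key.pem" -out "$WORK/cert.pem" 2>/dev/null
  echo "$WORK/cert.pem"
}

# Prints "yes" when issuer DN == subject DN, i.e. the cert vouches for itself.
is_self_signed() {
  subj=$(openssl x509 -in "$1" -noout -subject | sed 's/^subject=//')
  iss=$(openssl x509 -in "$1" -noout -issuer | sed 's/^issuer=//')
  if [ "$subj" = "$iss" ]; then echo yes; else echo no; fi
}

# Succeeds when the Basic Constraints extension asserts CA:TRUE
# (a leaf for a website should never carry this).
has_ca_true() {
  openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'
}

# Succeeds only if the cert chains to a configured trust anchor. We supply
# none, which is exactly what every browser's store holds for a root that
# nobody ever distributed: path building fails at the first step.
chains_to_trusted_root() {
  openssl verify -no-CAfile -no-CApath "$1" >/dev/null 2>&1
}

CERT=$(make_bogus_cert)
echo "self-signed:      $(is_self_signed "$CERT")"
has_ca_true "$CERT" && echo "basicConstraints: CA:TRUE"
if chains_to_trusted_root "$CERT"; then
  echo "verify:           OK"
else
  echo "verify:           FAILED (no path to a trusted root)"
fi
```

The only way such a certificate ever "works" is the Dancing Pig effect the message refers to: the client shows an interstitial and the user clicks through it. Nothing in the chain-building logic accepts it.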