[SSL Observatory] https://controller.mobile.lan

[Jacob Appelbaum]

Hi,

I'm at a hotel in Munich and I found a rather funny cert performing a
full MITM for *:443 - https://controller.mobile.lan is signed by VeriSign.

CN = VeriSign Class 3 Secure Server CA - G2
OU = Terms of use at https://www.verisign.com/rpa (c)09
OU = VeriSign Trust Network
O = VeriSign, Inc.
C = US

% openssl x509 -text -in cert.lan
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            69:53:ea:07:6d:f0:6c:9c:17:e8:66:0d:39:c5:6a:8e
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network,
OU=Terms of use at https://www.verisign.com/rpa (c)09, CN=VeriSign Class
3 Secure Server CA - G2
        Validity
            Not Before: Aug  6 00:00:00 2010 GMT
            Not After : Aug  5 23:59:59 2012 GMT
        Subject: C=DE, ST=Lower Saxony, L=Lueneburg, O=Securepoint GmbH,
OU=NAC Support, OU=Terms of use at www.verisign.com/rpa (c)05,
CN=controller.mobile.lan
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                    00:c4:26:1b:81:a0:5d:8a:c8:e5:2f:59:b8:4e:72:
                    f5:fb:9b:26:22:f6:cb:dd:c5:74:d1:4b:af:83:5d:
                    04:83:74:d6:9c:48:6a:94:f6:4f:d9:33:24:1b:ec:
                    0e:98:fc:1e:e8:d2:df:95:01:3a:3f:27:8c:8a:a6:
                    46:2b:36:84:3a:5e:d7:a4:5d:70:38:11:48:0d:94:
                    c2:f8:af:f8:3d:a8:10:22:ee:13:ae:16:63:dd:4e:
                    c2:9c:05:cc:41:eb:23:5d:79:65:0e:28:c3:0d:37:
                    5c:d8:83:a3:5b:f0:56:7c:5f:4b:28:f7:ed:d1:96:
                    e7:0d:ca:b9:af:34:b6:6f:43
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Key Usage:
                Digital Signature, Key Encipherment
            X509v3 CRL Distribution Points:
                URI:http://SVRSecure-G2-crl.verisign.com/SVRSecureG2.crl

            X509v3 Certificate Policies:
                Policy: 2.16.840.1.113733.1.7.23.3
                  CPS: https://www.verisign.com/rpa

            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Authority Key Identifier:

keyid:A5:EF:0B:11:CE:C0:41:03:A3:4A:65:90:48:B2:1C:E0:57:2D:7D:47

            Authority Information Access:
                OCSP - URI:http://ocsp.verisign.com
                CA Issuers -
URI:http://SVRSecure-G2-aia.verisign.com/SVRSecureG2.cer

            1.3.6.1.5.5.7.1.12:

0`.^.\0Z0X0V..image/gif0!0.0...+......Kk.(.....R8.).K..!..0&.$http://logo.verisign.com/vslogo1.gif
    Signature Algorithm: sha1WithRSAEncryption
        22:e1:4d:97:e0:9b:7e:6a:3e:19:6b:b8:a7:cf:ff:b8:e3:ba:
        29:76:ea:96:d3:8e:09:f6:76:9d:ff:11:8c:1e:f1:36:f8:b4:
        b9:01:37:f4:dc:9f:21:f0:de:03:bc:be:34:d5:bc:b3:df:cd:
        bb:0c:56:53:f5:ec:3d:8a:ed:bc:39:eb:93:b2:de:a8:18:58:
        6a:33:7d:78:e9:f9:ce:38:2f:cf:14:1e:5d:3a:47:f3:4d:16:
        48:1b:78:c1:60:b8:f3:c6:60:03:bb:60:b7:2e:a0:e1:12:5f:
        04:e9:3b:54:92:c7:9e:24:fd:e5:9c:c4:3b:9f:71:76:32:55:
        af:a8:42:b2:30:6c:b0:8c:95:a3:5b:c1:ed:69:c1:40:5c:23:
        c1:82:46:b0:a9:cc:05:ed:5c:5e:c5:0b:06:ca:c3:29:19:5f:
        95:d0:67:55:ef:fa:8b:82:ef:3e:61:12:20:cd:6e:0c:b9:bf:
        b2:e2:8f:63:93:0a:f2:64:a5:a1:f8:0c:5c:f8:69:63:34:5f:
        b5:72:7b:a4:32:b5:4c:4e:0e:41:6e:9f:4c:1c:66:0a:57:f8:
        1d:c9:53:50:3c:64:43:d0:2e:a8:ae:5a:00:1c:dd:86:97:ea:
        26:d7:ae:e1:80:ab:38:28:6c:1d:cf:79:5b:dc:d6:f1:d1:72:
        94:80:c9:7d

Here's the cert:

-----BEGIN CERTIFICATE-----
MIIFTjCCBDagAwIBAgIQaVPqB23wbJwX6GYNOcVqjjANBgkqhkiG9w0BAQUFADCB
tTELMAkGA1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMR8wHQYDVQQL
ExZWZXJpU2lnbiBUcnVzdCBOZXR3b3JrMTswOQYDVQQLEzJUZXJtcyBvZiB1c2Ug
YXQgaHR0cHM6Ly93d3cudmVyaXNpZ24uY29tL3JwYSAoYykwOTEvMC0GA1UEAxMm
VmVyaVNpZ24gQ2xhc3MgMyBTZWN1cmUgU2VydmVyIENBIC0gRzIwHhcNMTAwODA2
MDAwMDAwWhcNMTIwODA1MjM1OTU5WjCBvjELMAkGA1UEBhMCREUxFTATBgNVBAgT
DExvd2VyIFNheG9ueTESMBAGA1UEBxQJTHVlbmVidXJnMRkwFwYDVQQKFBBTZWN1
cmVwb2ludCBHbWJIMRQwEgYDVQQLFAtOQUMgU3VwcG9ydDEzMDEGA1UECxQqVGVy
bXMgb2YgdXNlIGF0IHd3dy52ZXJpc2lnbi5jb20vcnBhIChjKTA1MR4wHAYDVQQD
FBVjb250cm9sbGVyLm1vYmlsZS5sYW4wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJ
AoGBAMQmG4GgXYrI5S9ZuE5y9fubJiL2y93FdNFLr4NdBIN01pxIapT2T9kzJBvs
Dpj8HujS35UBOj8njIqmRis2hDpe16RdcDgRSA2Uwviv+D2oECLuE64WY91OwpwF
zEHrI115ZQ4oww03XNiDo1vwVnxfSyj37dGW5w3Kua80tm9DAgMBAAGjggHRMIIB
zTAJBgNVHRMEAjAAMAsGA1UdDwQEAwIFoDBFBgNVHR8EPjA8MDqgOKA2hjRodHRw
Oi8vU1ZSU2VjdXJlLUcyLWNybC52ZXJpc2lnbi5jb20vU1ZSU2VjdXJlRzIuY3Js
MEQGA1UdIAQ9MDswOQYLYIZIAYb4RQEHFwMwKjAoBggrBgEFBQcCARYcaHR0cHM6
Ly93d3cudmVyaXNpZ24uY29tL3JwYTAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYB
BQUHAwIwHwYDVR0jBBgwFoAUpe8LEc7AQQOjSmWQSLIc4FctfUcwdgYIKwYBBQUH
AQEEajBoMCQGCCsGAQUFBzABhhhodHRwOi8vb2NzcC52ZXJpc2lnbi5jb20wQAYI
KwYBBQUHMAKGNGh0dHA6Ly9TVlJTZWN1cmUtRzItYWlhLnZlcmlzaWduLmNvbS9T
VlJTZWN1cmVHMi5jZXIwbgYIKwYBBQUHAQwEYjBgoV6gXDBaMFgwVhYJaW1hZ2Uv
Z2lmMCEwHzAHBgUrDgMCGgQUS2u5KJYGDLvQUjibKaxLB4shBRgwJhYkaHR0cDov
L2xvZ28udmVyaXNpZ24uY29tL3ZzbG9nbzEuZ2lmMA0GCSqGSIb3DQEBBQUAA4IB
AQAi4U2X4Jt+aj4Za7inz/+447opduqW044J9nad/xGMHvE2+LS5ATf03J8h8N4D
vL401byz3827DFZT9ew9iu28OeuTst6oGFhqM3146fnOOC/PFB5dOkfzTRZIG3jB
YLjzxmADu2C3LqDhEl8E6TtUkseeJP3lnMQ7n3F2MlWvqEKyMGywjJWjW8HtacFA
XCPBgkawqcwF7VxexQsGysMpGV+V0GdV7/qLgu8+YRIgzW4Mub+y4o9jkwryZKWh
+Axc+GljNF+1cnukMrVMTg5Bbp9MHGYKV/gdyVNQPGRD0C6orloAHN2Gl+om167h
gKs4KGwdz3lb3Nbx0XKUgMl9
-----END CERTIFICATE-----

All the best,
Jacob