Wait... It is signed for just one FQDN; what is the point of using it for MITM?
On Mon, Feb 06, 2012 at 08:42:12PM +0100, Jacob Appelbaum wrote:
> Hi,
>
> I'm at a hotel in Munich and I found a rather funny cert performing a
> full MITM for *:443 - https://controller.mobile.lan is signed by VeriSign.
>
> CN = VeriSign Class 3 Secure Server CA - G2
> OU = Terms of use at https://www.verisign.com/rpa (c)09
> OU = VeriSign Trust Network
> O = VeriSign, Inc.
> C = US
>
> % openssl x509 -text -in cert.lan
> Certificate:
>     Data:
>         Version: 3 (0x2)
>         Serial Number:
>             69:53:ea:07:6d:f0:6c:9c:17:e8:66:0d:39:c5:6a:8e
>         Signature Algorithm: sha1WithRSAEncryption
>         Issuer: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)09, CN=VeriSign Class 3 Secure Server CA - G2
>         Validity
>             Not Before: Aug  6 00:00:00 2010 GMT
>             Not After : Aug  5 23:59:59 2012 GMT
>         Subject: C=DE, ST=Lower Saxony, L=Lueneburg, O=Securepoint GmbH, OU=NAC Support, OU=Terms of use at www.verisign.com/rpa (c)05, CN=controller.mobile.lan
>         Subject Public Key Info:
>             Public Key Algorithm: rsaEncryption
>             RSA Public Key: (1024 bit)
>                 Modulus (1024 bit):
>                     00:c4:26:1b:81:a0:5d:8a:c8:e5:2f:59:b8:4e:72:
>                     f5:fb:9b:26:22:f6:cb:dd:c5:74:d1:4b:af:83:5d:
>                     04:83:74:d6:9c:48:6a:94:f6:4f:d9:33:24:1b:ec:
>                     0e:98:fc:1e:e8:d2:df:95:01:3a:3f:27:8c:8a:a6:
>                     46:2b:36:84:3a:5e:d7:a4:5d:70:38:11:48:0d:94:
>                     c2:f8:af:f8:3d:a8:10:22:ee:13:ae:16:63:dd:4e:
>                     c2:9c:05:cc:41:eb:23:5d:79:65:0e:28:c3:0d:37:
>                     5c:d8:83:a3:5b:f0:56:7c:5f:4b:28:f7:ed:d1:96:
>                     e7:0d:ca:b9:af:34:b6:6f:43
>                 Exponent: 65537 (0x10001)
>         X509v3 extensions:
>             X509v3 Basic Constraints:
>                 CA:FALSE
>             X509v3 Key Usage:
>                 Digital Signature, Key Encipherment
>             X509v3 CRL Distribution Points:
>                 URI:http://SVRSecure-G2-crl.verisign.com/SVRSecureG2.crl
>
>             X509v3 Certificate Policies:
>                 Policy: 2.16.840.1.113733.1.7.23.3
>                   CPS: https://www.verisign.com/rpa
>
>             X509v3 Extended Key Usage:
>                 TLS Web Server Authentication, TLS Web Client Authentication
>             X509v3 Authority Key Identifier:
>                 keyid:A5:EF:0B:11:CE:C0:41:03:A3:4A:65:90:48:B2:1C:E0:57:2D:7D:47
>
>             Authority Information Access:
>                 OCSP - URI:http://ocsp.verisign.com
>                 CA Issuers - URI:http://SVRSecure-G2-aia.verisign.com/SVRSecureG2.cer
>
>             1.3.6.1.5.5.7.1.12:
>                 0`.^.\0Z0X0V..image/gif0!0.0...+......Kk.(.....R8.).K..!..0&.$http://logo.verisign.com/vslogo1.gif
>     Signature Algorithm: sha1WithRSAEncryption
>         22:e1:4d:97:e0:9b:7e:6a:3e:19:6b:b8:a7:cf:ff:b8:e3:ba:
>         29:76:ea:96:d3:8e:09:f6:76:9d:ff:11:8c:1e:f1:36:f8:b4:
>         b9:01:37:f4:dc:9f:21:f0:de:03:bc:be:34:d5:bc:b3:df:cd:
>         bb:0c:56:53:f5:ec:3d:8a:ed:bc:39:eb:93:b2:de:a8:18:58:
>         6a:33:7d:78:e9:f9:ce:38:2f:cf:14:1e:5d:3a:47:f3:4d:16:
>         48:1b:78:c1:60:b8:f3:c6:60:03:bb:60:b7:2e:a0:e1:12:5f:
>         04:e9:3b:54:92:c7:9e:24:fd:e5:9c:c4:3b:9f:71:76:32:55:
>         af:a8:42:b2:30:6c:b0:8c:95:a3:5b:c1:ed:69:c1:40:5c:23:
>         c1:82:46:b0:a9:cc:05:ed:5c:5e:c5:0b:06:ca:c3:29:19:5f:
>         95:d0:67:55:ef:fa:8b:82:ef:3e:61:12:20:cd:6e:0c:b9:bf:
>         b2:e2:8f:63:93:0a:f2:64:a5:a1:f8:0c:5c:f8:69:63:34:5f:
>         b5:72:7b:a4:32:b5:4c:4e:0e:41:6e:9f:4c:1c:66:0a:57:f8:
>         1d:c9:53:50:3c:64:43:d0:2e:a8:ae:5a:00:1c:dd:86:97:ea:
>         26:d7:ae:e1:80:ab:38:28:6c:1d:cf:79:5b:dc:d6:f1:d1:72:
>         94:80:c9:7d
>
> Here's the cert:
>
> -----BEGIN CERTIFICATE-----
> MIIFTjCCBDagAwIBAgIQaVPqB23wbJwX6GYNOcVqjjANBgkqhkiG9w0BAQUFADCB
> tTELMAkGA1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMR8wHQYDVQQL
> ExZWZXJpU2lnbiBUcnVzdCBOZXR3b3JrMTswOQYDVQQLEzJUZXJtcyBvZiB1c2Ug
> YXQgaHR0cHM6Ly93d3cudmVyaXNpZ24uY29tL3JwYSAoYykwOTEvMC0GA1UEAxMm
> VmVyaVNpZ24gQ2xhc3MgMyBTZWN1cmUgU2VydmVyIENBIC0gRzIwHhcNMTAwODA2
> MDAwMDAwWhcNMTIwODA1MjM1OTU5WjCBvjELMAkGA1UEBhMCREUxFTATBgNVBAgT
> DExvd2VyIFNheG9ueTESMBAGA1UEBxQJTHVlbmVidXJnMRkwFwYDVQQKFBBTZWN1
> cmVwb2ludCBHbWJIMRQwEgYDVQQLFAtOQUMgU3VwcG9ydDEzMDEGA1UECxQqVGVy
> bXMgb2YgdXNlIGF0IHd3dy52ZXJpc2lnbi5jb20vcnBhIChjKTA1MR4wHAYDVQQD
> FBVjb250cm9sbGVyLm1vYmlsZS5sYW4wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJ
> AoGBAMQmG4GgXYrI5S9ZuE5y9fubJiL2y93FdNFLr4NdBIN01pxIapT2T9kzJBvs
> Dpj8HujS35UBOj8njIqmRis2hDpe16RdcDgRSA2Uwviv+D2oECLuE64WY91OwpwF
> zEHrI115ZQ4oww03XNiDo1vwVnxfSyj37dGW5w3Kua80tm9DAgMBAAGjggHRMIIB
> zTAJBgNVHRMEAjAAMAsGA1UdDwQEAwIFoDBFBgNVHR8EPjA8MDqgOKA2hjRodHRw
> Oi8vU1ZSU2VjdXJlLUcyLWNybC52ZXJpc2lnbi5jb20vU1ZSU2VjdXJlRzIuY3Js
> MEQGA1UdIAQ9MDswOQYLYIZIAYb4RQEHFwMwKjAoBggrBgEFBQcCARYcaHR0cHM6
> Ly93d3cudmVyaXNpZ24uY29tL3JwYTAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYB
> BQUHAwIwHwYDVR0jBBgwFoAUpe8LEc7AQQOjSmWQSLIc4FctfUcwdgYIKwYBBQUH
> AQEEajBoMCQGCCsGAQUFBzABhhhodHRwOi8vb2NzcC52ZXJpc2lnbi5jb20wQAYI
> KwYBBQUHMAKGNGh0dHA6Ly9TVlJTZWN1cmUtRzItYWlhLnZlcmlzaWduLmNvbS9T
> VlJTZWN1cmVHMi5jZXIwbgYIKwYBBQUHAQwEYjBgoV6gXDBaMFgwVhYJaW1hZ2Uv
> Z2lmMCEwHzAHBgUrDgMCGgQUS2u5KJYGDLvQUjibKaxLB4shBRgwJhYkaHR0cDov
> L2xvZ28udmVyaXNpZ24uY29tL3ZzbG9nbzEuZ2lmMA0GCSqGSIb3DQEBBQUAA4IB
> AQAi4U2X4Jt+aj4Za7inz/+447opduqW044J9nad/xGMHvE2+LS5ATf03J8h8N4D
> vL401byz3827DFZT9ew9iu28OeuTst6oGFhqM3146fnOOC/PFB5dOkfzTRZIG3jB
> YLjzxmADu2C3LqDhEl8E6TtUkseeJP3lnMQ7n3F2MlWvqEKyMGywjJWjW8HtacFA
> XCPBgkawqcwF7VxexQsGysMpGV+V0GdV7/qLgu8+YRIgzW4Mub+y4o9jkwryZKWh
> +Axc+GljNF+1cnukMrVMTg5Bbp9MHGYKV/gdyVNQPGRD0C6orloAHN2Gl+om167h
> gKs4KGwdz3lb3Nbx0XKUgMl9
> -----END CERTIFICATE-----
>
> All the best,
> Jacob
>
> email protected and scanned by AdvascanTM - keeping email useful -
> www.advascan.com
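The reply's objection is that a certificate whose subject names a single FQDN cannot be presented for other hostnames without the client raising a name-mismatch error, which is exactly what makes this kind of interception visible to users. The following Go program is an added example, not part of the thread and not code from either poster: it parses the certificate quoted above (copied verbatim from the mail) and reports the properties that settle the question: the Subject CN, the absent subjectAltName list, the CA flag, the serverAuth EKU and the expiry date, then runs a hostname check against the CN and against a constructed sample name (`www.example.com`). The `legacyCN` switch is my own construct to model the Subject CN fallback that clients in 2012 still applied when no SAN was present; current clients ignore the CN, which is why the "SAN only" column matches nothing.

```go
package main

import (
	"crypto/x509"
	"encoding/pem"
	"fmt"
	"strings"
)

// hotelCertPEM is the certificate quoted in the thread above, copied verbatim.
const hotelCertPEM = `-----BEGIN CERTIFICATE-----
MIIFTjCCBDagAwIBAgIQaVPqB23wbJwX6GYNOcVqjjANBgkqhkiG9w0BAQUFADCB
tTELMAkGA1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMR8wHQYDVQQL
ExZWZXJpU2lnbiBUcnVzdCBOZXR3b3JrMTswOQYDVQQLEzJUZXJtcyBvZiB1c2Ug
YXQgaHR0cHM6Ly93d3cudmVyaXNpZ24uY29tL3JwYSAoYykwOTEvMC0GA1UEAxMm
VmVyaVNpZ24gQ2xhc3MgMyBTZWN1cmUgU2VydmVyIENBIC0gRzIwHhcNMTAwODA2
MDAwMDAwWhcNMTIwODA1MjM1OTU5WjCBvjELMAkGA1UEBhMCREUxFTATBgNVBAgT
DExvd2VyIFNheG9ueTESMBAGA1UEBxQJTHVlbmVidXJnMRkwFwYDVQQKFBBTZWN1
cmVwb2ludCBHbWJIMRQwEgYDVQQLFAtOQUMgU3VwcG9ydDEzMDEGA1UECxQqVGVy
bXMgb2YgdXNlIGF0IHd3dy52ZXJpc2lnbi5jb20vcnBhIChjKTA1MR4wHAYDVQQD
FBVjb250cm9sbGVyLm1vYmlsZS5sYW4wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJ
AoGBAMQmG4GgXYrI5S9ZuE5y9fubJiL2y93FdNFLr4NdBIN01pxIapT2T9kzJBvs
Dpj8HujS35UBOj8njIqmRis2hDpe16RdcDgRSA2Uwviv+D2oECLuE64WY91OwpwF
zEHrI115ZQ4oww03XNiDo1vwVnxfSyj37dGW5w3Kua80tm9DAgMBAAGjggHRMIIB
zTAJBgNVHRMEAjAAMAsGA1UdDwQEAwIFoDBFBgNVHR8EPjA8MDqgOKA2hjRodHRw
Oi8vU1ZSU2VjdXJlLUcyLWNybC52ZXJpc2lnbi5jb20vU1ZSU2VjdXJlRzIuY3Js
MEQGA1UdIAQ9MDswOQYLYIZIAYb4RQEHFwMwKjAoBggrBgEFBQcCARYcaHR0cHM6
Ly93d3cudmVyaXNpZ24uY29tL3JwYTAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYB
BQUHAwIwHwYDVR0jBBgwFoAUpe8LEc7AQQOjSmWQSLIc4FctfUcwdgYIKwYBBQUH
AQEEajBoMCQGCCsGAQUFBzABhhhodHRwOi8vb2NzcC52ZXJpc2lnbi5jb20wQAYI
KwYBBQUHMAKGNGh0dHA6Ly9TVlJTZWN1cmUtRzItYWlhLnZlcmlzaWduLmNvbS9T
VlJTZWN1cmVHMi5jZXIwbgYIKwYBBQUHAQwEYjBgoV6gXDBaMFgwVhYJaW1hZ2Uv
Z2lmMCEwHzAHBgUrDgMCGgQUS2u5KJYGDLvQUjibKaxLB4shBRgwJhYkaHR0cDov
L2xvZ28udmVyaXNpZ24uY29tL3ZzbG9nbzEuZ2lmMA0GCSqGSIb3DQEBBQUAA4IB
AQAi4U2X4Jt+aj4Za7inz/+447opduqW044J9nad/xGMHvE2+LS5ATf03J8h8N4D
vL401byz3827DFZT9ew9iu28OeuTst6oGFhqM3146fnOOC/PFB5dOkfzTRZIG3jB
YLjzxmADu2C3LqDhEl8E6TtUkseeJP3lnMQ7n3F2MlWvqEKyMGywjJWjW8HtacFA
XCPBgkawqcwF7VxexQsGysMpGV+V0GdV7/qLgu8+YRIgzW4Mub+y4o9jkwryZKWh
+Axc+GljNF+1cnukMrVMTg5Bbp9MHGYKV/gdyVNQPGRD0C6orloAHN2Gl+om167h
gKs4KGwdz3lb3Nbx0XKUgMl9
-----END CERTIFICATE-----`

// ParseCert decodes the first CERTIFICATE block in a PEM string.
func ParseCert(pemText string) (*x509.Certificate, error) {
	block, _ := pem.Decode([]byte(pemText))
	if block == nil || block.Type != "CERTIFICATE" {
		return nil, fmt.Errorf("no CERTIFICATE block found")
	}
	return x509.ParseCertificate(block.Bytes)
}

// HasServerAuth reports whether the Extended Key Usage lists serverAuth.
func HasServerAuth(cert *x509.Certificate) bool {
	for _, eku := range cert.ExtKeyUsage {
		if eku == x509.ExtKeyUsageServerAuth {
			return true
		}
	}
	return false
}

// nameMatches compares one certificate name with a host, case-insensitively,
// allowing "*" only as the whole left-most label (RFC 6125 style).
func nameMatches(pattern, host string) bool {
	pattern, host = strings.ToLower(pattern), strings.ToLower(host)
	if pattern == host {
		return true
	}
	i := strings.IndexByte(host, '.')
	return strings.HasPrefix(pattern, "*.") && i > 0 && pattern[2:] == host[i+1:]
}

// HostMatches reports whether host passes name checking against cert. SAN
// entries are authoritative when present; legacyCN (an assumption of this
// example) additionally allows the Subject CN fallback of 2012-era clients.
func HostMatches(cert *x509.Certificate, host string, legacyCN bool) bool {
	for _, n := range cert.DNSNames {
		if nameMatches(n, host) {
			return true
		}
	}
	return len(cert.DNSNames) == 0 && legacyCN && nameMatches(cert.Subject.CommonName, host)
}

func main() {
	cert, err := ParseCert(hotelCertPEM)
	if err != nil {
		panic(err)
	}
	fmt.Printf("CN=%q SAN=%v CA=%v serverAuth=%v notAfter=%s\n", cert.Subject.CommonName,
		cert.DNSNames, cert.IsCA, HasServerAuth(cert), cert.NotAfter.Format("2006-01-02"))
	// Constructed sample hostnames; only the CN itself is taken from the thread.
	for _, h := range []string{"controller.mobile.lan", "www.example.com"} {
		fmt.Printf("%-22s legacy CN fallback: %-5v SAN only: %v\n",
			h, HostMatches(cert, h, true), HostMatches(cert, h, false))
	}
}
```

The output makes the reply's point concrete: the certificate is a non-CA leaf with serverAuth EKU and no SAN, so it can authenticate `controller.mobile.lan` (and only under the old CN fallback) but no other name. A device that answers every `*:443` connection with it therefore produces a hostname-mismatch error on every site except its own portal, which is the signal a user or a monitoring client should treat as interception rather than click through.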
