<div dir="ltr"><br><br><div class="gmail_quote"><div dir="ltr">On Sun, 9 Aug 2015 at 20:25 ianG <<a href="mailto:iang@iang.org">iang@iang.org</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">There's a long post by "cryptostorm_team" that describes a capture of<br>
the activity of a CIN or Corruptor-Injector Network.<br>
<br>
<a href="https://cryptostorm.org/viewtopic.php?f=67&t=8713" rel="noreferrer" target="_blank">https://cryptostorm.org/viewtopic.php?f=67&t=8713</a><br>
<br>
The short story appears to be malware injected into the router which<br>
then proceeds to present a false view of many things, including google<br>
sites and chrome downloads.<br>
<br>
That last part again - the CIN appears to be capable of injecting a<br>
special download of Chrome which then participates in the false<br>
presentation to the user.  Given the complexity of modern software I'd say<br>
this to be an impossible task except for a very well funded, long term<br>
adversary.<br></blockquote><div><br></div><div>Or, actually, it is impossible.</div><div><br></div><div>That article appears to be complete nonsense.</div><div><br></div><div>For example:</div><br>"This certificate identifies itself (via CN field) as *.<a href="http://google.com">google.com</a> despite being served during a putative session with <a href="http://google.fr">google.fr</a>(again, this kind of obvious certificate misconfiguration is all but impossible to imagine google doing in production systems):"</div><div class="gmail_quote"><br></div><div class="gmail_quote">Impossible to imagine, but ... true. The certificate is fine, <a href="http://google.fr">google.fr</a> is a SAN.</div><div class="gmail_quote"><br></div><div class="gmail_quote">This supposedly fake certificate, btw, is well known to CT:</div><div class="gmail_quote"><br></div><div class="gmail_quote"><a href="https://crt.sh/?q=4B9D33E64EF6104E2043BF1E0928924F6D41337A">https://crt.sh/?q=4B9D33E64EF6104E2043BF1E0928924F6D41337A</a><br></div><div class="gmail_quote"><br></div><div class="gmail_quote">Another example:</div><br>"<a href="http://clients1.google.com/ocsp">http://clients1.google.com/ocsp</a> 404s when loaded.This is not the sort of thing one will find in a legitimately Google-issued certificate, created less than 10 days ago."<div><br></div><div>Oh yes it is. 
That is completely correct behaviour for an OCSP responder.</div><div><br></div><div>The alleged bad certificate, btw, for future record is:</div><div><br></div><div>To be clear, it isn't fake.</div></div>
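The CN-versus-SAN point made in the reply above, as an added example that is not part of the thread: browser-style hostname matching (RFC 6125 / RFC 2818 rules) ignores the Common Name entirely once a certificate carries subjectAltName dNSNames, and a wildcard covers exactly one left-most label. The SAN list and CN below are constructed for illustration, not decoded from the certificate in the thread.

```python
"""Hostname matching against a certificate's subjectAltName dNSNames.

Added example (not from the thread). When a certificate has a SAN
extension, only the SAN dNSName entries are consulted and the CN is
ignored; "*.google.fr" therefore makes the certificate valid for
www.google.fr even though the CN reads "*.google.com".
"""

# Constructed SAN list and CN, loosely modelled on a multi-domain
# certificate; not decoded from the certificate in the thread.
SAMPLE_SAN_DNSNAMES = ["*.google.com", "*.google.fr", "*.google.co.uk", "google.com"]
SAMPLE_CN = "*.google.com"


def _normalize(name: str) -> str:
    # DNS names compare case-insensitively; drop a trailing root dot.
    return name.lower().rstrip(".")


def dnsname_matches(pattern: str, hostname: str) -> bool:
    """Return True if a single SAN dNSName pattern covers hostname."""
    pattern, hostname = _normalize(pattern), _normalize(hostname)
    if "*" not in pattern:
        return pattern == hostname
    plabels, hlabels = pattern.split("."), hostname.split(".")
    # Only a whole left-most label may be a wildcard, and it must be
    # followed by at least two more labels (so "*.com" is rejected).
    if plabels[0] != "*" or len(plabels) < 3 or "*" in plabels[1:]:
        return False
    # A wildcard spans exactly one label, so the label counts must agree;
    # this is why "*.google.fr" does not cover the bare name "google.fr".
    return len(hlabels) == len(plabels) and hlabels[1:] == plabels[1:]


def hostname_valid_for_cert(hostname: str, san_dnsnames, cn=None) -> bool:
    """Browser-style check: SANs decide; the CN is consulted only if no SAN exists."""
    if san_dnsnames:
        return any(dnsname_matches(p, hostname) for p in san_dnsnames)
    return cn is not None and dnsname_matches(cn, hostname)


if __name__ == "__main__":
    for host in ["www.google.fr", "google.fr", "mail.google.com", "a.b.google.com"]:
        print(host, hostname_valid_for_cert(host, SAMPLE_SAN_DNSNAMES, SAMPLE_CN))
```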