[Cryptography] Threatwatch: CIN - Corruptor-Injector Network

Jerry Leichter leichter at lrw.com
Fri Aug 14 17:26:38 EDT 2015


>> yeh but then...
>> 
>> crt.sh - owned by comodo
>> comodo involved with privdog mitm
>> comodo issues certs for cloudflare
>> ben laurie works for google
>> 
>> none of above is a killer but would suggest not necessarily proof of no wrongdoing.
>> 
>> also, is injecting a modified version of chrome into an http stream impossible - i dont think so.
>> do ppl in general check md5 or other sums - nope, only paranoid cpunks :D
>> 
>> as for cryptostorm, they generally have been reliable and i would need to read more about CIN before i either dismiss or agree with them on this topic.
> 
> 
> Basically, yes.  The situation we are looking at isn't verifiable from the outside.
Perhaps this is true in some generic sense, but it's bizarre to say this in this case.

Someone *from Google* tells you stuff about stuff *done by Google* that's readily checked.  Is google.fr a SAN in the certificate in question?  Simply convert the damn cert into readable form and check.  Is this what Google *intended*?  Who should you ask other than someone *at Google*?  An OCSP at Google 404's if connected to by a browser.  Did Google intend that to happen?  Again ... who would you ask other than someone at Google.

You then have the second level question:  Is this a reasonable configuration?  And that's not hard to check.  For the google.fr case ... this is exactly what SAN's are for.  For OCSP's ... there's documentation out there, but what possible security vulnerability is returning a 404 supposed to represent, even if other OCSP providers choose to do something different.

Then there's all the weird stuff about Comodo and CT.  The question is whether this is a legitimate Google cert.  Someone from Google says it is.  Who else could make a stronger claim for that fact?  CT can provide some evidence that others have seen that cert from Google, which you can accept or not.

Really, this is an absurd claim at this point.  Think about it:  Someone claims that if you try to get stuff from Google, you'll be MITM'ed and will actually get something else.  Someone at Google says, no, what you're seeing is exactly what you should expect to see.  Let's look at the cases here:

1. Google and the person at Google are telling the truth as they understand it, and they are correct:  There's no MITM attack.
2. Google and the person at Google are telling the truth as they understand it, and they are *in*correct:  There really is a MITM attack.
3. Google and the person at Google are, honestly or dishonestly, telling you all is OK; but in fact there is no MITM attack.
4. Google and the person at Google are, honestly or dishonestly, telling you all is OK; but in fact there *is* a MITM attack.

In case 1, all is golden.

In case 2, it makes no difference who makes the statements - there's no point looking for conspiracies.  The attackers are just too good; go back to notes on paper left at dead drops.

In case 3, Google's incompetent, but in fact you're safe anyway.  (But it's hard to square this situation with the actual observations.)

That leaves us case 4 ... but it makes no sense.  If Google is complicit or has just had the wool pulled over its eyes - why would anyone bother with a MITM attack?  Just have Google distribute the "bad" versions of Chrome directly.

There's taking care, and there's tin-hattery.  If you fall into the latter pit ... The Terrorists/Eavesdroppers Have Won.  :-(

                                                        -- Jerry
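The "is google.fr a SAN in that certificate?" check Jerry describes comes down to reading the subjectAltName extension out of the DER-encoded certificate and matching a host name against the dNSName entries it carries. The following is an added example, not code from the thread: a minimal DER walk over a subjectAltName value plus an RFC 6125-style host matcher. The extension bytes (`SAMPLE_SAN`) and the helper names are constructed for this example and are not taken from any real Google certificate; `openssl x509 -in cert.pem -noout -text` shows the same structure in readable form for a real cert.

```python
"""Added example: decode a DER subjectAltName value and check host coverage.
The sample bytes below are constructed by hand; they are not a real certificate."""


def _read_tlv(buf, pos):
    """Read one DER tag-length-value at buf[pos]; return (tag, value, next_pos).
    Handles both short-form and long-form length encodings."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def san_dns_names(ext_value):
    """Return the dNSName entries of a subjectAltName extension value.

    ext_value is the DER GeneralNames SEQUENCE (the contents of the extnValue
    OCTET STRING).  dNSName is context tag [2] IMPLICIT IA5String, i.e. 0x82;
    other GeneralName choices (e.g. [7] iPAddress = 0x87) are skipped here."""
    tag, seq, _ = _read_tlv(ext_value, 0)
    if tag != 0x30:
        raise ValueError("subjectAltName must be a SEQUENCE of GeneralName")
    names, pos = [], 0
    while pos < len(seq):
        tag, val, pos = _read_tlv(seq, pos)
        if tag == 0x82:
            names.append(val.decode("ascii").lower())
    return names


def host_matches(host, pattern):
    """RFC 6125-style comparison: exact (case-insensitive) match, or a single
    leading wildcard label matching exactly one label, so '*.google.com'
    covers 'www.google.com' but not 'google.com' or 'a.b.google.com'."""
    host, pattern = host.lower(), pattern.lower()
    if not pattern.startswith("*."):
        return host == pattern
    h, p = host.split("."), pattern.split(".")
    return len(h) == len(p) and h[1:] == p[1:]


def cert_covers(host, ext_value):
    """True if any dNSName in the SAN extension covers the given host."""
    return any(host_matches(host, name) for name in san_dns_names(ext_value))


# --- constructed sample input (hypothetical, not a real certificate) ---------
def _general_name_dns(name):
    body = name.encode("ascii")
    return bytes([0x82, len(body)]) + body          # [2] dNSName


def _sequence(body):
    return bytes([0x30, len(body)]) + body          # short-form length is enough here


SAMPLE_SAN = _sequence(
    _general_name_dns("google.fr")
    + _general_name_dns("*.google.com")
    + _general_name_dns("google.com")
)

if __name__ == "__main__":
    print("dNSName entries:", san_dns_names(SAMPLE_SAN))
    for h in ("google.fr", "www.google.com", "a.b.google.com", "google.de"):
        print(f"{h:>16}: {'covered' if cert_covers(h, SAMPLE_SAN) else 'NOT covered'}")
```

The wildcard rule is the part worth getting right: a SAN of `*.google.com` does not make a certificate valid for the bare `google.com`, which is why real certificates list both forms, and why the presence of a specific name such as `google.fr` is a plain yes-or-no fact you can read straight out of the extension.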


