[cryptography] yet another certificate MITM attack

Jeffrey Walton noloader at gmail.com
Sat Jan 12 06:21:47 EST 2013


On Thu, Jan 10, 2013 at 4:53 PM, ianG <iang at iang.org> wrote:
> On 7/01/13 14:33 PM, ianG wrote:
>>
>> ...
>
> http://gaurangkp.wordpress.com/2013/01/09/nokia-https-mitm/
>
> Pictures above seem to indicate VeriSign as the CA, but whether that means
> they know about the MITMing is not clear.
Might as well pin it for posterity. It looks like the server is well
configured. The 3 levels is somewhat odd (I usually only see 2 here).

Jeff

$ echo "GET HTTP/1.0" | openssl s_client -connect cloud1.browser.ovi.com:443
CONNECTED(00000003)
depth=2 /C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006
VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public
Primary Certification Authority - G5
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
 0 s:/C=US/ST=Illinois/L=Itasca/O=Nokia/OU=OVI Browser/CN=cloud1.browser.ovi.com
   i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use
at https://www.verisign.com/rpa (c)10/CN=VeriSign Class 3
International Server CA - G3
 1 s:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use
at https://www.verisign.com/rpa (c)10/CN=VeriSign Class 3
International Server CA - G3
   i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006
VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public
Primary Certification Authority - G5
 2 s:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006
VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public
Primary Certification Authority - G5
   i:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
---
Server certificate
subject=/C=US/ST=Illinois/L=Itasca/O=Nokia/OU=OVI
Browser/CN=cloud1.browser.ovi.com
issuer=/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of
use at https://www.verisign.com/rpa (c)10/CN=VeriSign Class 3
International Server CA - G3
---
No client certificate CA names sent
---
SSL handshake has read 4713 bytes and written 444 bytes
---
New, TLSv1/SSLv3, Cipher is RC4-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : RC4-SHA
    Session-ID: 0A99236EC232948C3E0F12B04471B4F5DB4F5A9247A345C9C24B5C4CDDCB100C
    Session-ID-ctx:
    Master-Key:
D1FA6870F40DCEE21965B33FE99E06996BAEF8F2EF7FE88C92502D12DCB8794C59BF993100B583D9A077A915C2AA36FD
    Key-Arg   : None
    Start Time: 1357989238
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
DONE
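A small checker for the "Certificate chain" block that s_client prints, added here as an example and not part of Jeff's post. It assumes the three distinguished names are re-joined from the line-wrapped output above, links certificates by name only (no signature verification, since that is all the text listing gives you), and records a name snapshot so a later run against the same host can be diffed; it also shows why the chain has three levels here: the last certificate is not self-signed, so the local store must hold its issuer.

```python
"""Name-level checks over an `openssl s_client` certificate-chain listing."""
import re

# Constructed sample: the chain printed in the s_client run above, wrapped DNs re-joined.
SAMPLE_CHAIN = """\
 0 s:/C=US/ST=Illinois/L=Itasca/O=Nokia/OU=OVI Browser/CN=cloud1.browser.ovi.com
   i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)10/CN=VeriSign Class 3 International Server CA - G3
 1 s:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)10/CN=VeriSign Class 3 International Server CA - G3
   i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
 2 s:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
   i:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
"""

# One chain entry: a depth number with its "s:" subject line and the "i:" issuer line below it.
ENTRY_RE = re.compile(r"^\s*(\d+) s:(.*)\n\s*i:(.*)$", re.MULTILINE)


def parse_chain(text):
    """Return [(depth, subject, issuer), ...] in the order the server sent them."""
    return [(int(d), s.strip(), i.strip()) for d, s, i in ENTRY_RE.findall(text)]


def check_chain(entries):
    """Confirm each issuer names the next subject and report the trust anchor needed.

    Returns (linked_ok, depth, anchor_dn). A broken link means the server sent an
    unordered or unrelated chain. If the last certificate is self-signed the server
    shipped its root; otherwise that certificate is cross-signed and the local
    store must contain its issuer (the case in the listing above).
    """
    for (_, _, issuer), (_, next_subject, _) in zip(entries, entries[1:]):
        if issuer != next_subject:
            return False, len(entries), issuer
    _, last_subject, last_issuer = entries[-1]
    anchor = last_subject if last_subject == last_issuer else last_issuer
    return True, len(entries), anchor


def chain_changed(baseline, current):
    """Depths whose (subject, issuer) differ from the recorded snapshot.

    A name snapshot is a tripwire for a swapped chain, not a substitute for
    pinning the public key itself.
    """
    return [d for (d, s, i), (_, s2, i2) in zip(baseline, current) if (s, i) != (s2, i2)]


if __name__ == "__main__":
    chain = parse_chain(SAMPLE_CHAIN)
    print(check_chain(chain))
```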