FBI entrapping hackers - using FBI self-signed SSL cert

12 pointsamrali13y ago6 comments

They didn't even bother removing "Federal Bureau of Investigation" from the organization field on the "self-signed" SSL certificate. I'm not sure if I should feel flattered that I'm on the FBI radar for people of "skill" or insulted that they think I'd actually bite on something as low/primitive as darkode.

Are they looking for scraps? Or is this just entrapment to look good on the news? What I know is that they really need to step up their game if they want to get to the serious bunch.

http://i.imgur.com/3znIw4L.jpg

6 comments

UnoriginalGuy13y ago

As someone who has generated a lot of self-signed certificates in my day, unless you did that on purpose it is very unlikely to occur.

In general I suspect that self signed certificate is a joke in bad taste. What I'd be far more concerned about is their poor use of the SSL system, in the sense that they could and should have created their own CA and attached the CA's signing certificate to the e-mail, so the web-site (to known users) would have appeared correctly signed and would have made it slightly harder for law enforcement to intercept.

As is law enforcement can just catch and release traffic (MITM), re-sign it with their own self-signed certificate and nobody would be the wiser...

Plus, if you really want to be amused then I suggest you check out the FBI's real SSL certificate on their web-site:

https://www.fbi.gov/

amraliOP13y ago

Yeah the SSL cert part is the irony since darkode has been infiltrated long ago now. It's amusing that they are seeking people out like that, I guess they are expecting very low profile catch.

gizmo68613y ago

Their certificate looks fine to me. What is amusing is that even though they strip out critical display elements from the website (probably css), they still manage to display insecure content.

UnoriginalGuy13y ago

- Subject is invalid (and wrong)

- Overly broad (*.fbi.com) could have used "Subject Alternative Name" to list sub-domains instead.

- 3 year duration (for the FBI?). I mean for small online shops, that is fine, but many companies are now rolling their certificates yearly or bi-yearly (e.g. Amazon, Bank Of America, HSBC, etc).

On the positive side they are using a 2048 bit key length. I dunno. I guess it depends to what standard you hold the FBI up to. If you think their site should be as secure as a banking site or large online retailer then they fail at that...

unimpressive13y ago

Wow.

Maybe they're not going after "skill", they're going after people dumb enough to register.[0] They can pick up script kids that look good for the cameras and will undoubtedly brag about all their "hacking" exploits making them easier to convict.

[0]: 419 scammers use the same tactic to weed out people who likely won't fall for a 419 scam.

amraliOP13y ago

I think they have a bigger fish to fry given all the higher profile attacks that have been showering the place for quite sometime. Maybe you're right and they are just after many low-profile kids instead of that one big fish to make some noise and show that they have been doing something.

j / k navigate · click thread line to collapse

6 comments

UnoriginalGuy13y ago

As someone who has generated a lot of self-signed certificates in my day, unless you did that on purpose it is very unlikely to occur.

As is law enforcement can just catch and release traffic (MITM), re-sign it with their own self-signed certificate and nobody would be the wiser...

Plus, if you really want to be amused then I suggest you check out the FBI's real SSL certificate on their web-site:

https://www.fbi.gov/

amraliOP13y ago

Yeah the SSL cert part is the irony since darkode has been infiltrated long ago now. It's amusing that they are seeking people out like that, I guess they are expecting very low profile catch.

gizmo68613y ago

Their certificate looks fine to me. What is amusing is that even though they strip out critical display elements from the website (probably css), they still manage to display insecure content.

UnoriginalGuy13y ago

- Subject is invalid (and wrong)

- Overly broad (*.fbi.com) could have used "Subject Alternative Name" to list sub-domains instead.

- 3 year duration (for the FBI?). I mean for small online shops, that is fine, but many companies are now rolling their certificates yearly or bi-yearly (e.g. Amazon, Bank Of America, HSBC, etc).

unimpressive13y ago

Wow.

[0]: 419 scammers use the same tactic to weed out people who likely won't fall for a 419 scam.

amraliOP13y ago

j / k navigate · click thread line to collapse