FBI entrapping hackers - using FBI self-signed SSL cert
12 points by amrali on March 9, 2013 | hide | past | favorite | 6 comments
They didn't even bother removing "Federal Bureau of Investigation" from the organization field on the "self-signed" SSL certificate. I'm not sure if I should feel flattered that I'm on the FBI radar for people of "skill" or insulted that they think I'd actually bite on something as low/primitive as darkode.

Are they looking for scraps? Or is this just entrapment to look good on the news? What I know is that they really need to step up their game if they want to get to the serious bunch.

http://i.imgur.com/3znIw4L.jpg



As someone who has generated a lot of self-signed certificates in my day, unless you did that on purpose it is very unlikely to occur.

In general I suspect that self-signed certificate is a joke in bad taste. What I'd be far more concerned about is their poor use of the SSL system, in the sense that they could and should have created their own CA and attached the CA's signing certificate to the e-mail, so the web-site (to known users) would have appeared correctly signed and would have made it slightly harder for law enforcement to intercept.

As is, law enforcement can just catch and release traffic (MITM), re-sign it with their own self-signed certificate and nobody would be the wiser...

Plus, if you really want to be amused then I suggest you check out the FBI's real SSL certificate on their web-site:

https://www.fbi.gov/


Yeah, the SSL cert part is the irony since darkode was infiltrated long ago now. It's amusing that they are seeking people out like that; I guess they are expecting a very low-profile catch.


Their certificate looks fine to me. What is amusing is that even though they strip out critical display elements from the website (probably css), they still manage to display insecure content.


- Subject is invalid (and wrong)

- Overly broad (*.fbi.com); could have used "Subject Alternative Name" to list sub-domains instead.

- 3-year duration (for the FBI?). I mean for small online shops that is fine, but many companies are now rolling their certificates yearly or bi-yearly (e.g. Amazon, Bank Of America, HSBC, etc.).

On the positive side they are using a 2048 bit key length. I dunno. I guess it depends to what standard you hold the FBI up to. If you think their site should be as secure as a banking site or large online retailer then they fail at that...

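The two checks raised in this thread, whether a certificate chains to a CA that users received out of band (the earlier comment's point about a private CA making a re-signed MITM certificate stand out) and the field-by-field critique above (self-signed, organisation field, wildcard subject vs. SubjectAltName, multi-year validity, key length), can be scripted against any parsed certificate. The following is an added example written for this page, not code from the thread or from any tool it mentions; it uses only Go's standard library, and the three certificates it builds (a private CA, a one-year leaf it issues for the made-up host forum.example, and a separate three-year self-signed wildcard certificate with a constructed organisation name) are constructed in the block itself. The helpers issue, template, AuditCert, VerifyAgainstRoot and BuildDemo are hypothetical names chosen here.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// issue signs tmpl with parent/parentKey; when parent is nil the certificate is
// self-signed with its own freshly generated key. Hypothetical helper.
func issue(tmpl, parent *x509.Certificate, parentKey *rsa.PrivateKey) (*x509.Certificate, *rsa.PrivateKey, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// template builds a certificate template carrying the fields the audit inspects.
func template(serial int64, org, cn string, dnsNames []string, years int, isCA bool) *x509.Certificate {
	now := time.Now()
	t := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{Organization: []string{org}, CommonName: cn},
		DNSNames:              dnsNames,
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.AddDate(years, 0, 0),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
	}
	if isCA {
		t.IsCA = true
		t.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
		t.ExtKeyUsage = nil
	}
	return t
}

// AuditCert applies the thread's checks to a parsed certificate and returns
// one observation string per point that applies.
func AuditCert(c *x509.Certificate) []string {
	var out []string
	if bytes.Equal(c.RawIssuer, c.RawSubject) {
		out = append(out, "self-signed (issuer equals subject)")
	}
	for _, o := range c.Subject.Organization {
		out = append(out, "organisation field: "+o) // names whoever generated the cert
	}
	for _, n := range append([]string{c.Subject.CommonName}, c.DNSNames...) {
		if strings.HasPrefix(n, "*.") {
			out = append(out, "wildcard name "+n+" (prefer listing hosts in SubjectAltName)")
		}
	}
	if c.NotAfter.Sub(c.NotBefore) > 2*365*24*time.Hour {
		out = append(out, "validity longer than two years")
	}
	if pub, ok := c.PublicKey.(*rsa.PublicKey); ok && pub.N.BitLen() < 2048 {
		out = append(out, "RSA key shorter than 2048 bits")
	}
	return out
}

// HasFinding reports whether any observation starts with prefix.
func HasFinding(findings []string, prefix string) bool {
	for _, f := range findings {
		if strings.HasPrefix(f, prefix) {
			return true
		}
	}
	return false
}

// VerifyAgainstRoot checks that leaf chains to root for host. With the CA
// distributed out of band, a certificate re-signed by anyone else fails here.
func VerifyAgainstRoot(leaf, root *x509.Certificate, host string) error {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, DNSName: host})
	return err
}

// Demo holds the three constructed certificates used by the example.
type Demo struct{ CA, Leaf, Rogue *x509.Certificate }

// BuildDemo creates a private CA, a one-year leaf it issues for forum.example,
// and a separate three-year self-signed wildcard certificate (all constructed).
func BuildDemo() (*Demo, error) {
	ca, caKey, err := issue(template(1, "Example Private CA (constructed)", "Example Private CA", nil, 10, true), nil, nil)
	if err != nil {
		return nil, err
	}
	leaf, _, err := issue(template(2, "Example Forum (constructed)", "forum.example", []string{"forum.example"}, 1, false), ca, caKey)
	if err != nil {
		return nil, err
	}
	rogue, _, err := issue(template(3, "Example Bureau (constructed)", "*.forum.example", []string{"*.forum.example"}, 3, false), nil, nil)
	if err != nil {
		return nil, err
	}
	return &Demo{CA: ca, Leaf: leaf, Rogue: rogue}, nil
}

func main() {
	d, err := BuildDemo()
	if err != nil {
		panic(err)
	}
	for name, c := range map[string]*x509.Certificate{"leaf": d.Leaf, "rogue": d.Rogue} {
		fmt.Printf("%s: verify=%v audit=%v\n", name, VerifyAgainstRoot(c, d.CA, "forum.example"), AuditCert(c))
	}
}
```

Run with `go run .`: the CA-issued leaf verifies and audits clean, while the self-signed wildcard certificate fails verification against the private root and collects the self-signed, wildcard and long-validity observations. The audit deliberately reports the organisation field as an observation rather than a defect, since the thread's point is that this field identifies whoever generated the certificate.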

Wow.

Maybe they're not going after "skill"; they're going after people dumb enough to register.[0] They can pick up script kids that look good for the cameras and will undoubtedly brag about all their "hacking" exploits, making them easier to convict.

[0]: 419 scammers use the same tactic to weed out people who likely won't fall for a 419 scam.


I think they have bigger fish to fry given all the higher-profile attacks that have been showering the place for quite some time. Maybe you're right and they are just after many low-profile kids instead of that one big fish, to make some noise and show that they have been doing something.
