
As someone who has generated a lot of self-signed certificates in my day, unless you did that on purpose it is very unlikely to occur.

In general I suspect that self-signed certificate is a joke in bad taste. What I'd be far more concerned about is their poor use of the SSL system, in the sense that they could and should have created their own CA and attached the CA's signing certificate to the e-mail, so the web-site (to known users) would have appeared correctly signed and would have made it slightly harder for law enforcement to intercept.

As is, law enforcement can just catch and release traffic (MITM), re-sign it with their own self-signed certificate and nobody would be the wiser...

Plus, if you really want to be amused then I suggest you check out the FBI's real SSL certificate on their web-site:

https://www.fbi.gov/



Yeah the SSL cert part is the irony since darkode has been infiltrated long ago now. It's amusing that they are seeking people out like that, I guess they are expecting very low profile catch.


Their certificate looks fine to me. What is amusing is that even though they strip out critical display elements from the website (probably css), they still manage to display insecure content.


- Subject is invalid (and wrong)

- Overly broad (*.fbi.com); could have used "Subject Alternative Name" to list sub-domains instead.

- 3 year duration (for the FBI?). I mean for small online shops, that is fine, but many companies are now rolling their certificates yearly or bi-yearly (e.g. Amazon, Bank Of America, HSBC, etc).

On the positive side they are using a 2048 bit key length. I dunno. I guess it depends to what standard you hold the FBI up to. If you think their site should be as secure as a banking site or large online retailer then they fail at that...
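The checks listed in this comment (subject/CN not matching the site, a wildcard instead of an explicit SAN list, multi-year validity), as an added Python example that is not part of the thread: it audits a certificate in the dict format that the standard library's `ssl.SSLSocket.getpeercert()` returns. The two sample certificates are constructed to mirror the complaints above and are not the FBI's actual certificate data. The 398-day ceiling is the CA/Browser Forum limit for publicly trusted certificates; key length is not exposed by `getpeercert()`, so that check is left out.

```python
import ssl

# Constructed sample in the shape of ssl.SSLSocket.getpeercert(); the values are
# made up to mirror the thread's complaints, not taken from a real certificate.
BAD_CERT = {
    "subject": ((("countryName", "US"),),
                (("organizationName", "Example Agency"),),
                (("commonName", "*.fbi.com"),)),
    "notBefore": "Jul 14 00:00:00 2015 GMT",
    "notAfter": "Jul 14 00:00:00 2018 GMT",   # three years
    # no subjectAltName extension at all
}

# Constructed "fixed" version: explicit SAN entries, one-year validity.
GOOD_CERT = {
    "subject": ((("commonName", "www.fbi.gov"),),),
    "subjectAltName": (("DNS", "www.fbi.gov"), ("DNS", "fbi.gov")),
    "notBefore": "Jul 14 00:00:00 2015 GMT",
    "notAfter": "Jul 13 00:00:00 2016 GMT",
}

# CA/Browser Forum maximum validity for publicly trusted certificates (days).
MAX_VALIDITY_DAYS = 398


def subject_fields(cert: dict) -> dict:
    """Flatten the nested RDN tuples of getpeercert() into {field: value}."""
    return {k: v for rdn in cert.get("subject", ()) for (k, v) in rdn}


def hostname_matches(pattern: str, host: str) -> bool:
    """RFC 6125 style match: a wildcard may only be the whole leftmost label
    and covers exactly one label, so '*.fbi.com' never matches 'www.fbi.gov'
    and '*.fbi.gov' never matches 'a.b.fbi.gov' or bare 'fbi.gov'."""
    pattern, host = pattern.lower(), host.lower()
    if "*" not in pattern:
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def validity_days(cert: dict) -> int:
    """Lifetime in whole days, parsed with the stdlib's cert time format."""
    start = ssl.cert_time_to_seconds(cert["notBefore"])
    end = ssl.cert_time_to_seconds(cert["notAfter"])
    return int((end - start) // 86400)


def audit_cert(cert: dict, expected_host: str, max_days: int = MAX_VALIDITY_DAYS) -> list:
    """Return a list of hygiene findings; an empty list means the cert passes."""
    findings = []
    cn = subject_fields(cert).get("commonName")
    sans = [v for (kind, v) in cert.get("subjectAltName", ()) if kind == "DNS"]
    names = sans or ([cn] if cn else [])

    if not sans:
        findings.append("no DNS subjectAltName: clients match on SAN, CN-only certificates are deprecated")
    if not any(hostname_matches(n, expected_host) for n in names):
        findings.append(f"no listed name matches {expected_host}: {names}")
    for n in names:
        if n.startswith("*."):
            findings.append(f"wildcard name {n}: list the intended hosts in the SAN instead")
    days = validity_days(cert)
    if days > max_days:
        findings.append(f"validity of {days} days exceeds the {max_days}-day limit")
    return findings


if __name__ == "__main__":
    # A live peer's dict can be obtained with
    #   ctx.wrap_socket(sock, server_hostname=host).getpeercert()
    # after a verified handshake; here we only run over the constructed samples.
    for label, cert in (("bad", BAD_CERT), ("good", GOOD_CERT)):
        print(label, audit_cert(cert, "www.fbi.gov") or ["no findings"])
```

The matcher deliberately rejects a wildcard that spans more than one label and one that is not the whole leftmost label, which is what browsers enforce; a certificate that only passes a looser matcher would still be rejected in the field.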
