From: "Ronald F. Guilmette" <rfg@tristatelogic.com>
To: freebsd-security@freebsd.org
Subject: Two Dumb Questions
Date: Sun, 25 Sep 2016 23:42:34 -0700
Message-ID: <32084.1474872154@segfault.tristatelogic.com>

Sorry folks. I'm almost entirely ignorant about everything crypto, and these questions would probably be better asked elsewhere, but you all on this list are nicer than folks elsewhere, and probably will have the kindness not to poke too much fun at my ignorance. So, here goes...
First question: Regarding the specific kind of MiM deception being discussed in the following old article (which appears to be from way back in 2010), I'm confused by the assertion that it would be necessary to either bribe or bully some CA into handing out a fraudulent cert in order to make the scheme work: https://www.wired.com/2010/03/packet-forensics/

Here's my point: If you really have already managed to become the man-in-the-middle anyway, then couldn't you just dummy up any and all responses, including those for DNS, in such a way as to make it all appear to the victim that everything was "normal", you know, such that he can see the cute little padlock symbol to the left of the URL in the browser?

Second question: I've been trying to do some very simple-minded early reconnaissance on something that I believe to be a Really Bad Domain. The web site for the domain doesn't appear to use SSL at all, however when I went to this site: https://censys.io/ and punched in the domain name and then clicked on "certificates" I was surprised to find three different ones shown for the domain in question, all three apparently issued by "Let's Encrypt Authority X3".

So anyway, my question is real simple: Is there some way to work backwards from those in order to get some clues... any clues... about the identities of the actual owners/operators of this specific domain and/or its associated web site?

Thanks in advance for any and all enlightenment.

Regards,
rfg