nationwide interception of Facebook & webmail login credentials in Tunisia

Passive PROFITS passiveprofits at yahoo.com
Tue Feb 1 12:06:26 GMT 2011


--- On Mon, 1/31/11, Richard Clayton <richard at highwayman.com> wrote:

> From: Richard Clayton <richard at highwayman.com>
> Subject: Re: nationwide interception of Facebook & webmail login credentials in Tunisia
> To: UKcrypto at chiark.greenend.org.uk
> Date: Monday, January 31, 2011, 7:46 AM
> In article <967819.51174.qm at web110516.mail.gq1.yahoo.com>, Passive PROFITS <passiveprofits at yahoo.com> writes
> 
> >So Cert Patrol just picked up an SSL certificate switch for
> >encrypted.google.com; here's the new SHA1 fingerprint I've got...
> >
> >F1:BD:D4:59:78:7F:6B:EB:2F:4D:A8:72:E1:74:86:53:79:6B:3A:DD
> >
> >Anyone confirm they've also had a switch
> 
> Yes I have that one too...  apparently it is valid from 5Jan11 to 5Jan12

Many thanks for this Richard, truly appreciated.  

FYI, Cert Patrol also noticed (rather a neat feature), that the switch had occurred before the expiry of the previous certificate, which is why it was flagged by Cert Patrol as 'suspicious' [apart from the switch itself which it would also have noticed regardless I think/assume].

Great extension!  Though I'm no coder, and cannot check its bona fides; it does seem to work as advertised on the tin, which is always nice! :)

> My guess would be that the previous cert was about to expire so they
> have bought a new one, and now pushed it out...

Ibid; it was pushed out early; 263 days early, after only 102 days' use (why? This does of course seem highly suspicious, as in theory there would have been no need for this new cert at all for some considerable period of time).  The obvious (though not necessarily correct) implication is that the private key AND/OR passphrase have been stolen or lost, etc.; essentially compromised in some way.  

A Google for any info on the new certificate issue (though only a quick few search phrases) brought up no info whatsoever relating to this particular new certificate yesterday [done before I made the post here], in and of itself, a highly unsatisfactory state of affairs, most especially in the light of events around the world this week and last.

I took a screen shot of the Cert Patrol screen, if you're interested I could send on or off list (I do not know if this list is capable or desirous of any attachments flowing through it - moderator/owner?).  If this list does not accept (or does but has a policy of not doing so) attachments, I can upload to make available for a few hours, if more than just yourself would wish to take a peek at the screen shot?

> ... means the next push will be smack in the middle of Xmas/New Year
> next year. Some lucky sysadmin will not be pleased!

Ibid; not necessarily; they seem to have changed this cert after only 102 days validity (rather than use; not sure when it was first brought into use, as opposed to 'minted').

> I note that Google have chosen to go with a 1024bit cert again, despite
> strong US Government encouragement for 2048bits. I expect that's because
> they can't face making the longer certs work on mobile platforms.

Unable to intelligently comment on this I'm afraid to say, other than it's public domain knowledge AFAIK (reported at least in the UK press by the London Evening Standard) that Google was CIA venture capital fund seeded, i.e. who knows who you're really dealing with with Google.

Thanks again for the confirmation though, very much appreciated.

Sincerely,

PP
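The triage the thread is doing by hand (a pinned fingerprint no longer matches, the old certificate still had a long time to run, and the new key is shorter than current guidance) can be expressed as a small check. The following is an added example, not code from the ukcrypto post or from the Cert Patrol extension, and it uses only the Python standard library. The fingerprint is computed over constructed dummy bytes rather than the real encrypted.google.com certificate, and the previous certificate's validity dates are constructed so that the arithmetic reproduces the figures quoted in the thread (102 days of use, 263 days before expiry); the new certificate's dates are the ones Richard Clayton reports. The `early_days` and `min_key_bits` thresholds are assumptions, not anything the list settled on.

```python
"""Certificate-change triage in the spirit of a Cert Patrol alert (added example)."""
import hashlib
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class CertRecord:
    """What a pinning tool remembers about the certificate it last saw for a host."""
    host: str
    fingerprint_sha1: str            # colon-separated uppercase hex, as Cert Patrol shows it
    not_before: date
    not_after: date
    key_bits: Optional[int] = None   # RSA modulus size, if the tool recorded it


def sha1_fingerprint(der: bytes) -> str:
    """Colon-separated SHA1 fingerprint of a DER-encoded certificate."""
    digest = hashlib.sha1(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def assess_change(pinned: CertRecord, observed: CertRecord, seen_on: date,
                  early_days: int = 30, min_key_bits: int = 2048) -> dict:
    """Classify a fingerprint change for one host.

    A change is 'routine' when the pinned certificate was within `early_days`
    of expiry (or already expired) and 'suspicious' when it was replaced while
    it still had plenty of validity left, which is exactly what the thread
    found odd. Thresholds are assumptions for this example.
    """
    if pinned.host != observed.host:
        raise ValueError("records are for different hosts")
    if pinned.fingerprint_sha1 == observed.fingerprint_sha1:
        return {"changed": False, "verdict": "unchanged", "notes": []}

    notes = []
    days_in_use = (seen_on - pinned.not_before).days
    days_early = (pinned.not_after - seen_on).days
    if days_early > early_days:
        verdict = "suspicious"
        notes.append(f"replaced {days_early} days before expiry after "
                     f"{days_in_use} days of use")
    elif days_early >= 0:
        verdict = "routine"
        notes.append(f"renewed {days_early} days before expiry")
    else:
        verdict = "routine"
        notes.append("previous certificate had already expired")
    if observed.key_bits is not None and observed.key_bits < min_key_bits:
        notes.append(f"new key is only {observed.key_bits} bits "
                     f"(policy minimum {min_key_bits})")
    return {"changed": True, "verdict": verdict, "days_in_use": days_in_use,
            "days_early": days_early, "notes": notes}


# Constructed sample data. The DER bytes are dummies, not real certificates; the
# previous certificate's dates are chosen so the numbers match the thread.
OLD_DER = b"constructed-previous-certificate"
NEW_DER = b"constructed-replacement-certificate"
PINNED = CertRecord("encrypted.google.com", sha1_fingerprint(OLD_DER),
                    date(2010, 9, 25), date(2011, 9, 25), key_bits=1024)
OBSERVED = CertRecord("encrypted.google.com", sha1_fingerprint(NEW_DER),
                      date(2011, 1, 5), date(2012, 1, 5), key_bits=1024)
SWITCH_SEEN = date(2011, 1, 5)   # the day the new fingerprint was first observed


if __name__ == "__main__":
    result = assess_change(PINNED, OBSERVED, SWITCH_SEEN)
    print(f"{OBSERVED.host}: {result['verdict']}")
    for note in result["notes"]:
        print("  -", note)
```

Run stand-alone, the sample flags the switch as suspicious because the pinned certificate still had 263 days to run, and separately notes the 1024-bit key; a change seen a few days before expiry with a 2048-bit key would come out as routine with no notes beyond the renewal itself.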
