FBI entrapping hackers - using FBI self-signed SSL cert
They didn't even bother removing "Federal Bureau of Investigation" from the organization field on the "self-signed" SSL certificate. I'm not sure if I should feel flattered that I'm on the FBI radar for people of "skill" or insulted that they think I'd actually bite on something as low/primitive as darkode.
Are they looking for scraps? Or is this just entrapment to look good on the news? What I know is that they really need to step up their game if they want to get to the serious bunch.
http://i.imgur.com/3znIw4L.jpg
6 comments
[ 4.2 ms ] story [ 32.3 ms ] threadMaybe they're not going after "skill", they're going after people dumb enough to register.[0] They can pick up script kids that look good for the cameras and will undoubtedly brag about all their "hacking" exploits making them easier to convict.
[0]: 419 scammers use the same tactic to weed out people who likely won't fall for a 419 scam.
In general I suspect that self signed certificate is a joke in bad taste. What I'd be far more concerned about is their poor use of the SSL system, in the sense that they could and should have created their own CA and attached the CA's signing certificate to the e-mail, so the web-site (to known users) would have appeared correctly signed and would have made it slightly harder for law enforcement to intercept.
As is law enforcement can just catch and release traffic (MITM), re-sign it with their own self-signed certificate and nobody would be the wiser...
Plus, if you really want to be amused then I suggest you check out the FBI's real SSL certificate on their web-site:
https://www.fbi.gov/
- Overly broad (*.fbi.com) could have used "Subject Alternative Name" to list sub-domains instead.
- 3 year duration (for the FBI?). I mean for small online shops, that is fine, but many companies are now rolling their certificates yearly or bi-yearly (e.g. Amazon, Bank Of America, HSBC, etc).
On the positive side they are using a 2048 bit key length. I dunno. I guess it depends to what standard you hold the FBI up to. If you think their site should be as secure as a banking site or large online retailer then they fail at that...