

FBI entrapping hackers - using FBI self-signed SSL cert - amrali

They didn't even bother removing "Federal Bureau of Investigation" from the organization field on the "self-signed" SSL certificate. I'm not sure if I should feel flattered that I'm on the FBI radar for people of "skill" or insulted that they think I'd actually bite on something as low/primitive as darkode.

Are they looking for scraps? Or is this just entrapment to look good on the news? What I know is that they really need to step up their game if they want to get to the serious bunch.

http://i.imgur.com/3znIw4L.jpg
======
UnoriginalGuy
As someone who has generated a lot of self-signed certificates in my day,
unless you did that on purpose it is very unlikely to occur.

In general I suspect that self-signed certificate is a joke in bad taste. What
I'd be far more concerned about is their poor use of the SSL system, in the
sense that they could and should have created their own CA and attached the
CA's signing certificate to the e-mail, so the web-site (to known users) would
have appeared correctly signed and would have made it slightly harder for law
enforcement to intercept.

As is, law enforcement can just catch and release traffic (MITM), re-sign it
with their own self-signed certificate and nobody would be the wiser...

Plus, if you really want to be amused then I suggest you check out the FBI's
real SSL certificate on their web-site:

<https://www.fbi.gov/>

~~~
gizmo686
Their certificate looks fine to me. What is amusing is that even though they
strip out critical display elements from the website (probably css), they
still manage to display insecure content.

~~~
UnoriginalGuy
- Subject is invalid (and wrong)

- Overly broad (*.fbi.com) could have used "Subject Alternative Name" to list
sub-domains instead.

- 3 year duration (for the FBI?). I mean for small online shops, that is
fine, but many companies are now rolling their certificates yearly or bi-
yearly (e.g. Amazon, Bank Of America, HSBC, etc).

On the positive side they are using a 2048 bit key length. I dunno. I guess it
depends to what standard you hold the FBI up to. If you think their site
should be as secure as a banking site or large online retailer then they fail
at that...
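
Added example, not part of the thread: the certificate properties raised in the comment above (subject equal to issuer, wildcard names versus Subject Alternative Name entries, validity period), checked in Python over dicts shaped like the output of `ssl.SSLSocket.getpeercert()`. The two sample certificates, their names and the 730-day threshold are constructed assumptions; key length is not exposed in this dict, so it is not checked.

```python
import ssl

def _field(name, key):
    """Collect one attribute's values from a getpeercert()-style name tuple."""
    return [v for rdn in name for k, v in rdn if k == key]

def audit_cert(cert, max_days=730):
    """Return findings for a dict shaped like SSLSocket.getpeercert() output."""
    findings = []
    # Heuristic only: a true self-signature check needs the public key.
    if cert["subject"] == cert["issuer"]:
        findings.append("self-issued: subject equals issuer")
    sans = [v for t, v in cert.get("subjectAltName", ()) if t == "DNS"]
    if not sans:
        findings.append("no subjectAltName: relies on commonName")
    names = sans or _field(cert["subject"], "commonName")
    wild = [n for n in names if n.startswith("*.")]
    if wild:
        findings.append("wildcard name: " + ", ".join(wild))
    lifetime = (ssl.cert_time_to_seconds(cert["notAfter"])
                - ssl.cert_time_to_seconds(cert["notBefore"])) / 86400
    if lifetime > max_days:
        findings.append(f"validity {lifetime:.0f} days exceeds {max_days}")
    return findings

# Constructed sample data (not real certificates).
_ORG = (("organizationName", "Example Org"),)
WEAK_CERT = {
    "subject": (_ORG, (("commonName", "*.example.test"),)),
    "issuer": (_ORG, (("commonName", "*.example.test"),)),
    "notBefore": "Jan  1 00:00:00 2013 GMT",
    "notAfter": "Jan  1 00:00:00 2016 GMT",
}
OK_CERT = {
    "subject": (_ORG, (("commonName", "www.example.test"),)),
    "issuer": ((("commonName", "Example Test CA"),),),
    "notBefore": "Jan  1 00:00:00 2013 GMT",
    "notAfter": "Jan  1 00:00:00 2014 GMT",
    "subjectAltName": (("DNS", "www.example.test"), ("DNS", "mail.example.test")),
}

if __name__ == "__main__":
    for label, cert in (("weak", WEAK_CERT), ("ok", OK_CERT)):
        print(label, audit_cert(cert) or "no findings")
```

`getpeercert()` returns a populated dict only when the chain was validated, so a self-signed certificate fetched without verification has to be parsed from its DER bytes by other means before checks like these can run.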

------
unimpressive
Wow.

Maybe they're not going after "skill", they're going after people dumb enough
to register.[0] They can pick up script kids that look good for the cameras
and will undoubtedly brag about all their "hacking" exploits making them
easier to convict.

[0]: 419 scammers use the same tactic to weed out people who likely won't fall
for a 419 scam.

~~~
amrali
I think they have a bigger fish to fry given all the higher profile attacks
that have been showering the place for quite some time. Maybe you're right and
they are just after many low-profile kids instead of that one big fish to make
some noise and show that they have been doing something.

