No, I am not attacking your e-mail

Lately I've had several people contact me to complain about bogus certificates with their email servers. Why are they contacting me? Well, the certificates are labelled RTFM, Inc.:
Version: 3 (0x2)
Serial Number: 0 (0x0)
Signature Algorithm: md5WithRSAEncryption
Issuer: C=US, O=RTFM, Inc., OU=Widgets Division, CN=Test CA20010517
Validity
    Not Before: May 17 16:01:14 2001 GMT
    Not After : Dec 25 16:01:14 2006 GMT
Subject: C=US, O=RTFM, Inc., OU=Widgets Division, CN=Test
...

This is happening for customers of Comcast, Charter, and Cox (at least).

So, these actually are my certificates, distributed with an article I wrote a few years back about how to program to OpenSSL, but I'm certainly not intercepting people's email. Obviously, this could be an attack, but you'd think an attacker competent enough to capture connections to an ISP's mail servers would manage to get a certificate that (1) isn't expired and (2) doesn't have localhost in the name.

That said, it's hard to see how this could be a simple misconfiguration problem. My guess is that some server is shipping with these certificates as a default and the ISPs are neglecting to change them after they install the software. Pretty amazing it's this widespread, though.
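For anyone who wants to check what their mail server is handing out, here is an added example (not from the original post, and not the code from the OpenSSL article it mentions) that parses the `openssl x509 -text -noout` form quoted above and reports the indicators the post points to: expired validity, a "Test" CA as issuer, an MD5 signature, a zero serial, and a subject name that does not match the host you connected to. The sample text is constructed from the post's excerpt, and `expected_host` is whatever name you assume you dialled.

```python
import re
from datetime import datetime, timezone

# Constructed sample: the fields quoted in the post (the excerpt stops at Subject).
SAMPLE_CERT_TEXT = """\
Version: 3 (0x2)
Serial Number: 0 (0x0)
Signature Algorithm: md5WithRSAEncryption
Issuer: C=US, O=RTFM, Inc., OU=Widgets Division, CN=Test CA20010517
Validity
    Not Before: May 17 16:01:14 2001 GMT
    Not After : Dec 25 16:01:14 2006 GMT
Subject: C=US, O=RTFM, Inc., OU=Widgets Division, CN=Test
"""
WEAK_SIG_ALGS = {"md2WithRSAEncryption", "md5WithRSAEncryption"}

def parse_openssl_text(text):
    """Collect 'Key: value' lines from `openssl x509 -text -noout` output."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields

def parse_openssl_time(s):
    """OpenSSL prints validity as e.g. 'May 17 16:01:14 2001 GMT' (always GMT)."""
    return datetime.strptime(s, "%b %d %H:%M:%S %Y %Z").replace(tzinfo=timezone.utc)

def common_name(dn):
    m = re.search(r"CN=([^,]+)", dn)
    return m.group(1).strip() if m else ""

def audit_cert(text, expected_host, now=None):
    """Return the red flags for a certificate dump; an empty list means none fired."""
    now = now or datetime.now(timezone.utc)
    f = parse_openssl_text(text)
    flags = []
    if parse_openssl_time(f["Not After"]) < now:
        flags.append("expired")
    if f.get("Signature Algorithm") in WEAK_SIG_ALGS:
        flags.append("weak signature algorithm")
    if "test" in common_name(f.get("Issuer", "")).lower():
        flags.append("issued by a test CA")
    if f.get("Serial Number", "").startswith("0 "):
        flags.append("serial number 0")
    # expected_host is whatever name you connected to (an assumed value here).
    if common_name(f.get("Subject", "")).lower() != expected_host.lower():
        flags.append("subject CN does not match expected host")
    return flags
```

Feed it the output of `openssl s_client -starttls smtp -connect host:25 | openssl x509 -text -noout` and a non-empty list is your cue to ask the ISP why its default certificate is still in place.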

Acknowledgement: Thanks to Danny McPherson for helping me make contact with the ISPs. Anyone with more information please contact me at ekr@rtfm.com.
