Strange certificates at probe 17009
Probe #17009, located in Bangkok, when asked to perform a "sslcert" measurement, always retrieves a certificate whose expiration date is 2024-10-31, whatever the target is. There is probably a man-in-the-middle before the probe...
The Fortinet name in the certificate suggests a firewall or proxy that is intercepting traffic from the probe.
-----Original Message-----
From: ripe-atlas [mailto:ripe-atlas-bounces@ripe.net] On Behalf Of Stephane Bortzmeyer
Sent: Saturday, August 1, 2015 10:36 AM
To: ripe-atlas@ripe.net
Subject: [atlas] Strange certificates at probe 17009
> Probe #17009, located in Bangkok, when asked to perform a "sslcert" measurement, always retrieves a certificate whose expiration date is 2024-10-31, whatever the target is. There is probably a man-in-the-middle before the probe...
This ISP (True Internet - AS7470 and AS17552) has already been intercepting HTTP traffic using a transparent proxy for quite some time. There were rumours recently that Thai ISPs would start intercepting HTTPS and making users install their TLS certificate. But I have not seen any evidence of it personally, nor have I heard of anyone who got their certificate hijacked while browsing.... So it's likely a proxy in the probe host's local network.
On Saturday, 1 August 2015, 17:36:14, Sajal Kayan wrote:
> .... So it's likely a proxy in the probe host's local network.
Yep, as a Fortigate 100D is too small to be used in carrier networks and I think a carrier-based solution wouldn't use the self-generated certificate of the device...
participants (4)
- Andrew Bosch
- Karsten Thomann
- Sajal Kayan
- Stephane Bortzmeyer
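The check discussed in this thread (one probe seeing the same issuer and expiry date whatever the target is) can be automated over measurement results. The following is an added example, not code from the thread or from RIPE Atlas: it uses simplified tuples rather than the raw result format, and every probe ID other than 17009, every target name and every issuer string is a constructed placeholder.

```python
from collections import Counter, defaultdict

# Constructed sample rows: (probe id, target, leaf issuer, notAfter date).
ROWS = [
    (17009, "a.example", "CN=Fortinet device (constructed)", "2024-10-31"),
    (17009, "b.example", "CN=Fortinet device (constructed)", "2024-10-31"),
    (17009, "c.example", "CN=Fortinet device (constructed)", "2024-10-31"),
    (1001, "a.example", "CN=Public CA A", "2016-03-01"),
    (1001, "b.example", "CN=Public CA B", "2015-12-15"),
    (1001, "c.example", "CN=Public CA A", "2016-06-30"),
    (1002, "a.example", "CN=Public CA A", "2016-03-01"),
    (1002, "b.example", "CN=Public CA B", "2015-12-15"),
    (1002, "c.example", "CN=Public CA A", "2016-06-30"),
]


def consensus_issuers(rows):
    """Issuer seen by the largest number of probes, per target."""
    seen = defaultdict(Counter)
    for _probe, target, issuer, _not_after in rows:
        seen[target][issuer] += 1
    return {t: c.most_common(1)[0][0] for t, c in seen.items()}


def suspect_probes(rows, min_targets=3):
    """Map probe -> (issuer, not_after, targets) when a probe sees one
    issuer/expiry pair on at least min_targets distinct targets and the
    majority of probes see a different issuer for those targets."""
    consensus = consensus_issuers(rows)
    per_probe = defaultdict(lambda: defaultdict(set))
    for probe, target, issuer, not_after in rows:
        per_probe[probe][(issuer, not_after)].add(target)

    flagged = {}
    for probe, groups in per_probe.items():
        for (issuer, not_after), targets in groups.items():
            # Two sites sharing one public CA is normal, so only count
            # targets where this probe disagrees with the other probes.
            odd = sorted(t for t in targets if consensus[t] != issuer)
            if len(odd) >= min_targets:
                flagged[probe] = (issuer, not_after, odd)
    return flagged


if __name__ == "__main__":
    for probe, (issuer, not_after, targets) in suspect_probes(ROWS).items():
        print(f"probe {probe}: {issuer} (expires {not_after}) on {targets}")
```

A flagged probe only shows that something on its path terminates TLS; it does not say whether that device sits in the host's local network or at the ISP.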