On 01/25/2011 09:50 PM, Peter Gutmann wrote:
> This isn't one of those namby-pamby one-site phishing MITMs, this is a MITM of
> an entire country:
>
> For those who don't want to read the whole thing, the solution was "duuhh, we
> turned on thuh SSL" - they were using plain HTTP for logon. Sigh.

Of course, Microsoft helpfully provides the government of Tunisia with a
trusted root CA in their products. If you have access to a Windows box,
visit https://www.certification.tn/ . Then look for "Agence Nationale de
Certification Electronique" in your personal trusted root store.

For some reason, MS Windows doesn't list everyone it trusts until they
actually need trusting. Then root certs get installed on the fly.

Oh and it's a code signing cert. This is used for things like running
ActiveX controls without prompting. I.e., arbitrary code execution.

cryptography mailing list
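
Added example, not part of the original message: a PowerShell audit of the two points made in the reply above, namely which roots appear in the Windows stores only after a site is visited, and whether a given root can be used for code signing. The function names, the list of stores and the snapshot workflow are assumptions of this example; the subject string is the one quoted in the message.

```powershell
# Added example. Read-only: it enumerates certificate stores and changes nothing.
$CodeSigningOid = '1.3.6.1.5.5.7.3.3'   # id-kp-codeSigning
$NameFilter     = 'Agence Nationale de Certification Electronique'  # from the message

function Get-RootTrustReport {
    # Store list is an assumption: per-user roots, machine roots, third-party roots.
    param([string[]]$StorePath = @('Cert:\CurrentUser\Root',
                                   'Cert:\LocalMachine\Root',
                                   'Cert:\LocalMachine\AuthRoot'))
    foreach ($path in $StorePath) {
        foreach ($cert in Get-ChildItem -Path $path) {
            # EKU extension carried inside the certificate, if it has one.
            $eku = $cert.Extensions | Where-Object {
                $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
            }
            $oids = @()
            if ($eku) { $oids = @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value }) }
            [pscustomobject]@{
                Store       = $path
                Subject     = $cert.Subject
                Thumbprint  = $cert.Thumbprint
                NotAfter    = $cert.NotAfter
                # A certificate with no EKU extension does not restrict its own purposes.
                # Windows can also restrict purposes through store properties, which
                # this check does not read, so treat $true as "needs a closer look".
                CodeSigning = (-not $eku) -or ($oids -contains $CodeSigningOid)
            }
        }
    }
}

function Compare-RootSnapshot {
    # Returns the entries present in $After but not in $Before,
    # i.e. roots that were added between the two snapshots.
    param([object[]]$Before, [object[]]$After)
    Compare-Object -ReferenceObject $Before -DifferenceObject $After `
                   -Property Store, Thumbprint -PassThru |
        Where-Object { $_.SideIndicator -eq '=>' }
}

# Usage:
#   $before = Get-RootTrustReport
#   (visit the HTTPS site in a browser that uses the Windows certificate store)
#   $after  = Get-RootTrustReport
#   Compare-RootSnapshot -Before $before -After $after | Format-List
#   $after | Where-Object { $_.Subject -like "*$NameFilter*" } | Format-List
```

Running the snapshot comparison on a schedule and alerting on any new entry gives a record of roots that arrive without an administrator having installed them.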