
Comments (1)

wkrp commented on July 28, 2024

The most peculiar feature of the MITM certificates is

emailAddress = [email protected]

You can find a lot of news stories by doing a web search for this email address.

https://www.oschina.net/news/114402/git-mitm (archive)

According to feedback from several users, Jingdong, koajs and other websites had the same problem, with the same invalid certificate coming from the same QQ mailbox. Some people suspect that the apparent attacker is a beginner hacker and that the purpose of the attack was most likely just practice or testing, but the scope of impact this time is so wide that it does not look like practice.

The article linked in the post above has been updated.
https://www.williamlong.info/archives/6021.html (archive)

Opening this untrusted certificate shows that the issuer of the certificate is 346608453@qq.com. Looking up that QQ number shows the nickname "心即山灵" and the location Harbin, Heilongjiang. Checking the QQ groups this account has joined suggests that the person's real name may be "Zhang Yong", the place of residence may be "Harbin Chengdong Xinju D District", and the school may be "Jiansanjiang No. 1 Middle School, class of 92". Some information can be found online from the QQ number left in the attacker's self-signed certificate. The information shows that the attacker had previously been studying encryption technology. The attacker had also asked others on a technical discussion website to send related source code. Judging from the known information, the attacker may have tried to launch the attack after studying.

Update: At 13:17 on March 27, QQ number 346608453 posted a message in its QQ space, "心即灵山的QQ空间", saying that "the QQ number was stolen and has now been restored." However, this statement looks like something of an unprompted confession, because an attacker who wants to generate a CA certificate can fill in any email address at all and has no need to steal a QQ number.

from bbs.
