
Anonymous Coward

imperva.com fake certificate?

Can someone shed some light on this?

So, from here in Thailand to Shanghai using traceroute:

tracert english.sse.com.cn (222.73.229.73) (Shanghai stock exchange on China Telecom, located in Shanghai)

> 30 hops, from TripleT (Thai ISP) it heads to Singapore (e.g. 203.208.172.234 Singtel etc.)

Then to Zayo in the USA zayo.china-telecom.mpr1.lax12.us.zip.zayo.com [64.125.15.95]

Then to 61.152.25.125 (China Telecom in Shanghai) 24 hops 411ms!

Takes more than 30 hops and times out.

So now let's trace the route to 61.162.25.125... that midpoint server located in Shanghai

tracert 61.162.25.125

This time it routes from Thailand to Hong Kong via 203.100.48.185 HongKong

Arrives at 61.152.25.125 in 229ms, a lot faster, 15 hops vs 24 hops...

OK, so there's an intercept on queries to the Shanghai stock exchange, that reroutes data from Thailand to the USA via Singapore.

If I trace a route to a China Telecom local server I saw in the tracepath on one run, it takes a much shorter path, twice as fast via HongKong.

It strikes me that this is an https connection, and should be secure. So what would be gained by intercepting this unless the certificate is also intercepted?

So let's go look at the certificate... holy fook, it covers like a gazillion domains, was issued to imperva.com, issued by GlobalSign nv-sa in Belgium

Including iplocation ones, and a load of Israeli ones too.

https://www.iplocation.net/ip-lookup

Care to explain GlobalSign?
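Added example, not part of the original post: a browser accepts a certificate for a site only if that site's hostname is covered by one of the certificate's Subject Alternative Name entries, however many other names the certificate also carries, so the useful check on a cert seen in the path is whether it is actually valid for the name you asked for. The Python below (stdlib only) applies the same hostname-matching rules to a constructed SAN list that stands in for a multi-domain CDN certificate; the names in it are assumed for the example, not taken from the real imperva.com certificate.

```python
# Constructed sample standing in for a CDN-style certificate with many SAN
# entries. The names are made up for this example, not copied from any real cert.
SAMPLE_CERT = {
    "subject_cn": "imperva.com",
    "issuer": "GlobalSign nv-sa",
    "san": [
        "imperva.com",
        "*.iplocation.net",
        "www.example.org",
        "shop.example.net",
        "*.example.co",
    ],
}


def _normalize(name):
    # Case-insensitive comparison; a trailing dot (FQDN form) is ignored.
    return name.strip().lower().rstrip(".")


def hostname_matches_san(hostname, san_names):
    """True if hostname is covered by a dNSName entry, following the rules
    browsers apply: exact match, or a wildcard that is the entire leftmost
    label, matches exactly one label, and never stands in for a bare TLD."""
    host = _normalize(hostname)
    host_labels = host.split(".")
    for san in san_names:
        san = _normalize(san)
        if "*" not in san:
            if san == host:
                return True
            continue
        san_labels = san.split(".")
        # Wildcard must be the whole first label, with at least two fixed labels after it.
        if san_labels[0] != "*" or "*" in san[1:] or len(san_labels) < 3:
            continue
        if len(host_labels) == len(san_labels) and host_labels[1:] == san_labels[1:]:
            return True
    return False


def check_cert_for_host(cert, hostname):
    """Summarise who issued the cert and whether it is valid for hostname."""
    return {
        "subject_cn": cert["subject_cn"],
        "issuer": cert["issuer"],
        "san_count": len(cert["san"]),
        "covers_host": hostname_matches_san(hostname, cert["san"]),
    }
```

A certificate with hundreds of SAN entries that does not include the site you connected to would be rejected by the browser; one that does include it is valid for that site regardless of how many other names it lists.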
