Created
May 9, 2018 23:08
Verifying Banco Intermedium's private key leak
# Today the Twitter user @ayubio said he had received the private key for a Brazilian bank's HTTPS certificate:
# - https://twitter.com/ayubio/status/994260981294469120
# - https://twitter.com/ayubio/status/994262029929246722
# - https://twitter.com/ayubio/status/994277992351391744
# To prove he actually had the key, another user asked him to sign a message with that key, and so he did:
# - http://pastebin.xyz/p?q=bXllODA
# The commands below check that signature.
# Store the message in a file (tweet.txt) in the same way @ayubio did (no trailing newline):
echo -n "https://twitter.com/ayubio/status/994277992351391744" > tweet.txt
# Write the signature over the SHA256 digest to another file (tweet.txt.sha256):
echo "ERJ+2rZ7Zv7Z7OD4pObM75giAi8WnKRqAPqlNRdEJkzMfFLsNELuXYRLHv4C9WDgvslklj8roT/j
QObZ8sBXknI7uJpNIJ1p0prBpn5T94zMzVSqNsViozH9+adZChKpdcTcrE7kabzwz0J3Iv49MOBU
nQB6UXzxwG120FbJS7WspFKCaSXdFDUubUHo/RLgySJ+4ugt9aIK5dnJhLQBPm493sQXltS+5VuI
r625cB5gw3jmEqKMJjp85p8fntDST23SWo7pzhJDLJbdvBI86Rfvt+B5CxUs/wVMhO1ZVvMAYA4Q
O/GtOdZM9JlxXIGvLamntRH91CMQpmAFGivmZA==" | base64 -d > tweet.txt.sha256
# Extract Intermedium's public key from its certificate and store it in inter.pub
curl https://censys.io/certificates/c69d1129e8514b18c6df0850c2395f20b28c5e01398ab80d8170a0e302d34619/pem/raw 2> /dev/null | openssl x509 -pubkey -noout -out inter.pub
# Run the verification command
openssl dgst -sha256 -verify inter.pub -signature tweet.txt.sha256 tweet.txt
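
The same flow reproduced end to end with throwaway keys, as an added example that is not part of the original gist: it shows the signer's side that yields a base64 blob like the one above, and that verification fails when the message bytes differ (a trailing newline from plain `echo`) or when the public key belongs to a different key pair. The key pairs, file names and function names are constructed for the demo.

```shell
#!/bin/sh
# Added example: sign/verify round trip with THROWAWAY keys (constructed for the demo).
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Generate an RSA key pair; $1 = base name of the files under $WORK.
make_keypair() {
    openssl genrsa -out "$WORK/$1.key" 2048 2>/dev/null
    openssl rsa -in "$WORK/$1.key" -pubout -out "$WORK/$1.pub" 2>/dev/null
}

# Signer side: sign the exact bytes of the file, base64-encode for pasting.
# $1 = message file, $2 = private key file
sign_message() {
    openssl dgst -sha256 -sign "$2" "$1" | openssl base64
}

# Verifier side: decode the pasted signature and check it.
# $1 = message file, $2 = base64 signature, $3 = public key file
verify_message() {
    printf '%s\n' "$2" | openssl base64 -d > "$WORK/sig.bin"
    if openssl dgst -sha256 -verify "$3" -signature "$WORK/sig.bin" "$1" >/dev/null 2>&1
    then echo ok
    else echo fail
    fi
}

make_keypair demo    # stands in for the key pair behind the certificate
make_keypair other   # an unrelated key pair

MSG="https://twitter.com/ayubio/status/994277992351391744"
printf '%s' "$MSG"   > "$WORK/tweet.txt"      # same bytes as `echo -n`
printf '%s\n' "$MSG" > "$WORK/tweet_nl.txt"   # plain `echo` adds a newline

SIG=$(sign_message "$WORK/tweet.txt" "$WORK/demo.key")

echo "exact bytes, matching key: $(verify_message "$WORK/tweet.txt" "$SIG" "$WORK/demo.pub")"
echo "trailing newline added:    $(verify_message "$WORK/tweet_nl.txt" "$SIG" "$WORK/demo.pub")"
echo "exact bytes, other key:    $(verify_message "$WORK/tweet.txt" "$SIG" "$WORK/other.pub")"
```

A successful verification shows only that the signer controls the private key matching the public key used for the check, which is why the gist extracts that key from the bank's certificate rather than taking it from the signer.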
You don't even need to get to that point.
The claim is that the trademark is being used improperly, to the point that someone could confuse the page with the bank's website. That makes no sense at all, and frankly, if I were the judge hearing this case I would be VERY offended and would find the bank guilty of bad-faith litigation, which would clearly be the case.
As for the certificate, everything that was published refers to a PUBLIC key. The private key, as far as I know, was never published at any point.
Besides, the claim I had access to refers to a trademark that does not appear at ANY point here (it is a logo, and here we only have text). And they try to write vaguely so that it applies to "any" trademark, but that's not how it works...