HIGH · refiner

Mangalore Refinery and Petrochemicals Ltd

Cert expires 2026-05-05 (8 days from scan); missing CSP and Referrer-Policy

mrpl.co.in · baseline scan 2026-04-27 · daily passive check 2026-06-13 · Phase 2 active scan 2026-04-28

Daily passive check · 2026-06-13

score 24

  • Availability · HTTP 503
  • TLS · 2026-10-25 · 134d
  • Headers · 6 missing · 0 permissive
  • Email auth · SPF strict · DMARC quarantine

Security score · 40 · Critical

Headline findings

  • 01 · TLS cert expires 2026-05-05 — 7 days remaining at this writing
  • 02 · Missing CSP and Referrer-Policy headers
  • 03 · Email auth strong (DMARC p=quarantine, SPF strict)
  • 04 · Site connectivity issues at scan time

Urgent · time-bound actions

  • Rotate TLS certificate before May 5 to avoid outage · due 2026-05-05 · -39d
  • Add CSP and Referrer-Policy headers · due 2026-05-31 · -13d

TLS security

pass

Issuer · GlobalSign nv-sa
Expires · 2026-10-25 (134d)

Email authentication

SPF · strict
DKIM · present
DMARC · quarantine

Hardening headers

0 present / 0 permissive / 6 missing

  • HSTS · missing
  • CSP · missing
  • X-Frame-Options · missing
  • X-Content-Type-Options · missing
  • Referrer-Policy · missing
  • Permissions-Policy · missing

Lookalike domains

  • mrpl.co.com · 169.60.151.233 (RIPE-allocated cloud, typosquat cluster)
  • mrpl.in · 109.71.252.143 (third-party)

Public topology · CT logs

0 total

No subdomains in CT logs — minimal external attack surface.

Certificate-transparency logs are immutable and public. Sensitive subdomains advertised here cannot be retracted; the mitigation is forward-only — new internal services route through a private CA that does not submit to public CT.

Phase 2 · Active scan complete

Authorised ethical-hacking assessment ran on 2026-04-28. Active fingerprinting, CVE matching, Mythos-class adversary simulation, and CISO patch list below.

Single-question version for MD

Can MRPL rotate the expiring certificate (7 days to expiry) and implement HPKP before the May 5–25 window opens for MITM credential harvesting at the refinery?

Active fingerprints · per host

  • mrpl.co.in · EOL × 1

    Apache (Server returned 503 at scan time — load balancer or maintenance)

    • CERT EXPIRY in 7 days — Tier 1 incident; missing CSP; site connectivity issues at scan time

Attack-path simulation

Mythos-class adversary analytical chain · paths ranked by exploitability × access value.

#1 · Path A: Cert-expiry MITM window (May 5–25)

Effort · days · Detect · low (bad)
Entry · After May 5, browsers reject the cert. Attacker acquires fake wildcard via Let's Encrypt; intercepts traffic until real cert pinned again.
Pivot · Refinery staff receive fake SAP ERP login page; admin credentials harvested.
Objective · MITM credential harvest at refinery scale.

#2 · Path B: SAP.MRPL subdomain hijack

Effort · days · Detect · medium
Entry · Exploit exposed credentials or plugin RCE on sap.mrpl.co.in.
Pivot · Lateral move to financial / production systems.
Objective · Operational security impact; production data exfil.

#2 · Path C: Weak cert renewal chain → MITM persists

Effort · days · Detect · low (bad)
Entry · If renewed with weaker CA or missing pinning.
Pivot · MITM via cross-signed deprecated CA; malware distribution masked as official updates.
Objective · Persistent supply-chain compromise.

#3 · Path D: ERP procurement compromise

Effort · days · Detect · medium
Entry · ERP exposure surfaces procurement / vendor payment data.
Pivot · Phishing supplier mailboxes with invoice forgery; refinery payment diverted to attacker accounts.
Objective · Financial fraud; supplier-network manipulation.

Mythos compression

Discovery-time compression: pre-AI adversary vs Mythos-class adversary, per attack path.

Path A · Cert-expiry MITM window (May 5–25) · factor ~10–20×
pre-AI · Cert-expiry MITM is opportunistic; success window narrow
Mythos · Pre-staged Let's Encrypt + automated DNS hijack reduces window from days to minutes

Path B · SAP.MRPL subdomain hijack · factor ~5–8×
pre-AI · Subdomain hijack + lateral move standard
Mythos · Subdomain takeover combined with SAP CVE chain compresses dwell from weeks to days

The compression factor is reasoned, not measured. Mythos-class capability changes the tempo of attack-path traversal; the topology of the chain is unchanged.

CISO patch list

Tier 1 · within 7 days

  • critical · EMERGENCY: Rotate TLS certificate before 2026-05-05

    Host · mrpl.co.in
    Fix · Order new cert IMMEDIATELY (target 2026-04-29 install). OV cert from established CA. CSR strength: SHA-256 RSA 2048+ minimum. Install on all SANs (mrpl.co.in, *.mrpl.co.in, *.sap.mrpl.co.in).
    Owner · MRPL TLS Admin
    Validation · `openssl s_client -connect mrpl.co.in:443 -servername mrpl.co.in </dev/null 2>/dev/null | openssl x509 -noout -enddate` shows notAfter > 2026-05-15

  • critical · Verify cert deploys to all subdomains (sap, www, etc.)

    Host · *.mrpl.co.in / *.sap.mrpl.co.in
    Fix · Deploy cert to load balancer + all reverse proxy endpoints.
    Owner · MRPL TLS Admin / Infrastructure
    Validation · `curl -sI https://sap.mrpl.co.in` returns 200 with valid cert

Tier 2 · within 30 days

  • high · Implement HPKP (HTTP Public Key Pinning) for backup cert key

    Host · mrpl.co.in
    Fix · Pin current cert + backup CA root. 30-day max-age. Phased rollout to avoid lockout.
    Owner · Infrastructure
    Validation · `curl -I https://mrpl.co.in` shows Public-Key-Pins header

  • high · Add CSP header (currently missing)

    Host · mrpl.co.in
    Fix · default-src 'self'; script-src 'self' 'nonce-{random}'; connect-src 'self' https://sap.mrpl.co.in; block-all-mixed-content.
    Owner · Frontend / Security
    Validation · `curl -i https://mrpl.co.in` shows Content-Security-Policy header

  • high · Upgrade DMARC p=quarantine → p=reject (after 30-day baseline)

    Host · mrpl.co.in (email)
    Fix · Monitor 30-day rua; promote to p=reject.
    Owner · Email Security
    Validation · `dig +short TXT _dmarc.mrpl.co.in` returns p=reject

  • high · Audit and disable unused subdomains; document SANs

    Host · *.mrpl.co.in
    Fix · nslookup *.mrpl.co.in. Decommission unused. Document each in SAN list.
    Owner · Infrastructure
    Validation · Only active subdomains resolve

Tier 3 · within 90 days

  • medium · Certificate pinning on client applications (mobile / API)

    Host · MRPL mobile apps / API clients
    Fix · Pin backup cert public key; phased SDK rollout.
    Owner · App Development
    Validation · Client SDK logs show pin validation on TLS handshake

Methodology is reproducible by any visitor with curl, dig, and openssl. Phase 1 (passive) findings are unconditional; Phase 2 (active) findings require per-entity ethical-hacking authorisation.

Sibling: Sanjaya — fuel pricing transparency on the same Ministry portfolio. Sanjaya narrates; Sanket warns.