[liberationtech] MiTM attack on XMPP/Jabber traffic at Hetzner and Linode (DE) suggests datacenter complicity

Undescribed Horrific Abuse, One Victim & Survivor of Many gmkarl at gmail.com
Sun Oct 22 12:04:57 PDT 2023


> After checking the https://crt.sh/ certificate transparency database, rogue certificates were discovered which had not been issued by any of the jabber.ru servers.

> The maliciously-issued certificates are slightly different from the regular ones for these
> domains: either the wildcard Subject Alternative Name is missing or a single certificate is
> issued for both jabber.ru and xmpp.ru. Moreover, the MiTM configuration on the xmpp.ru domain
> (which points to Linode servers) was slightly misconfigured: it serves only the xmpp.ru
> certificate, yet the original server is configured to serve either the jabber.ru or the xmpp.ru
> certificate depending on the requested XMPP domain.
>
> List of rogue certificates:

> Serial	Used in MiTM
> 03:f3:68:ee:36:30:80:6a:07:81:17:81:04:0c:e3:d9:10:b1	+
> 04:9c:2d:af:cc:61:88:d6:67:9f:8b:97:99:ce:ad:c9:b7:e0	+
> 03:43:75:1f:3d:80:20:7d:11:f5:61:98:5b:87:a7:37:81:c6	?
> 04:4c:1c:8a:f4:37:a0:5a:dd:83:9c:54:74:89:bd:b9:97:90	+
> 04:d1:d2:5d:09:95:48:9b:d6:14:cc:81:91:df:ac:7f:ec:c6	?
> 04:b7:85:83:9a:fd:df:81:26:48:5b:34:28:08:53:d9:e6:79	+

> The 18 July 2023 issuing time is about the same time at which the Hetzner server lost its
> network link for several seconds.
>
> We have confirmation from an external network scanner that the Linode servers have been
> serving the 04:b7:85… certificate on port 5222 since at least 21 July 2023. Unfortunately, this
> scanner doesn't process Hetzner ranges.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 9997694704.crt
Type: application/pkix-cert
Size: 1744 bytes
Desc: not available
URL: <https://lists.cpunks.org/pipermail/cypherpunks/attachments/20231022/18883f98/attachment.cer>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 10772470477.crt
Type: application/pkix-cert
Size: 1749 bytes
Desc: not available
URL: <https://lists.cpunks.org/pipermail/cypherpunks/attachments/20231022/18883f98/attachment-0001.cer>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 9181082748.crt
Type: application/pkix-cert
Size: 1830 bytes
Desc: not available
URL: <https://lists.cpunks.org/pipermail/cypherpunks/attachments/20231022/18883f98/attachment-0002.cer>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 9997621208.crt
Type: application/pkix-cert
Size: 1749 bytes
Desc: not available
URL: <https://lists.cpunks.org/pipermail/cypherpunks/attachments/20231022/18883f98/attachment-0003.cer>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 9243798287.crt
Type: application/pkix-cert
Size: 1838 bytes
Desc: not available
URL: <https://lists.cpunks.org/pipermail/cypherpunks/attachments/20231022/18883f98/attachment-0004.cer>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 9243917614.crt
Type: application/pkix-cert
Size: 1838 bytes
Desc: not available
URL: <https://lists.cpunks.org/pipermail/cypherpunks/attachments/20231022/18883f98/attachment-0005.cer>
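The checks the quoted write-up describes (a certificate serial that the operator never requested and that only a crt.sh lookup reveals, a rogue certificate missing the wildcard SAN, the certificate actually served on port 5222 depending on the requested XMPP domain) can be reproduced from a client. The following is an added example, not code from the original post or from the jabber.ru write-up: a stdlib-only Python script that performs the XMPP STARTTLS exchange, takes the raw leaf certificate the server presents, and audits its serial and SAN dNSNames. The four serials embedded in it are the ones the table above marks "+"; the host names, the set of operator-issued serials, and the unsigned sample certificate built by sample_cert are assumptions constructed for the demonstration.

```python
# Added example (not code from the jabber.ru write-up): fetch the leaf certificate an XMPP server
# presents after STARTTLS and audit it. Stdlib only; ssl hides an unverified peer's fields, hence DER.
import socket
import ssl

# Serials the write-up's table marks "+" (observed in the MiTM), in crt.sh's colon-hex form.
ROGUE_SERIALS = {
    "03:f3:68:ee:36:30:80:6a:07:81:17:81:04:0c:e3:d9:10:b1",
    "04:9c:2d:af:cc:61:88:d6:67:9f:8b:97:99:ce:ad:c9:b7:e0",
    "04:4c:1c:8a:f4:37:a0:5a:dd:83:9c:54:74:89:bd:b9:97:90",
    "04:b7:85:83:9a:fd:df:81:26:48:5b:34:28:08:53:d9:e6:79",
}
SAN_OID = bytes.fromhex("0603551d11")  # OBJECT IDENTIFIER 2.5.29.17, subjectAltName

def der_read(buf, pos):
    """Decode one DER TLV at pos -> (tag, value_start, value_end); definite lengths only."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                     # long form: 0x8n then n length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def cert_serial(der):
    """Serial as colon-separated hex, leading 0x00 sign byte dropped (like `openssl x509 -serial`)."""
    _, p, _ = der_read(der, der_read(der, 0)[1])           # Certificate -> tbsCertificate
    tag, vs, ve = der_read(der, p)
    if tag == 0xA0:                                        # optional [0] EXPLICIT version
        tag, vs, ve = der_read(der, ve)
    if tag != 0x02:
        raise ValueError("serialNumber INTEGER not found")
    return ":".join(f"{b:02x}" for b in (der[vs:ve].lstrip(b"\x00") or b"\x00"))

def cert_san_dns(der):
    """All dNSName entries of subjectAltName, in certificate order ([] if the extension is absent)."""
    _, p, tbs_end = der_read(der, der_read(der, 0)[1])
    names = []
    while p < tbs_end:                                     # walk the tbsCertificate fields
        tag, vs, ve = der_read(der, p)
        if tag == 0xA3:                                    # [3] EXPLICIT Extensions
            _, q, exts_end = der_read(der, vs)
            while q < exts_end:
                _, es, ee = der_read(der, q)               # Extension ::= SEQ {extnID, [critical], extnValue}
                if der[es:es + len(SAN_OID)] == SAN_OID:
                    t, os_, oe = der_read(der, der_read(der, es)[2])
                    while t != 0x04:                       # skip the optional critical BOOLEAN
                        t, os_, oe = der_read(der, oe)
                    _, g, g_end = der_read(der, os_)       # GeneralNames SEQUENCE inside the OCTET STRING
                    while g < g_end:
                        t, ns, ne = der_read(der, g)
                        if t == 0x82:                      # dNSName [2] IA5String
                            names.append(der[ns:ne].decode("ascii"))
                        g = ne
                q = ee
        p = ve
    return names

def audit(der_bytes, expected_names, issued_serials=frozenset()):
    """Findings for one observed cert: rogue serial, serial unknown to the operator, missing SAN names."""
    serial, names = cert_serial(der_bytes), cert_san_dns(der_bytes)
    findings = []
    if serial in ROGUE_SERIALS:
        findings.append("serial is on the rogue list: " + serial)
    if issued_serials and serial not in issued_serials:
        findings.append("serial not among the operator's own issuances (compare with crt.sh): " + serial)
    missing = sorted(set(expected_names) - set(names))
    if missing:
        findings.append(f"SAN lacks {missing}; served names: {names}")
    return findings

def starttls_probe(host, xmpp_domain, port=5222, timeout=10):
    """Raw DER leaf cert a server presents after XMPP STARTTLS (RFC 6120 section 5); no validation."""
    def read_until(marker):
        buf = b""
        while marker not in buf:
            chunk = sock.recv(4096)
            if not chunk:
                raise ConnectionError(f"stream closed before {marker!r}")
            buf += chunk
        return buf
    sock = socket.create_connection((host, port), timeout=timeout)
    sock.sendall(f"<?xml version='1.0'?><stream:stream to='{xmpp_domain}' version='1.0' "
                 "xmlns='jabber:client' xmlns:stream='http://etherx.jabber.org/streams'>".encode())
    read_until(b"</stream:features>")
    sock.sendall(b"<starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'/>")
    read_until(b"<proceed")
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname, ctx.verify_mode = False, ssl.CERT_NONE   # record whatever is served
    tls = ctx.wrap_socket(sock, server_hostname=xmpp_domain)      # SNI picks the served cert
    der_bytes = tls.getpeercert(binary_form=True)
    tls.close()
    return der_bytes

def der(tag, *parts):
    """Tiny DER encoder (short-form lengths only, enough for the constructed sample below)."""
    body = b"".join(parts)
    return bytes([tag, len(body)]) + body

def sample_cert(serial_hex, dns_names):
    """Constructed, unsigned stand-in with the real X.509 layout; issuer/subject/key are empty placeholders."""
    san = der(0x30, SAN_OID, der(0x04, der(0x30, *(der(0x82, n.encode()) for n in dns_names))))
    empty = der(0x30)
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")), der(0x02, bytes.fromhex(serial_hex.replace(":", ""))),
              empty, empty, empty, empty, empty, der(0xA3, der(0x30, san)))
    return der(0x30, tbs, empty, der(0x03, b"\x00"))
```

Against a live server, `audit(starttls_probe("jabber.ru", "jabber.ru"), {"jabber.ru", "*.jabber.ru"}, issued)` with `issued` filled from the operator's own ACME records reproduces the three signals from the write-up; the `to=` attribute and SNI must name the XMPP domain being tested, since the genuine server selects its certificate by requested domain while the misconfigured interceptor served only the xmpp.ru one. The equivalent OpenSSL one-liner is `openssl s_client -connect jabber.ru:5222 -starttls xmpp -xmpphost jabber.ru </dev/null | openssl x509 -noout -serial -ext subjectAltName`.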

