---------- Forwarded message ----------
Date: Sun, 22 Oct 2023 10:34:44 +1300
Subject: [liberationtech] MiTM attack on XMPP/Jabber traffic at Hetzner and Linode (DE) suggests datacenter complicity

Interesting and especially stealthy MiTM at Hetzner (DE) and Linode, targeting Russia's largest XMPP/Jabber (civilian) chat service. The authors of the article make a reasonably compelling case that "this is lawful interception Hetzner and Linode were forced to setup."

It would seem a rogue Letsencrypt chain was deployed at the last hop facing the dedicated server hosting the XMPP infrastructure, for which the LE ACME challenge would have passed without issue. This was used to hijack encrypted STARTTLS connections. The 'real' LE chain was then effectively ignored, as all traffic to/from the running server was decrypted through the transparent MiTM proxy. In the case of Linode, it seems the target's VPS was migrated into a hostile VLAN with a monitor at the first hop.

Their methodology is sound, strong forensics.

- https://notes.valdikss.org.ru/jabber.ru-mitm/

A good overview of mitigation strategies here, from DNSSEC to CAA:

- https://www.devever.net/~hl/xmpp-incident

I feel it is worth noting that many civilian - and potentially dissident - Russian voices would have been using this service to protect themselves from Kremlin eavesdropping; a safe space. & yet here they are subject to a supposed lawful intervention by what we can assume are non-RU state actor(s). This event may undermine faith in secure community-run infrastructure, pushing RU communities to less secure group chat alternatives, including those the Kremlin has compromised. An ethically troubled case.

--
Julian Oliver
Consulting: https://nikau.io
Projects: https://julianoliver.com
PGP: https://julianoliver.com/key.asc
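The mitigation write-up linked in the message covers CAA. As an added example (not code from the message or from either linked article), the Python below evaluates CAA `issue` records the way a CA must: the RFC 8659 lookup that climbs to the closest ancestor with a CAA set, plus the RFC 8657 `accounturi` and `validationmethods` parameters that let a zone owner bind Let's Encrypt issuance to their own ACME account and to a chosen challenge type. The zone data, hostnames and the ACME account id are constructed for the example.

```python
# Constructed CAA zone for the example: name -> list of (tag, value).
# The accounturi / validationmethods parameters are defined in RFC 8657.
ZONE = {
    "example.org": [
        ("issue", "letsencrypt.org; accounturi=https://acme-v02.api.letsencrypt.org/acme/acct/1234; validationmethods=dns-01"),
        ("iodef", "mailto:security@example.org"),
    ],
}

def relevant_records(name, zone=ZONE):
    """RFC 8659 s3: use the CAA set of the name or of its closest ancestor."""
    labels = name.rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in zone:
            return zone[candidate]
    return []

def parse_issue_value(value):
    """Split 'issuer; key=value; key=value' into (issuer, {key: value})."""
    issuer, *rest = [p.strip() for p in value.split(";")]
    params = dict(p.split("=", 1) for p in rest if "=" in p)
    return issuer, {k.strip(): v.strip() for k, v in params.items()}

def issuance_permitted(name, issuer, account_uri, method, zone=ZONE):
    """Decide whether `issuer` may issue for `name` from this ACME account
    with this validation method. Returns (permitted: bool, reason: str)."""
    records = [v for tag, v in relevant_records(name, zone) if tag == "issue"]
    if not records:
        return True, "no CAA issue records: any CA may issue"
    for value in records:
        ca, params = parse_issue_value(value)
        if ca != issuer:
            continue  # record names a different CA
        acct = params.get("accounturi")
        if acct and acct != account_uri:
            continue  # right CA, but a foreign ACME account
        methods = params.get("validationmethods")
        if methods and method not in [m.strip() for m in methods.split(",")]:
            continue  # right CA, but a challenge type the owner disallowed
        return True, f"authorised by issue record for {ca}"
    return False, f"CAA forbids {issuer} for this account/method"
```

Restricting `validationmethods` to `dns-01` matters here because a network-path position next to the server can answer an HTTP challenge but has no control over the zone's DNS.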