Conversation

Notices

1.  (mint@ryona.agency)'s status on Saturday, 28-Oct-2023 16:23:04 JST 

   in reply to

   • d
   • billiam :4chan:
   • Berlusconi Anime Fever :sonnenrad:
   • Shari Vegas :windmill_of_friendship: :1488:
   • Aether
   • :niggy:
   @billiam @ShariVegas @Aether @MechaSilvio @deprecated_ii @niggy Some nigga tried to convince me it was a DNS hijack because the domain happens to be in .ru zone and stopped responding after I pointed his face to the article.
   • billiam :4chan: (billiam@shitposter.club)'s status on Saturday, 28-Oct-2023 16:23:05 JST billiam :4chan:

     • d
     • Berlusconi Anime Fever :sonnenrad:
     • Shari Vegas :windmill_of_friendship: :1488:
     • Aether
     • :niggy:

     Encrypted traffic interception on Hetzner and Linode targeting the largest Russian XMPP (Jabber) messaging service

     Summary and finale

     • The attacker managed to issue multiple SSL/TLS certificates via Let’s Encrypt for jabber.ru and xmpp.ru domains since 18 Apr 2023
     • The Man-in-the-Middle attack for jabber.ru/xmpp.ru client XMPP traffic decryption confirmed to be in place since at least 21 July 2023 for up to 19 Oct 2023, possibly (not confirmed) since 18 Apr 2023, affected 100% of the connections to XMPP STARTTLS port 5222 (not 5223)
     • The attacker failed to reissue TLS certificate and MiTM proxy started to serve expired certificate on port 5222 for jabber.ru domain (Hetzner)
     • The MiTM attack stopped shortly after we begun our investigation and network tests on 18 Oct 2023, along with tickets to Hetzner and Linode support team, however passive wiretapping (additional routing hop) is still in place at least on a single Linode server
     • Neither servers appear to be hacked
     • Both Hetzner and Linode network appear to be reconfigured specifically for this kind of attack for the XMPP service IP addresses

     from https://notes.valdikss.org.ru/jabber.ru-mitm/

     @niggy @deprecated_ii @MechaSilvio @ShariVegas @Aether