Email or username:

Password:

Forgot your password?
Kevin Beaumont

Pretty incredible report here about what is likely lawful interception of TLS encrypted communications (used by basically every web service) targeted at an instant messaging service popular in Russia..

the TLS communications were being recertificated in the middle (similar to how enterprise firewalls do TLS decryption) for six months to snoop on communications.. it only got rumbled as somebody (drum roll) let the interception certificate expire by mistake.

notes.valdikss.org.ru/jabber.r

33 comments
Kevin Beaumont

I don’t think it is widely understood how lawful interception works.

Governments can request broad access, including installation or access to middleware to intercept things.

Additionally, some countries have warrantless access to essentially any communications, eg bbc.co.uk/news/business-277327

More providers should be more open about this as there’s a lack of tension point with governments, which harms society.

Pedro Fonseca

@GossiTheDog if you read this lighthousereports.com/investig and listen to @jackrhysider predator episode, you reach the same conclusion without Vodafone telling you.

Andrew Wippler

@GossiTheDog Interception is easy if I have control of the wire.

Acesabe

@GossiTheDog
Should we be surprised? Is the UK one of these countries, I think it's safe to presume all comms are up for grabs unless we ensure we are using trustworthy apps/services.

Kevin Riggle

@GossiTheDog I mean they can ask, the correct response is usually to tell them to go fuck themselves. Not that everyone does

Kevin Beaumont

@kevinriggle that’s not the case in many countries, you have no choice.

Nicholas Weaver

@GossiTheDog @kevinriggle
Even in the US. Ladar Levison of Lavabit was lucky that his FAFO over a PR/TT (not even a warrant for contents) for Snowden's account didn't result in him receiving jail time. Because he eventually got a good lawyer who convinced him to stop the FA because he was going to FO shortly.

Kee Hinckley

@GossiTheDog @chort It’s always DNS
…unless it’s an expired cert.

Gustav Wengel

@GossiTheDog Woof that's an embarassing way to disclose your wiretap

Chris Partridge

@GossiTheDog Going to add a little bit of conspiracy here - someone tried to post this link in r/cybersecurity. It was removed as spam by Reddit, and that post *cannot be approved* - it keeps resetting to 'removed' without further explanation.

Edit: After research, nevermind, Hanlon's razor strikes again. Apparently Reddit started forbidding all links with .ru TLD in 2022 - a hamfisted "trust and safety" policy with enormous false positives such as this. reddit.com/r/ModSupport/s/dSwH

@GossiTheDog Going to add a little bit of conspiracy here - someone tried to post this link in r/cybersecurity. It was removed as spam by Reddit, and that post *cannot be approved* - it keeps resetting to 'removed' without further explanation.

Edit: After research, nevermind, Hanlon's razor strikes again. Apparently Reddit started forbidding all links with .ru TLD in 2022 - a hamfisted "trust and safety" policy with enormous false positives such as this. reddit.com/r/ModSupport/s/dSwH

Chris Partridge

@GossiTheDog And this isn't a cache issue or anything, I've been trying to approve it all day. Mouse moves offscreen to hit refresh because apparently when I do a screen recording at 2am I forget what "F5" does.

Chris Partridge

@GossiTheDog For folks not familiar with Reddit's moderation tools (hopefully all of ye), here's how approving posts removed by Reddit's spam filter usually works. The filter's bad, but the approval is snappy and persists immediately. The valdikss.org.ru post is absolutely being handled differently, so I'm wondering why.

DELETED

@tweedge @GossiTheDog on r/hetzner it stays up because the URL is obfuscated: reddit.com/r/hetzner/comments/

OP is the author of the blogpost under a burner account, he seems to know very well that his domain is shadowbanned. seems to be like this for a while, according to post history of u/ValdikSS

DELETED

@tweedge @GossiTheDog see also that burner accounts post history. nothing that account has posted has been censored, and it seems they have been posting 2 days ago as well.

manual intervention seems unlikely because the r/hetzner post was literally on the frontpage of hackernews and the post there is now up for quite a few hours. it's possible that at some point the blog domain was shitlisted due to "trust & safety"

DELETED

@tweedge @GossiTheDog anyway, maybe all that is needed to have your post stay up is a link shortener?

Chris Partridge

@untitaker @GossiTheDog Thank you for for info! I hadn't looked at HN - interesting to see that some references to this are staying up if not linking directly.

I made a post on r/cybersecurity showing what's been going on and used web.archive.org links. Reddit's spam filter also initially removed my post but I think (?) it's staying up now. Hard to tell when your own post could be shadowbanned by design. :P

Chris Partridge

@bontchev @GossiTheDog Yep, you are correct. Amending my post. A hamfisted, shortsighted, and poorly communicated policy by Reddit - as always. reddit.com/r/ModSupport/commen

Elizabeth

@GossiTheDog huh.

I don't have a lot of knowledge of XMPP, but, any theories on why would they MITM the STARTTLS port, but not the TLS one? it looks like they definitely could have done that too...

Ge0rG

@elizabeth
STARTTLS is the most widely used port by #xmpp clients, as it allows selecting the right server domain (this predates TLS SNI by quite a while, and then there is inertia). Many xmpp servers don't even offer Direct TLS, and IIRC no client will directly probe it, if there is no explicit SRV record for Direct TLS.
@GossiTheDog

Dietrich Feist

@GossiTheDog Well, this popular russian site was running on a server in Germany. So no surprise that someone has been keeping an eye on it.

Lien Rag

@GossiTheDog

Recertification in the middle gives no warning ?

netthier

@lienrag @GossiTheDog The attacker was apparently able to issue valid LE certs for the affected domain, so unless something like certificate pinning was used on the client they wouldn't notice anything wrong with the cert.

Robin Bradshaw

@GossiTheDog facebook has a tool that will bonitor Certificate Transparency logs and alert you when certs are issued for domains or homographs of domains you are monitoring are issued, im not sure if there are any other similar services developers.facebook.com/tools/

GrumpSec Spottycat

@GossiTheDog I assume they did the ACME bit from somewhere else or the MITM box and then just MITMed the rest of the ACME flow that should’ve gone to the actual VM?

Natanael ⚠️

@kyhwana @GossiTheDog that seems to have happened during the recorded downtime (because ACME checks connectivity from multiple undisclosed sources, you need to intercept every incoming connection during the check)

Go Up