Kevin Beaumont
Pretty incredible report here about what is likely lawful interception of TLS encrypted communications (used by basically every web service) targeted at an instant messaging service popular in Russia.. the TLS communications were being recertificated in the middle (similar to how enterprise firewalls do TLS decryption) for six months to snoop on communications.. it only got rumbled as somebody (drum roll) let the interception certificate expire by mistake. 33 comments
Pedro Fonseca
@GossiTheDog if you read this https://www.lighthousereports.com/investigation/flight-of-the-predator/ and listen to @jackrhysider predator episode, you reach the same conclusion without Vodafone telling you. 
Acesabe
@GossiTheDog
Kevin Riggle
@GossiTheDog I mean they can ask, the correct response is usually to tell them to go fuck themselves. Not that everyone does
Nicholas Weaver
@GossiTheDog @kevinriggle  
Chris Partridge
@GossiTheDog And this isn't a cache issue or anything, I've been trying to approve it all day. Mouse moves offscreen to hit refresh because apparently when I do a screen recording at 2am I forget what "F5" does.
Chris Partridge
@GossiTheDog For folks not familiar with Reddit's moderation tools (hopefully all of ye), here's how approving posts removed by Reddit's spam filter usually works. The filter's bad, but the approval is snappy and persists immediately. The valdikss.org.ru post is absolutely being handled differently, so I'm wondering why.
Markus Unterwaditzer
@tweedge @GossiTheDog on r/hetzner it stays up because the URL is obfuscated: https://www.reddit.com/r/hetzner/comments/17ccp3i/hetzner_does_run_a_mitm_proxy_in_front_of_my/ OP is the author of the blogpost under a burner account, he seems to know very well that his domain is shadowbanned. seems to be like this for a while, according to post history of u/ValdikSS
Markus Unterwaditzer
@tweedge @GossiTheDog see also that burner accounts post history. nothing that account has posted has been censored, and it seems they have been posting 2 days ago as well. manual intervention seems unlikely because the r/hetzner post was literally on the frontpage of hackernews and the post there is now up for quite a few hours. it's possible that at some point the blog domain was shitlisted due to "trust & safety"
Markus Unterwaditzer
@tweedge @GossiTheDog anyway, maybe all that is needed to have your post stay up is a link shortener?
Chris Partridge
@untitaker @GossiTheDog Thank you for for info! I hadn't looked at HN - interesting to see that some references to this are staying up if not linking directly. I made a post on r/cybersecurity showing what's been going on and used web.archive.org links. Reddit's spam filter also initially removed my post but I think (?) it's staying up now. Hard to tell when your own post could be shadowbanned by design. :P 
Chris Partridge
@bontchev @GossiTheDog Yep, you are correct. Amending my post. A hamfisted, shortsighted, and poorly communicated policy by Reddit - as always. https://www.reddit.com/r/ModSupport/comments/t66l5f/reddit_blocked_all_domains_under_russian_cctld_ru/
Elizabeth
@GossiTheDog huh. I don't have a lot of knowledge of XMPP, but, any theories on why would they MITM the STARTTLS port, but not the TLS one? it looks like they definitely could have done that too... 
Ge0rG
@elizabeth
Dietrich Feist
@GossiTheDog Well, this popular russian site was running on a server in Germany. So no surprise that someone has been keeping an eye on it.
netthier
@lienrag @GossiTheDog The attacker was apparently able to issue valid LE certs for the affected domain, so unless something like certificate pinning was used on the client they wouldn't notice anything wrong with the cert.
Robin Bradshaw
@GossiTheDog facebook has a tool that will bonitor Certificate Transparency logs and alert you when certs are issued for domains or homographs of domains you are monitoring are issued, im not sure if there are any other similar services https://developers.facebook.com/tools/ct/subscriptions
GrumpSec Spottycat
@GossiTheDog I assume they did the ACME bit from somewhere else or the MITM box and then just MITMed the rest of the ACME flow that should’ve gone to the actual VM? 
Natanael ⚠️
@kyhwana @GossiTheDog that seems to have happened during the recorded downtime (because ACME checks connectivity from multiple undisclosed sources, you need to intercept every incoming connection during the check) |
Gregory's Server
I don’t think it is widely understood how lawful interception works.
Governments can request broad access, including installation or access to middleware to intercept things.
Additionally, some countries have warrantless access to essentially any communications, eg https://www.bbc.co.uk/news/business-27732743
More providers should be more open about this as there’s a lack of tension point with governments, which harms society.