[liberationtech] MiTM attack on XMPP/Jabber traffic at Hetzner and Linode (DE) suggests datacenter complicity

Julian Oliver julian at julianoliver.com
Sat Oct 21 23:34:44 CEST 2023


Interesting and especially stealthy MiTM at Hetzner (DE) and Linode, targeting
Russia's largest XMPP/Jabber (civilian) chat service. The authors of the
article make a reasonably compelling case that "this is lawful interception
Hetzner and Linode were forced to setup."

It would seem a rogue Let's Encrypt chain was deployed at the last hop facing
the dedicated server hosting the XMPP infrastructure, for which the LE ACME
challenge would have passed without issue. This was used to hijack encrypted
STARTTLS connections. The 'real' LE chain was then effectively ignored, as all
traffic to/from the running server was decrypted through the transparent MiTM
proxy.

In the case of Linode, it seems the target's VPS was migrated into a hostile
VLAN with a monitor at the first hop.

Their methodology is sound; strong forensics.

    - https://notes.valdikss.org.ru/jabber.ru-mitm/

A good overview of mitigation strategies here, from DNSSEC to CAA:

    - https://www.devever.net/~hl/xmpp-incident

I feel it is worth noting that many civilian - and potentially dissident -
Russian voices would have been using this service to protect themselves from
Kremlin eavesdropping; a safe space. And yet here they are subject to a
supposed lawful intervention by what we can assume are non-RU state actor(s).
This event may undermine faith in secure community-run infrastructure, pushing
RU communities to less secure group chat alternatives, including those the
Kremlin has compromised.

An ethically troubled case.

-- 
Julian Oliver

Consulting: https://nikau.io
Projects: https://julianoliver.com
PGP: https://julianoliver.com/key.asc
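The message above mentions CAA as one of the mitigations covered in the second link. As an added example (not code from the post, from the linked write-ups, or from Let's Encrypt), the script below evaluates a domain's CAA policy the way an issuing CA is expected to: the RFC 8659 relevant-RRset lookup (climb from the requested name to its ancestors), the issue/issuewild precedence rules, the issuer-critical flag, and the RFC 8657 `accounturi` and `validationmethods` parameters that Let's Encrypt documents support for. The domain `xmpp.example`, the zone contents and the ACME account URIs are constructed placeholders. The scenario it walks through assumes that an attacker positioned on the server's network path can satisfy an http-01 or tls-alpn-01 challenge (it sees the validation connection) but not dns-01, whose proof is served by the authoritative DNS rather than from that path; under that assumption a bare `issue "letsencrypt.org"` record does nothing against a hop-level interceptor, while pinning the account URI and restricting the validation method makes the CA refuse.

```python
"""Added example: evaluate a DNS CAA policy the way an issuing CA does.

Follows the RFC 8659 relevant-RRset lookup (climb from the name to its
ancestors) and the RFC 8657 'accounturi' / 'validationmethods' parameters.
All zone data, domain names and ACME account URIs below are constructed
for illustration; none refer to a real deployment.
"""
from dataclasses import dataclass

CRITICAL = 0x80  # RFC 8659 "issuer critical" flag bit


@dataclass(frozen=True)
class CAARecord:
    flags: int
    tag: str
    value: str


def caa(flags, tag, value):
    return CAARecord(flags, tag.lower(), value)


def relevant_rrset(zone, fqdn):
    """First name, from fqdn upwards, that has any CAA records (RFC 8659 s.3).
    A wildcard name *.X is looked up starting at X. zone maps lowercase owner
    names to lists of CAARecord."""
    if fqdn.startswith("*."):
        fqdn = fqdn[2:]
    labels = fqdn.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        owner = ".".join(labels[i:])
        if zone.get(owner):
            return owner, list(zone[owner])
    return None, []


def parse_issue_value(value):
    """'ca.example; k=v; k2=v2' -> ('ca.example', {'k': 'v', 'k2': 'v2'}).
    An empty issuer-domain-name (value ';' or '') authorises nobody."""
    parts = [p.strip() for p in value.split(";")]
    issuer = parts[0].lower()
    params = {}
    for p in parts[1:]:
        if p and "=" in p:
            k, v = p.split("=", 1)
            params[k.strip().lower()] = v.strip()
    return issuer, params


def issuance_authorized(zone, fqdn, ca_domain, *, account_uri=None,
                        validation_method=None):
    """Return (allowed, reason) for ca_domain issuing a cert for fqdn."""
    wildcard = fqdn.startswith("*.")
    owner, records = relevant_rrset(zone, fqdn)
    if not records:
        return True, "no CAA records in the tree; no restriction"
    # An unknown property tag with the critical flag set means "refuse".
    for r in records:
        if r.flags & CRITICAL and r.tag not in ("issue", "issuewild", "iodef"):
            return False, f"critical unknown tag '{r.tag}' at {owner}"
    tag = "issue"
    if wildcard and any(r.tag == "issuewild" for r in records):
        tag = "issuewild"  # issuewild overrides issue for wildcard names
    candidates = [r for r in records if r.tag == tag]
    if not candidates:
        return True, f"no {tag} property at {owner}; no restriction"
    for r in candidates:
        issuer, params = parse_issue_value(r.value)
        if issuer != ca_domain.lower():
            continue
        if "accounturi" in params and params["accounturi"] != account_uri:
            continue  # right CA, wrong ACME account
        if "validationmethods" in params:
            allowed = {m.strip() for m in params["validationmethods"].split(",")}
            if validation_method not in allowed:
                continue  # right CA and account, disallowed challenge type
        return True, f"matched {tag} record at {owner}: {r.value!r}"
    return False, f"no {tag} record at {owner} authorises {ca_domain} here"


# Constructed zones for a hypothetical XMPP domain. PLAIN_ZONE only names the
# CA; PINNED_ZONE also pins the operator's ACME account and requires dns-01.
OPERATOR_ACCT = "https://acme.example/acme/acct/1001"  # placeholder URI
ATTACKER_ACCT = "https://acme.example/acme/acct/2002"  # placeholder URI
PLAIN_ZONE = {"xmpp.example": [caa(0, "issue", "letsencrypt.org")]}
PINNED_ZONE = {"xmpp.example": [caa(0, "issue",
    f"letsencrypt.org; accounturi={OPERATOR_ACCT}; validationmethods=dns-01")]}


def scenario(zone, account_uri, method, fqdn="xmpp.example"):
    """Would letsencrypt.org issue for fqdn to this account via this method?"""
    return issuance_authorized(zone, fqdn, "letsencrypt.org",
                               account_uri=account_uri,
                               validation_method=method)[0]


def demo():
    # Assumption: an attacker on the server's network path can pass http-01
    # (it sees the validation connection) but cannot pass dns-01.
    return {
        "plain: attacker account, http-01": scenario(PLAIN_ZONE, ATTACKER_ACCT, "http-01"),
        "pinned: attacker account, http-01": scenario(PINNED_ZONE, ATTACKER_ACCT, "http-01"),
        "pinned: operator account, http-01": scenario(PINNED_ZONE, OPERATOR_ACCT, "http-01"),
        "pinned: operator account, dns-01": scenario(PINNED_ZONE, OPERATOR_ACCT, "dns-01"),
        "pinned: attacker account, muc.xmpp.example": scenario(
            PINNED_ZONE, ATTACKER_ACCT, "http-01", fqdn="muc.xmpp.example"),
    }


if __name__ == "__main__":
    for case, allowed in demo().items():
        print(f"{'ISSUE' if allowed else 'REFUSE':6}  {case}")
```

Note the limits: CAA is checked by the CA at issuance time, so it constrains who can obtain a certificate from a compliant CA, not what a network interceptor can do with one already issued, and it only helps if the CA named actually honours the parameters. Monitoring Certificate Transparency for unexpected issuances for the domain remains the detection side of the same control.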