Most active commenters
  • KirillPanov(4)
  • MattJ100(4)
  • LeoPanthera(3)

←back to thread

Mitigating the Hetzner/Linode XMPP.ru MitM interception incident

(www.devever.net)
341 points hlandau | 44 comments | 20 Oct 23 20:31 UTC | HN request time: 0.444s | source | bottom
1. LeoPanthera ◴[20 Oct 23 22:54 UTC] No.37962383[source]
The summary of the attack from https://notes.valdikss.org.ru/jabber.ru-mitm/ is very interesting:

* The attacker managed to issue multiple SSL/TLS certificates via Let’s Encrypt for jabber.ru and xmpp.ru domains since 18 Apr 2023

* The Man-in-the-Middle attack for jabber.ru/xmpp.ru client XMPP traffic decryption confirmed to be in place since at least 21 July 2023 for up to 19 Oct 2023, possibly (not confirmed) since 18 Apr 2023, affected 100% of the connections to XMPP STARTTLS port 5222 (not 5223)

* The attacker failed to reissue TLS certificate and MiTM proxy started to serve expired certificate on port 5222 for jabber.ru domain (Hetzner)

* The MiTM attack stopped shortly after we begun our investigation and network tests on 18 Oct 2023, along with tickets to Hetzner and Linode support team, however passive wiretapping (additional routing hop) is still in place at least on a single Linode server

* Neither servers appear to be hacked

* Both Hetzner and Linode network appear to be reconfigured specifically for this kind of attack for the XMPP service IP addresses

---

Neither that page, nor the page linked from here, mention certificate pinning, maybe because XMPP doesn't support it (I don't know), but if it did, wouldn't that have prevented this kind of attack?

replies(7): >>37962604 #>>37963159 #>>37963258 #>>37963349 #>>37963431 #>>37964615 #>>37964717 #
2. Nextgrid ◴[20 Oct 23 23:24 UTC] No.37962604[source]
How would you do certificate pinning if you don't control the clients?

My understanding is that certificate pinning is only possible if you control the clients, in which case you can embed which certificates are allowed directly in the client and bypass the whole web PKI.

In a situation with general-purpose clients connecting, how would they know which certificates are meant to be allowed? That's what the web PKI is used for.

Of course, if you do provide your own clients, this just moves the problem further up the chain - in this case the place where customers would download the custom client software would be compromised and a malicious client served instead.

replies(3): >>37962673 #>>37962874 #>>37963604 #
3. LeoPanthera ◴[20 Oct 23 23:33 UTC] No.37962673[source]
> How would you do certificate pinning if you don't control the clients?

Well you cannot. If you were paranoid, you would perhaps supply a hash through some out-of-band mechanism, which would require manually updating for each new cert.

Obviously most people wouldn't ever want to do that.

4. dist-epoch ◴[21 Oct 23 00:10 UTC] No.37962874[source]
Isn't this what those "key hash pictures" in WhatsApp/Signal are solving?

XMPP clients could implement such a mechanism, and if any certificate/domain along the path changes, the users in a conversation would be notified.

replies(1): >>37965220 #
5. jacquesm ◴[21 Oct 23 00:59 UTC] No.37963159[source]
> Both Hetzner and Linode network appear to be reconfigured specifically for this kind of attack for the XMPP service IP addresses

This suggests a compromise of Hetzner and Linode network management.

replies(2): >>37963466 #>>37963612 #
6. simpaticoder ◴[21 Oct 23 01:18 UTC] No.37963258[source]
>The attacker managed to issue multiple SSL/TLS certificates via Let’s Encrypt

This implies that the attacker was able to validate domain ownership of jabber.ru and xmpp.ru by either a) being able to respond to the ACME protocol on domain(s) hosted http OR b) being able to write to a DNS TXT file for the domain(s). This implies that the victim already lost control of their process server and/or their nameserver.

replies(2): >>37963315 #>>37963880 #
7. tetromino_ ◴[21 Oct 23 01:35 UTC] No.37963315[source]
No. Most probably it merely implies someone upstream of them (presumably their hosting provider under compulsion from German law enforcement) intercepted and spoofed their unencrypted, unauthenticated ACME HTTP traffic.

Same can happen to you.

replies(2): >>37963692 #>>37965243 #
8. jcims ◴[21 Oct 23 01:41 UTC] No.37963349[source]
> * The attacker failed to reissue TLS certificate and MiTM proxy started to serve expired certificate on port 5222 for jabber.ru domain (Hetzner)

This is gold.

replies(3): >>37963430 #>>37970717 #>>37985687 #
9. tptacek ◴[21 Oct 23 01:59 UTC] No.37963430[source]
The absolute lack of giving a shit is one of your major clues this was a lawful intercept scenario.
10. Bu9818 ◴[21 Oct 23 01:59 UTC] No.37963431[source]
>affected 100% of the connections to XMPP STARTTLS port 5222 (not 5223)

Why did they only target the STARTTLS port? On a related note, I would never use the STARTTLS port (opportunistic encryption) if I knew that the server had a regular TLS port...

replies(3): >>37963588 #>>37966043 #>>37971429 #
11. LeoPanthera ◴[21 Oct 23 02:10 UTC] No.37963466[source]
> This suggests a compromise of Hetzner and Linode network management.

No it doesn't. It suggests that they both complied with a request from law enforcement.

replies(1): >>37964707 #
12. KirillPanov ◴[21 Oct 23 02:36 UTC] No.37963588[source]
Easier to conceal the attack.

The MiTM attacker can pass through a command stream without STARTTLS. If they intercepted 5223 they would have to do their own client-side TLS handshake with the attacked server, which would look really obvious to anybody doing TLS fingerprinting on the server: all of a sudden, 100% of their clients have the exact same TLS fingerprint.

Stop outsourcing your PKI to ICANN, folks. Domains are not public keys.

replies(1): >>37964733 #
13. KirillPanov ◴[21 Oct 23 02:39 UTC] No.37963604[source]
TLS client certificates.

Use them.

Stop using domains. Stop.

replies(1): >>37964330 #
14. KirillPanov ◴[21 Oct 23 02:40 UTC] No.37963612[source]
More likely the carrier upstream of them.
replies(1): >>37964112 #
15. simpaticoder ◴[21 Oct 23 02:54 UTC] No.37963692{3}[source]
Okay, but the part I don't understand is why do it this way? If the hosting provider is a threat, they don't need new certs. They can just read your private keys off your disk and MITM with that.
replies(4): >>37963855 #>>37963879 #>>37965520 #>>37965565 #
16. fulafel ◴[21 Oct 23 03:34 UTC] No.37963855{4}[source]
Here's a good example why trust is not binary ("you either trust Hetzner or don't"). Quite possibly wiretapping law doesn't require them to facilitate the server breakin.
17. T3OU-736 ◴[21 Oct 23 03:41 UTC] No.37963879{4}[source]
Your private keys at rest are / should be encrypted, so it would take a bit more than just reading them.

The next level of mitigating that sort of a thing is to have keys not be on the hosts at all. Enter HSM - Hardware Security Module. A wildly complex topic I cannot hope to cover in an HN comment, but fundamentally, the private keys are not on the same HW as the server software which needs them.

A fundamental property of an HSM is that you, the HSM user, don't actually see the private key. You can ask the HSM to generate one. Derive things from it (in the cryptographic sense of derive). Even prove the provenance of such derived data. But the HSM should not reveal the actual private key.

In the cloud world, the HSM equivalent is known as KMS (Key Management Service), and the Good cloud providers all let you manage your own (with the downside being that you now need to manage your own keys).

18. mike_d ◴[21 Oct 23 03:42 UTC] No.37963880[source]
On April 3rd the IP address for ns1.jabber.ru was changed [1]. Two weeks later the first LetsEncrypt certificate was issued. Could be related?

1. https://dns.coffee/nameservers/ns1.jabber.ru

19. duskwuff ◴[21 Oct 23 04:34 UTC] No.37964112{3}[source]
No, that wouldn't insert a hop between the server and the provider's network.
20. callalex ◴[21 Oct 23 05:28 UTC] No.37964330{3}[source]
And how do you distribute those to anonymous users?
21. throwaway4good ◴[21 Oct 23 06:38 UTC] No.37964615[source]
Is it given that this attack was done from within Hetzner?

As I understand the techniques applied; this could have also been done at another place on the network route to the targeted server.

Ie. by the telecommunications company delivering traffic into Hetzner.

replies(1): >>37964699 #
22. throwaway4good ◴[21 Oct 23 06:55 UTC] No.37964699[source]
Tele communication companies have internal “police groups” (where I am from - I expect it to be the same in Germany) that does nothing but service wiretapping requests from the police. Telcos are required by law to do this.

Them expanding into mtm https wiretapping is a new for me but maybe to be expected …

23. dhbanes ◴[21 Oct 23 06:57 UTC] No.37964707{3}[source]
So… compromised.
replies(1): >>37964949 #
24. MattJ100 ◴[21 Oct 23 07:01 UTC] No.37964717[source]
XMPP supports channel binding, which is not mentioned in this post but would have prevented this attack. Unfortunately jabber.ru is running server software from 2016, and that old version doesn't support it.

Pinning is problematic these days, because certificates are short-lived and renewed frequently. Users would be constantly asked to accept new certificates on a monthly basis, and they wouldn't think twice about clicking 'Accept' on an attacker's certificate then.

Channel binding works regardless of the certificate, and ensures the TLS stream is terminated by the entity you exepect.

The focus on (lack of) CT/SCT support in XMPP clients puzzles me, because it would not have detected this attack at all, which used valid CT-logged certs from Let's Encrypt. SCT verification would help detect theoretical issuance from another CA if they had a strict CAA record in place (they did not). But even then, channel binding is more privacy-friendly and does not depend on a third party.

replies(2): >>37964854 #>>37966693 #
25. MattJ100 ◴[21 Oct 23 07:04 UTC] No.37964733{3}[source]
They were doing their own TLS handshake - that's how the attack was discovered (the attacker presented a different certicate, which eventually expired, presumably due to negligence). They were decrypting and re-encrypting.
replies(1): >>37965005 #
26. knorker ◴[21 Oct 23 07:33 UTC] No.37964854[source]
Pinnig is based on the keypair, not the cert. You can renew and not break pinning, right?

Also you can phase in a new cert with pinning.

replies(1): >>37964971 #
27. xinayder ◴[21 Oct 23 07:57 UTC] No.37964949{4}[source]
Compromised means they got hacked, which would translate to all servers in Linode and Hetzner being unsafe for all customers.

Since this affected only one client and it's more likely than not a lawful intercept, it's not a compromise.

replies(1): >>37966022 #
28. MattJ100 ◴[21 Oct 23 08:01 UTC] No.37964971{3}[source]
Yes, you can pin the public key instead, which is generally more helpful. But most ACME clients (including the "official" certbot) default to rotating the key too. That can be disabled, but it's a problematic default for this use case which means clients can't just enable pinning.
replies(1): >>37965363 #
29. KirillPanov ◴[21 Oct 23 08:10 UTC] No.37965005{4}[source]
Read it again:

> they would have to do their own client-side TLS handshake

By intercepting the STARTTLS port the attacker can merely decrypt -- rather than, as you wrote, decrypting and re-encrypting.

replies(2): >>37965170 #>>37966234 #
30. fuzzy2 ◴[21 Oct 23 08:49 UTC] No.37965170{5}[source]
This is not what the attackers did however. From the original article (not this one):

> Traffic dump on port 5222, the connection is hijacked on application level (L7), the server receives replaced ClientHello message from the client.

31. WhyNotHugo ◴[21 Oct 23 08:59 UTC] No.37965220{3}[source]
These are usually to validate the keys used in end-to-end encryption. Both parties must confirm that they see the same details, which confirms that the same keys are being used on both ends.
32. lathiat ◴[21 Oct 23 09:05 UTC] No.37965243{3}[source]
The same way they are intercepting the jabber port they can intercept any other port for the HTTP ACME challenge. No need to get involved at the name server level.
replies(1): >>37970814 #
33. rhn_mk1 ◴[21 Oct 23 09:37 UTC] No.37965363{4}[source]
How can it be disabled in certbot?
replies(1): >>37965421 #
34. natebc ◴[21 Oct 23 09:48 UTC] No.37965421{5}[source]

  --reuse-key           When renewing, use the same private key as the
                        existing certificate. (default: False)
From the docs: https://eff-certbot.readthedocs.io/en/latest/using.html#cert...
35. sshine ◴[21 Oct 23 10:11 UTC] No.37965520{4}[source]
> just read your private keys off your disk

Not just. The disk itself may be encrypted, the keys may be encrypted. Doing this unnoticed and without rebooting would require modifications to the hardware.

36. formerly_proven ◴[21 Oct 23 10:21 UTC] No.37965565{4}[source]
Legally speaking intercepting connections is a very different ballgame from hacking or subverting an endpoint.
37. CommitSyn ◴[21 Oct 23 11:48 UTC] No.37966022{5}[source]
You're both using your own internal dictionary differently for the same correct word.

In hacking, compromised means hacked.

In intelligence, compromised means you have someone doing something on your behalf that they feel forced to do.

You seem to understand this so I'm not sure where the confusion lies.

38. upofadown ◴[21 Oct 23 11:53 UTC] No.37966043[source]
>I would never use the STARTTLS port (opportunistic encryption) if I knew that the server had a regular TLS port...

That is what XMPP clients tend to do...

These days XMPP servers tend to default to requiring TLS on both 5222 and 5223 (Let's Encrypt has changed everything). Prosody does this for example. It doesn't even support port 5223 by default anymore. Port 5223 was never an official port assignment.

So it is very possible that the MiTM was only done on port 5222 because that was the only port that clients were using.

39. MattJ100 ◴[21 Oct 23 12:25 UTC] No.37966234{5}[source]
I don't know what jabber.ru's policy is, it's running a very old version of ejabberd. But you would be hard-pressed to find an XMPP server that would allow authentication without TLS. Starttls makes no difference.
40. joelhaasnoot ◴[21 Oct 23 13:37 UTC] No.37966693[source]
If you care enough to pin, purchasing actual certificates isn't that hard is it?
41. deeth_starr_v ◴[21 Oct 23 21:41 UTC] No.37970717[source]
I mean, I’ve seen the auto renew fail a lot with the certbot. They definitely should have checked it in the renew period to make sure it was working, but I feel for them
42. deeth_starr_v ◴[21 Oct 23 21:53 UTC] No.37970814{4}[source]
Right. That makes the most sense. Let’s Encrypt wasn’t involved … it’d just need to be linode/hetzner
43. octacat ◴[21 Oct 23 23:25 UTC] No.37971429[source]
It is pretty simple. 5223 port is called "legacy SSL". So, because it is legacy, clients would, by default, use 5222 + starttls. I.e. majority of clients connect with 5222.

Also, I've never understood why they've moved 5223 (regular TLS) into deprecated. It was pretty useful to enable SSL on AWS ELB on this port. Which is not possible with 5222, because it does XML stuff before switching to TLS.

I would speculate it is to not keep 2 ports open or something, was a reason to move it to deprecated. + you can do some cleartext communication before switching to TLS (not like it is that useful).

44. rdtsc ◴[23 Oct 23 13:55 UTC] No.37985687[source]
Someone was forced to do it, but they didn’t personally agree with it so they eventually made a “mistake” to tip off the target?

There is the plain incompetence explanation: the hosting provider gave control of the operation to the government entity. The underpaid and indifferent government employee did the best they could with their level motivation and skill level.