←back to thread

Mitigating the Hetzner/Linode XMPP.ru MitM interception incident

(www.devever.net)
341 points hlandau | 1 comments | 20 Oct 23 20:31 UTC | HN request time: 0s | source
Show context
liquidk ◴[20 Oct 23 23:06 UTC] No.37962482[source]
The provider has access to the host, they can just inspect the job from the outside and you won’t be able to tell
replies(3): >>37962632 #>>37962862 #>>37963439 #
the8472 ◴[20 Oct 23 23:27 UTC] No.37962632[source]
secure boot + virtualized memory encryption is supposed to prevent that, you'll have to trust intel/amd though.
replies(4): >>37962858 #>>37963072 #>>37963119 #>>37963152 #
1. dist-epoch ◴[21 Oct 23 00:07 UTC] No.37962858[source]
Only if secure boot was enabled by a trusted party on trusted hardware.

If you enable secure boot remotely without physical access to the machine you can't be sure it was actually setup in a non-compromised way. For example the machine could be running a custom backdoor-ed TPM, BIOS settings, ...