
341 points hlandau | 2 comments
manxman No.37963542
A quick warning on Hetzner. I needed a personal bare metal machine so signed up.

I was travelling and on an IP in a distant land so their sign up asked for secondary verification via PayPal. All passed and now I should get a server?

Nope - next day their support emailed telling me they would not approve my account without… no word of a lie here… either 1: a fax of my passport info page or 2: a scan and email containing the same.

I refused, reminding them of GDPR and that email is at best opportunistically encrypted and at worst open to interception.

They replied stating they believed they were GDPR compliant because all they do is use the passport to verify the account and delete the document. They also said I could hide anything sensitive other than my name and date of birth!!

I suggested the process is not GDPR compliant as anyone could intercept unencrypted emails and that they should talk to a lawyer if they did not believe my assertion.

Within a short time the server was approved and online. I queried if they would revise their process in light of our interaction. They did not address the question.

petre No.37964297
They had the option to send it encrypted with PGP. But yes, this reminds me of communist countries where you had to leave your ID at the hotel upon check-in. The Stasi mentality lingers on and accomplishes nothing.
1. OmarAssadi No.37964665
I think it is less Stasi and more so 30 euro dedicated servers with unmetered gigabit lines are ripe for bad clients.

You've got the general issue of abuse and fraud that all providers face. But I think there are two issues that make it worse for companies like Hetzner, OVH, and other low-cost providers:

1. Chargebacks are a big deal, both in terms of being cut off from payment networks but also the fees imposed, which are especially harsh if your margins are likely razor thin sometimes; looking at the server auctions right now, it's kind of wild that Hetzner manages to give you a place in a datacenter, 3700X, 64GB RAM, 2x1TB enterprise SSDs, and unmetered gigabit on a decent network for 33 euros while still making a profit.

2. I would imagine that attempting the proper credit-card theft kind of fraud is also more of an issue for low-cost providers, not only because of #1, but because I think you'd manage to keep and abuse servers bought with stolen money for a lot longer; I think legitimate owners of said cards are less likely to notice 30 euro charges every month compared to being robbed blind by unexpected AWS fees.

I've had to deal with anti-fraud paranoia from OVH, BuyVM, Hetzner, and many others, likely all for the same reasons as Hetzner.

Both Hetzner and OVH refused to provide me service without photo ID or a passport. BuyVM refused one of my Jordanian friends entirely unless he paid in crypto. And while minor in comparison, I've had to change my PayPal email to match my account email on BuyVM despite it literally previously being paypal@myfirstandlastname.tld.

Not meant to be a dig at BuyVM, btw, even though the crypto bit may seem harsh. I really like them; freedom to host pretty much anything that isn't straight-up illegal, even Tor exit nodes, the support is good, they're often around and transparent in the community chat, and it's hard to beat free BGP announces, up to 10Gbps speeds, anycasted VMs across Europe and the US for <$10/month, and optional $3/month DDoS mitigation -- especially since it's the kind of small enough, tight-ship type of thing to where you can moan about poor routing or custom mitigation filters and potentially have someone actually try to take care of it (and it's also hard to beat for abusive or awful clients too, hence the trouble).

They provide great service, even if only to use as a DDoS-mitigated tunnel for more powerful servers elsewhere, or as a CDN, etc.

2. immibis No.37974425
BuyVM comes off as one of those sites that's explicitly set up to host illegal content, but with plausible deniability. I don't understand how they're still allowed to remain operating. Governments usually err on the side of arresting innocent people.

P.S. Hetzner gigabit is not actually unmetered, but the limits are vague, but high (>100TB/month)