←back to thread

Mitigating the Hetzner/Linode XMPP.ru MitM interception incident

(www.devever.net)
341 points hlandau | 3 comments | 20 Oct 23 20:31 UTC | HN request time: 0.001s | source
Show context
manxman ◴[21 Oct 23 02:26 UTC] No.37963542[source]
A quick warning on hetzner. I needed a personal bare metal machine so signed up.

I was travelling and on an IP in a distant land so their sign up asked for secondary verification via PayPal. All passed and now it’s should get a server?

Nope - next day their support emailed telling me they would not approve my account without… no word of a lie here… either 1: a fax of my passport info page or 2: a scan and email containing the same.

I refused reminding them of GDPR and that email is at best opportunistically encrypted and at worst open to interception.

They replied stating they believed they were GDPR compliant because all they do is use the passport to verify the account and delete the document. They also said I could hide anything sensitive other than my name and date of birth!!

I suggested the process is not GDPR compliant as anyone could intercept unencrypted emails and that they should talk to a lawyer if they did not believe my assertion.

Within a short time the server was approved and online. I queried if they would revise their process in light of our interaction. They did not address the question.

replies(8): >>37963761 #>>37964297 #>>37964364 #>>37964823 #>>37965391 #>>37968710 #>>37970183 #>>37974389 #
petre ◴[21 Oct 23 05:19 UTC] No.37964297[source]
They had the option to send it encrypted with PGP. But yes, this reminds me of communist countries where you had to leave your ID at the hotel upon check in. The Stasi mentality lingers on and accomplishes nothing.
replies(4): >>37964394 #>>37964616 #>>37964665 #>>37968756 #
chatmasta ◴[21 Oct 23 17:22 UTC] No.37968756[source]
Plenty of modern hotels in Western countries require you to submit your passport to reception, who then scans it and keeps a copy of it. In fact Marriot recently suffered a data breach where the attacker obtained the photos of these passports.

Of course, that's not mutually exclusive with Western nations having "The Stasi Mentality..."

replies(1): >>37970238 #
1. petre ◴[21 Oct 23 20:38 UTC] No.37970238[source]
I know. Most of them have a fill in the blanks sheet with name address and document s/n.

I can understand scanning documents if one rents a vehicle, although for hotels I fail to see why the form shouldn't be enough. It's not like they don't have cameras at the reception desk and I don't pay with a card under my name, they can also check my ID and fill in the form themselves if they don't trust the customer. Why should I trust them to properly handle copies of my ID? They are not a bank operating under strict regulation.

The thing is back then they were physically keeping your ID until you've paid in full and checked out. Last time it happened to us in Serbia, in 2019. The receptionist regarded us with suspicion. Brought back memories from the '80s. If you've played Papers Please you know what I mean. Now about 8 Schengen Area states have introduced border checks. Great.

https://www.euractiv.com/section/justice-home-affairs/news/s...

replies(1): >>37970368 #
2. chatmasta ◴[21 Oct 23 20:58 UTC] No.37970368[source]
Interesting. That didn't happen to me when I stayed a month in an Airbnb in Serbia, although the host did ask me for a copy of my passport. (Not that I'd expect it from an Airbnb host even if hotels were doing it... just an additional data point).

For renting a vehicle (or more likely, something like a bike or moped), I can understand why they take your ID as a form of collateral in exchange for the material goods they're lending you. But for a hotel there's no real reason to hold onto it.

Out of curiosity, did you acquiesce and leave your passport with them?

replies(1): >>37970537 #
3. ◴[21 Oct 23 21:19 UTC] No.37970537[source]