this post was submitted on 21 Oct 2023
XMPP

XMPP (aka Jabber) is the community-owned standard for real-time federated messaging.

[–] perestroika 3 points 1 year ago* (last edited 1 year ago) (2 children)

A TTL of 64 superficially suggests to me that the attack occurred on the server / in the hosting location. Network hardware is supposed to decrease it on every hop, is it not?

The 18 July 2023 issuing time is about the same as when the Hetzner server lost its network link for several seconds.

Seems to support a hypothesis that the attack occurred at the hosting location.

  • The attacker managed to issue multiple SSL/TLS certificates via Let’s Encrypt for jabber.ru and xmpp.ru domains since 18 Apr 2023
  • The Man-in-the-Middle attack for jabber.ru/xmpp.ru client XMPP traffic decryption confirmed to be in place since at least 21 July 2023 for up to 19 Oct 2023, possibly (not confirmed) since 18 Apr 2023, affected 100% of the connections to XMPP STARTTLS port 5222 (not 5223)
  • The attacker failed to reissue TLS certificate and MiTM proxy started to serve expired certificate on port 5222 for jabber.ru domain (Hetzner)

Too bad they didn't discover how the forged certificate was obtained.

My guess, since those were .ru domains and that's a hot topic: spooks from three letter agencies spooking around. Either Russian agencies trying to catch dissidents or other agencies trying to catch someone working for Russian agencies.
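The two checks discussed above (the TTL-to-hop-count reasoning, and the finding that the MitM proxy sat on the STARTTLS port 5222 serving its own Let's Encrypt and later expired certificate) can both be turned into a routine probe. The script below is an added example, not code from the original thread or from jabber.ru; the hostname and the pinned fingerprint set are placeholders you must replace with your own server and the SHA-256 of the certificate you actually deployed. It performs the XMPP STARTTLS exchange from RFC 6120, captures the leaf certificate the peer presents (without validating it, so an expired or foreign-but-valid certificate is still captured), compares its SHA-256 fingerprint to the pinned set, and includes a helper that turns an observed IP TTL into an estimated hop distance using the common initial TTLs of 64, 128 and 255:

```python
"""Probe an XMPP server's STARTTLS port and pin the certificate it presents.

Added example (not from the original thread). The host and the expected
fingerprint below are placeholders; replace them with your own values.
"""
import hashlib
import socket
import ssl
import sys

XMPP_TLS_NS = "urn:ietf:params:xml:ns:xmpp-tls"

# Initial TTL values commonly chosen by operating-system network stacks.
INITIAL_TTLS = (64, 128, 255)

# Placeholder: SHA-256 fingerprints of the certificate(s) you deployed.
EXPECTED_FINGERPRINTS = {"00" * 32}


def estimate_hop_distance(observed_ttl: int) -> tuple[int, int]:
    """Return (assumed initial TTL, routers traversed) for an observed TTL.

    Every router decrements the IP TTL by one, so a packet arriving with
    TTL 64 from a host whose stack starts at 64 crossed zero routers: it
    came from the same L2 segment or the same machine.
    """
    if not 0 < observed_ttl <= 255:
        raise ValueError("TTL must be in 1..255")
    initial = next(t for t in INITIAL_TTLS if t >= observed_ttl)
    return initial, initial - observed_ttl


def starttls_offered(features_xml: str) -> bool:
    """True if a <stream:features> blob advertises STARTTLS (either quote style)."""
    return (f"<starttls xmlns='{XMPP_TLS_NS}'" in features_xml
            or f'<starttls xmlns="{XMPP_TLS_NS}"' in features_xml)


def cert_fingerprint(der: bytes) -> str:
    """Lowercase hex SHA-256 over the DER-encoded certificate."""
    return hashlib.sha256(der).hexdigest()


def pin_matches(der: bytes, expected: set[str]) -> bool:
    """Compare against pins given as hex, with or without colons, any case."""
    normalised = {e.lower().replace(":", "") for e in expected}
    return cert_fingerprint(der) in normalised


def _recv_until(sock: socket.socket, marker: bytes, limit: int = 65536) -> str:
    """Read until `marker` appears; refuse to buffer more than `limit` bytes."""
    buf = b""
    while marker not in buf:
        chunk = sock.recv(4096)
        if not chunk:
            raise ConnectionError(f"peer closed stream before {marker!r}")
        buf += chunk
        if len(buf) > limit:
            raise ValueError("stream data exceeded limit before marker")
    return buf.decode("utf-8", "replace")


def fetch_starttls_leaf_cert(host: str, port: int = 5222, timeout: float = 10.0) -> bytes:
    """Run the XMPP STARTTLS exchange and return the leaf certificate as DER.

    Verification is deliberately disabled so that an expired or otherwise
    unexpected certificate is still returned for fingerprint comparison.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as raw:
        raw.sendall(
            f"<?xml version='1.0'?><stream:stream to='{host}' version='1.0' "
            f"xmlns='jabber:client' xmlns:stream='http://etherx.jabber.org/streams'>"
            .encode()
        )
        features = _recv_until(raw, b"</stream:features>")
        if not starttls_offered(features):
            raise RuntimeError("server does not offer STARTTLS on this port")
        raw.sendall(f"<starttls xmlns='{XMPP_TLS_NS}'/>".encode())
        reply = _recv_until(raw, b"/>")
        if "<proceed" not in reply:
            raise RuntimeError(f"STARTTLS refused: {reply.strip()}")
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "xmpp.example.org"  # placeholder host
    der = fetch_starttls_leaf_cert(target)
    print(target, "sha256", cert_fingerprint(der))
    if not pin_matches(der, EXPECTED_FINGERPRINTS):
        print("WARNING: presented certificate does not match pinned fingerprints", file=sys.stderr)
        sys.exit(2)
```

Run it from a vantage point outside the hosting network as well as from the server itself; a certificate that matches the pin locally but not remotely is exactly the on-path substitution described above. Pair it with a TTL reading from a packet capture fed to `estimate_hop_distance` to reason about where the substituting device sits.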

[–] nicocool84@sh.itjust.works 3 points 1 year ago (1 children)

Too bad they didn’t discover how the forged certificate was obtained.

I don't think they forged certs, they obtained valid ones because they controlled the machine behind the IP?

spooks from three letter agencies spooking around

Apparently that server was widely used for "dark market" sort of things. Isn't a "simple" police investigation more likely?

[–] perestroika 2 points 1 year ago

Perhaps indeed.