Messaging Service Wiretap Discovered through Expired TLS Cert

Fascinating story of a covert wiretap that was discovered because of an expired TLS certificate:

The suspected man-in-the-middle attack was identified when the administrator of jabber.ru, the largest Russian XMPP service, received a notification that one of the servers’ certificates had expired.

However, jabber.ru found no expired certificates on the server, ­ as explained in a blog post by ValdikSS, a pseudonymous anti-censorship researcher based in Russia who collaborated on the investigation.

The expired certificate was instead discovered on a single port being used by the service to establish an encrypted Transport Layer Security (TLS) connection with users. Before it had expired, it would have allowed someone to decrypt the traffic being exchanged over the service.

Tags: , , , ,

Posted on October 27, 2023 at 7:01 AM20 Comments

Comments

Winter October 27, 2023 8:26 AM

ValdikSS, a pseudonymous anti-censorship researcher based in Russia who collaborated on the investigation.

For his own well-being, I hope Ms or Mr ValdikSS [1] has done the “pseudononymization” with good opsec, .

[1] Other options than Ms, Mrs, or Mr are illegal in Russia.

John October 27, 2023 9:48 AM

Sounds huge, but wasn’t it irrelevant if someone used OTR or OMEMO to communicate?

Or maybe it allowed to intercept user credentials when logging in?

Vesselin Bontchev October 27, 2023 10:18 AM

“Another possible, although much more unlikely scenario is an intrusion on the internal networks of both Hetzner and Linode targeting specifically jabber.ru — much harder to believe but not entirely impossible,” the researcher wrote.

Actually, this is the much more likely scenario.

If this was indeed lawful interception by the German law enforcement, they would have obtained a court order and would have forced the hoster either to provide them with the private key or to generate a new certificate for interception purposes. They wouldn’t have used Let’s Encrypt.

No, somebody hacked the hosters and didn’t want them to know that interception was going on. It could be the German intelligence services, of course – or some other NATO actor.

Clive Robinson October 27, 2023 10:20 AM

@ ALL,

This sort of “Man In The Middle(MITM) attack is not new, and it happens because the CA system is corupt in many ways.

In your browser there will be hundreds of “Root Certificates” used by all sorts of CA’s including “Hostile Nation Militaries” which you can use as a euphemism for “SigInt and other Intel agencies”.

Most browsers make “editting” the root certificates out about as dificult as they can do… Why is one of those questions they either avoid or effectively lie about.

The most charitable explanation is they are paid in some way to make this security vulnarability available.

Worse the CA industry solution is to make the life expectancy of user certificates as short as they can. Last time I looked it was down to a year and a day… Having it this short actually opens up other security vulnerabilities, as well as making the private key loss more likely…

It’s been said quite a number of times but we actually need to action it[1],

“We need to replace PKCerts with a much more secure and available system.”

Otherwise we will keep reading about these occasional mistakes by those spying on us every which way they can.

[1] Generally there are three ways to deal with a security hazard,

1, Replace/fix it with something safer.
2, Some how mittigate against the harms when in use.
3, Don’t use it so the harms do not happen.

I’m an “Option 3” sort of person, thus look at doing things significantly different to most.

But I appriciate that whilst “Option 1” is nice and prefered way it gets exponentially more difficult and expensive to do.

Which is why we end up with so many “Option 2” solutions that become new types of vulnerabilities in their own right.

There is of course another way to deal with it, which lies between option 2 and 3.

Which is what true “End to End Encryption”(E2EE) is all about.

Whilst we talk a lot about E2EE it generally hides the point it is not true E2EE because a “Third Party is involved” which is why Tyranical government Employees can push the agendas they do by lying to legislators and the like.

As I’ve said in the past “Secure Messaging Apps” are not secure, not just because of “third parties involved in the encryption” but because the rest of the system alows eaay “end runs” around the “security end point” to the plaintext interface.

In effect this is what “source filtering” is all about. If you can examin the plaintext before it becomes cipher text then you do not need to break the encryption in the app.

The way to stop this is to move the security end point off of the communications device like your Mobile phone or other Smart Device.

The downside is it lacks conveniance / ease of use for the user, and the user needs a good grasp on basic crypto OpSec.

We’ve all heard what a great success international Police collaboration has been in busting “Serious Organised Crime”(SOC) by planting back doored phones onto criminals.

Well that is what they want to do to all of us.

However what they don’t want you knowing is that if those criminals had coded, enciphered or both their messages before they put them on the backdoored phones, their messages would have remained private thus secure against the authorities.

This is something the smarter crooks already know and the less smart ones are now finding out about. In effect it’s an evolurionary process, and the criminals have the advantage over the police.

It’s about time the rest of us started availing ourselfs of such protection as I’ve explained in the past.

Clive Robinson October 27, 2023 12:16 PM

@ Tim,

“We can always rely on Clive to have the most awful out of touch and clueless take.”

Hmm, you’ve obviously not read the first couple of paragraphs of the story, as anyone can see.

But also as everyone can see you are actually contributing nothing, and as we used to say,

“Lowering the average IQ in the room”

Which makes me think your handle is made up, as your style is very reminisant of another who finally raised the IQ by ceasing to comment.

Bob October 27, 2023 3:20 PM

There recently has been a new tool developed by the XMPP community at CertWatch that will help set up and monitor for these kinds of attacks.

Clive Robinson October 28, 2023 8:13 AM

@ yet another bruce,

“Kicking out anyone” for what ever reason is not a power I or you have here, nor would I want it to be (as I’ve repeatedly pointed out in the past).

But you will also,find that there is a protracted history, thus it’s not “a random stranger [who] is a jerk” issue. Because there is a well established “style and agenda” going back quite some time with this type.

The fact such behaviour is proportionately increasing makes it way more of a visable problem than it used to be in the past and you have to consider the direct and indirect harms.

So you need to see it not as a single event but as an MO or similar.

Thus consider the history, that in the past being polite etc to such types only encoraged them to

“Play to their imaginary audiance”

So it made the problem worse not better thus increasing the harms.

So the “ignore it with very little conscious thought” was also tried but that either,

1, Encoraged/enraged them,
2, They started picking on others,
3, They went compleately over board.

So increasing the harms.

So sometimes as with keeping perennials you have to,

“Nip things in the bud”

In that way resources are minimally wasted and the rest can hopefully grow stronger even in a changing climate.

The indirect harms are unfortunately an issue that few consider sufficiently.

We’ve known for some time there are organisations that screen people for prospective employers often illegaly or using unlawful methods. Hence there is legislation to try to prevent it, but where there is money there is a market that will form.

Such unlawfull operators are known to scrap / hover-up the internet via search engines and automated scripts to produce often factually incorrect reports (which is why making such reports has became contrary to the law in many jurisdictions).

The “Christopher Steele Dossier” is perhaps the most famous example of such a flawed report most will be aware of, and the rumblings over it still continue getting on for a decade after it was probably commissioned[1].

The limitations of the “sources and methods” used are one of the reasons for the high error rate, and almost always it is because they did not apply the resources required or failed to follow the rules that even scurrilous journalists do. That is they were doing it on the cheap because so were those employing them doing it on the cheap and they assumed nobody would find out they were acting illegally or highly questionably so could get away with doing it on the cheap.

And… Just recently people have woken up to the realisation that AI ML LLM are doing the same thing but publically thus “slandering them” which indirectly has brought the same “doing it on the cheap” issue up. So it is now an issue front and square in the public view.

The excuses given by those running the LLMs is varried but some boil down to “similar names”. Thus you very much have to consider “collateral harms”.

Whilst I’m not a public figure, I stand behind my name, as does our host and others who post here using their given names. And as I’ve mentioned before several times I’ve found atleast five others not just share my name, but our various professional domains –like those Venn Diagrams that got coloured in at school– intersect.

So the harms problem is considerably larger than just one entity, especially with the rise of “cancel culture”[2].

So “ignoring” is not an option any longer, not that it ever should be which is why harassment, cyber-bullying and slander, are unlawful activities with criminal and civil penalties even though the idiots behind it mistakenly think they are anonymous.

Thus the “nip the bad bud” at first showing is the only way to ensure, the truth of it is there for others to see and thus the potential harms for all minimized.

[1] From just a few days back,

https://www.theguardian.com/us-news/2023/oct/17/russian-sources-disappeared-after-trump-declassified-ex-spys-evidence-uk-court-told

[2] It’s said that,

“A lie can be halfway around the world before the truth has got it’s boots on.”

Perhaps the most famous of recent times was “Pizza-gate” where compleat and utter nonsense that was easily disproved just would not stop getting passed on around. As way to many just wanted to believe it as it fed into their cognative and other deficiencies,

https://www.dailydot.com/debug/pizzagate-fake-news-conspiracy-theories/

A gun-toting idiot waving it around and firing it in a public place as a consequence is an indicator of the harms to others such nonsense can achieve.

Abel C. October 28, 2023 2:56 PM

Clive, re:

Most browsers make “editting” the root certificates out about as dificult as they can do…

Not quite. The UI, if available, is invariably awful, but at least I’ve never had to hex-edit or recompile the browser: Firefox and Chromium both read it from libnssckbi.so. Granted, Chromium gets weird now—connection attempts mysteriously timing out—if you just prevent it from reading the file. But you can grab the source tree, rebuild that library after deleting out all the certs, and use a tool like “bwrap” to bind the “slug” library on top of the real one. And then, of course, you have to add the certificates you want (Chromium has an ignore-certificate-errors-spki-list option to accept specific ones based on a base64 SHA256 fingerprint, whereas Firefox has cert_override.txt for which Python generator code can be found online).

It’s all horrible, but not maximally horrible nor very brittle. Maybe someone more familiar with Cryptoki could even put a reasonably friendly interface on it. A more relevant point might be whether certificates even matter, now that so many site operators are offloading their management onto the big content distribution networks. When one of them has their “data Valdez” moment and a ZIP file of millions of private keys come online, that’s gonna be a bad day.

As for improving certificate issuance, I’ve said before that every issuer should be required to publish the full DNSSEC chain used for validation. Even if it ends with a signed opt-out record before reaching the Certification Authority Authorization or its NXDOMAIN, we’ll be able to see who was responsible for any particular security flaw. And this involves zero client-side changes; no actions at all for anyone other than the Authorities.

ResearcherZero October 29, 2023 3:26 AM

@Clive Robinson, @ALL

Yep, CT logging is still not a requirement of the CA/Browser Forum Baseline Requirements

“While web browsers enforce this requirement, most other TLS clients don’t, and will accept an unlogged certificate. Such infrastructure is easier to exploit because it will accept an unlogged TLS certificate, which CAs are legitimately allowed to issue. …An adversary might be able to successfully compel your CA to mis-issue a certificate.”

An adversary could also just target specific persons it knows it is interested in intercepting (i.e., only MitM traffic on a whitelist)

‘https://www.devever.net/~hl/xmpp-incident

TLS negotiations are transmitted in the clear, so it’s possible to fingerprint and identify client applications using the details in the TLS Client Hello packet.

It is also possible to fingerprint the server response. Combined, they essentially create a fingerprint of the cryptographic negotiation between client and server.

10 handshakes is enough to provide a highly accurate fingerprint, especially when combined with other information like the HTTP header and other details.

‘https://tma.ifip.org/2022/wp-content/uploads/sites/11/2022/06/tma2022-paper35.pdf

As Citizen Lab puts it…

“Decades of poor accountability and transparency have contributed to the current environment where extensive geolocation surveillance attacks are not reported.”

When you move away from a cellular tower owned by one company to one owned by another, your connection is handed off seamlessly, preventing any interruption to your phone call or streaming video. To accomplish this handoff, the cellular networks involved need to relay messages about who — and, crucially, precisely where — you are.

“network and other third-party service providers, such as those who provide IPX and inter-carrier billing settlement, should be required to encrypt the unique details of a phone’s IMSI and its accompanying mobile data files. Such activities should be accompanied by a strict and regular schedule of compliance audits.”

“While a great deal of attention has been spent on whether or not to include Huawei networking equipment in telecommunications networks comparatively little has been said about ensuring non-Chinese equipment is well secured and not used to facilitate surveillance activities.”

It is used to track human rights defenders, senior business leaders, government officials, and members of militaries.

‘https://citizenlab.ca/2023/10/finding-you-teleco-vulnerabilities-for-location-disclosure/

Clive Robinson October 29, 2023 6:59 AM

@ ResearcherZero, ALL,

Re : Points to fingerprints.

One of the problems both science and maths has is due to the continuance of new knowledge domains starting we have a “lack of available words” in the language. So words get reused thus new meanings attached to them.

One such word is “Unicity”[1],

“Unicity is a risk metric for measuring the re-identifiability of high-dimensional anonymous data. First introduced in 2013, unicity is measured by the number of points p needed to uniquely identify an individual in a data set.”

https://en.m.wikipedia.org/wiki/Unicity_(data_analysis)

However it’s the rest of that page that should be of interest, as it gives an indication of how few points are needed to form a fingerprint, and it’s about 4,

“In 2013 researchers from the MIT Media Lab showed that only 4 points needed to uniquely identify 95% of individual trajectories in a de-identified data set of 1.5 million mobility trajectories. These points were location-time pairs that appeared with the resolution of 1 hour and 0.15 km² to 15 km². These results were shown to hold true for credit card transaction data as well with 4 points being enough to re-identify 90% of trajectories.”

Which is realy quite scary…

[1] Unicity has more than one relevent meaning to this blog so “context” becomes important, to identify which. Normally we refere to “Unicity Distance”,

https://en.m.wikipedia.org/wiki/Unicity_distance

Which is said to be the minimum length of ciphertext to recognize the plaintext[2] in a brut force of the key space search.

[2] Something rarely mentioned is that recognizing plaintext is considered one of lifes intractables, hence if pushed people talk with their arms waving of “you know it when you see it”. Which is actually mostly not true these days, and why the old recomendation of using some form of statistics flattening like compression of plaintext is recomended. However there are two ways,

1, The “Duck Test”
2, The use of a “Distinguisher”.

The “distinguisher” can be many things but quite often it’s some form of “Error Correction” in the plaintext or fixed formating flag or similar. Thus some compression systems that add checksums or similar realy should not be used.

Winter October 29, 2023 7:55 AM

@Clive, ResearcherZero

It is used to track human rights defenders, senior business leaders, government officials, and members of militaries.

I think it is an illusion to think the cell tower infrastructure can be made privacy secure.

Those who handle security of the highly endangered targets have resorted to a decoupling of SIM, phone number and identity.

Targets get an anonymous SIM card for internet data communication used in a mobile hotspot device. They never use that number for calls. They do not even know that phone number. Network traffic goes over a VPN through some trusted provider.

They obtain a phone number from a provider of phone numbers, eg, Google Voice, which they access over the internet. Their browsing device or phone use the hotspot.

Targets can switch hotspot devices, and SIM cards, frequently which makes geolocation more difficult.

This way, identity and location can be decoupled from the mobile phone providers and cell towers.

Clive Robinson October 29, 2023 11:46 AM

@ Winter, ALL,

Re : Points to fingerprints.

“I think it is an illusion to think the cell tower infrastructure can be made privacy secure.”

In it’s traditional usage, no you can not make it secure.

However you can lay another network on top of it that can make it secure in that respect[1]. I’ve kind of talked about it in the past with the “Fleet Broadcast System”.

“Those who handle security of the highly endangered targets have resorted to a decoupling of SIM, phone number and identity.”

It’s not enough as it does not “hide the graph” of temporal and geospatial points, that can be fairly easily found.

Those doing “close protection work” generally advise their VIPs that anything that is “regular kills”. So going to work at the same time every day, or using the same route are very definate “No No’s”.

The big issue generally with “targeting” is the start and end points of the journy when they are known to an adversary with resources. In that they can “stake-out” parts of the journy.

With any kind of cellular radio system every traversal of a cell is a journy and all start and end points are recorded. So it’s the equivalent of having an adversary with 100% “stake-out” coverage.

They need know nothing further because everything that happens in the cells is recorded. Getting a conputer to play “join the dots” then apply statistical matching pulls out even a frequently changed SIM and all the others that match.

You can obtain software and subscriptions to service provider data in effectively “real time” to find your target as long as anyone in their group has a mobile phone that is switched on…

So,

“This way, identity and location can be decoupled from the mobile phone providers and cell towers.”

Is not the case.

In the past we had “pager networks” that used a “broadcast” model in “Very Large Area Cells”.

In the past I’ve described how you remain in “running silent” mode as far as RF radiation is concerned. When you get a “page” you then head to a random location turn on the mobile make a brief non circuit switched connection then go back into running silent and get the heck away from the random location, and try not to use it again.

The way the POCSAG paging standard and systems worked was that all messages were sent in plaintext and all pagers received them the “received in promiscuous mode” but… Only displayed the message if the ID numbers matched. As people putting messages into the system were not authenticated, you could send a message to any pager number knowing that with high probability the “special pager” you had with the VIP would pick it up. All the “special pager” had to do was recognize the message. This could be done in a sinilar way to TAN lists used as onetime passwords.

Sadly wide area paging systems are rapidly becoming a thing of the past thanks to cell-phone SMS’s.

So that very useful channel is nolonger of use for covert low visability communications.

There are however other similar broadcast message systems out there, they are either “quite patchy” in coverage area, or they need more specialised equipment that has other disadvantages (like needing microwave antennas pointing at “birds in the sky” etc).

[1] I’ve talked about the basics when talking about how the Military go about solving “Traffic Analysis” issues. In essence you put up beacon repeaters that are connected to a digital network via a constant stream of data at a fixed rate they in turn transmitt a continuous stream of data in the VHF or UHF bands kind of like a digital version of an “HF Numbers Station” for low speed low data comms and signalling. They likewise receive and transmit burst type transmissions that are high speed high data comms for interactive communications. Thus just driving into range of one of the beacon-repeater locations and “connecting” gives a degree of anonymity. They use a “Packet Ring” type communications, such that you get a fixed rate of encrypted traffic regardless of how much actuall traffic is being carried.

Winter October 29, 2023 12:16 PM

@Clive

The big issue generally with “targeting” is the start and end points of the journy when they are known to an adversary with resources.

If these places are already known, why would you hide them?

And you can switch SIM devices as often as you want, or need.

Abel C. October 29, 2023 12:49 PM

Winter, re: “And you can switch SIM devices as often as you want, or need.”

How would that help? If it’s the same phone, it has the same IMEI to be tracked by carriers and governments, and probably still submits all the same data to Google or Apple. And we know from Snowden that there are spying programs to detect SIM-switching and phone-switching (e.g. phone B appears when phone A disappears), as well as phones that often move together.

Why’s it “an illusion to think the cell tower infrastructure can be made privacy secure”? As far as I know, the only serious proposal for that is Pretty Good Phone Privacy (PGPP), and there’s little illusion it’ll be supported by carriers or incorporated into mobile network standards anytime soon. But it seems like reasonable evidence that networks can be made secure (providing the IMEI is abolished or made zero-knowledge), if people care. Not 100% secure, on account of radio fingerprinting and the like, but enough to be called “pretty good”.

Winter October 29, 2023 1:00 PM

@Abel C.

How would that help? If it’s the same phone, it has the same IMEI to be tracked by carriers and governments, and probably still submits all the same data to Google or Apple.

Devices! That is SIM+IMEI are changed.

To make things more interesting, you can use fixed hotspots at the endpoints. And all kinds of imaginary things like intermitedly streaming random stuff over your VPN at all fixed hotspots you use so your actual messages are hidden in the noise. Or you can consult a real expert, and not some random person on the internet.

Why’s it “an illusion to think the cell tower infrastructure can be made privacy secure”?

Because it costs money and 90% of people don’t care and most of the rest are violently against it.

Personally, I think strict legal protections should be introduced first and technical protections later.

Abel C. October 29, 2023 5:57 PM

Devices! That is SIM+IMEI are changed.

Maybe we’re getting into semantics, but when one talks about “switching” SIM cards I don’t normally interpret that to mean “smash the old one with a hammer, smash the device it was in, and start using a new device with a new card”. Nor using one of two devices, each of which has a different SIM that will never be removed except to destroy it.

Personally, I think strict legal protections should be introduced first and technical protections later.

I don’t know about “should”, but I don’t see legal protections being as effective as technical ones. Politicians always like to make “selfish” exceptions—for example, despite the GDPR, some European countries require hotels to scan identification documents of their guests and send them to police (whereas it was considered a scandal when Motel 6 provided guest names to U.S. law enforcement without requiring warrants). It’s the opposite when it comes to large companies such as Facebook, with Europeans objecting to Facebook providing that data to governments without warrants. In all cases, though, there are “unofficial exceptions”, by which spies ignore those laws and are never punished for it.

So, minor rant aside, some people already have seemingly-strict laws that should cover this. Is there evidence they’re working? For example, can mobile phone customers in Europe rest assured that their providers are not keeping any location data if they haven’t given explicit and specific consent? (If we don’t know, someone in Europe should request their own location records, and request a government investigation if there’s anything going back more than a few hours.) Are the providers pressuring the standards bodies and equipment manufacturers to reduce the amount of data even temporarily collected by the system?

I don’t think this is really and “first” and “later” type of thing. Yes, legal protections should be introduced, but it’s also necessary that they be enforced. Part of the enforcement should involve pushing back against “necessary” data collection that’s only necessary due to lack of effort. That, and significant penalties for data misuse (including “accidents”) would feed into technical efforts, which are needed now rather than “later”. If a company knows that any leak of their phone-location records could cost them billions of euros, it would make a lot of sense to spend tens of millions to ensure no such records could possibly ever exist. Which will make domestic spying more difficult—something the politicians would not explicitly require—and help foreigners with less democratic governments. And for those who remember the “U.S.A. P.A.T.R.I.O.T. Act”, technical protections are also a lot harder to roll back, and can be easier to get started (as with the librarians who decided to delete and stop storing historical checkout records, and post “warrant canaries”, when changing the law just wasn’t a realistic option).

Clive Robinson October 29, 2023 10:07 PM

@ Abel C., Winter,

“Maybe we’re getting into semantics, but when one talks about…”

More like getting into “economics”

Whilst you can still buy very cheap 2G phones at around 30 Euros/Dollars, the sort of person wanting this level of protection is going to want some degree of “capability” which means something more like 300 Euros/Dollars per get the hammer out cycle.

Whilst a cheaper option would be to use a “broadband dongle” and laptop or smart tablet, they fail on the convenience of use capability.

Whilst most can use a mobile phone as a passenger in a vehicle like a car, the number of those that can use a laptop in a car is considerably smaller, and cleaning puke out of a keyboard is no fun for anyone that I know of.

But also you have the “buy in bulk” issue. That is buying a months supply in one go whilst making your accountant slightly happier, it’s going to make a sufficiently knowledgable security advisor come down with a dose of the hives.

Because there are various equivalents of “serial numbers” including the likes of MAC Addresses that will share a common manufacturer code and probably seqiential equipment codes when purchased in bulk. Thus stand out like a regiment of red-coats marching down a road to an adversary.

Then you need a certain type of tech support person who has indepth knowledge of what not to use. Because nearly all software these days assumes an Internet connection and dials home with a unique ID as well as puke bucket loads of information that will fingerprint the device and the user. Earlier software used to hide it in files, and that still goes on. Oh and as for modern OS’s some are absolutly outrageous…

I’m With Tim October 30, 2023 9:19 PM

@Clive

I’m with Tim. You should start your own blog. You clog up these comments every day with long winded, wordy monstrosities of a comment,

We can hear for Bruce. Go write a book.

Clive Robinson October 31, 2023 2:31 AM

@ I’m with Tim.

I suspect from style you are actually a sock puppet.

But still not actually contributing anything of worth, nor I suspect ever will do.

Leave a comment

Login

Allowed HTML <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre> Markdown Extra syntax via https://michelf.ca/projects/php-markdown/extra/

Sidebar photo of Bruce Schneier by Joe MacInnis.