fsebugoutzone.org:9999

       Post AaySrdqFTIP2tyaAwC by nicoco@pouet.pas.la
 (DIR) More posts by nicoco@pouet.pas.la
 (DIR) Post #Aaxwzrap21tZKlF9uK by ge0rg@chaos.social
       2023-10-20T13:52:40Z
       
       1 likes, 1 repeats
       
       Detailed and credible looking report of #LawfulInterception #MitM on an #xmpp server hosted at #Hetzner in Germany: http://notes.valdikss.org.ru/jabber.ru-mitm/Looks like a transparent bridge was deployed in front of the actual server, obtained dedicated certificates from #LetsEncrypt and MitMed all incoming client connections since July. It was discovered because the LE certificate expired 🤦
       
 (DIR) Post #AaxwztQGEGdT0aJkiu by ge0rg@chaos.social
       2023-10-20T14:27:30Z
       
       0 likes, 0 repeats
       
       Another way to prevent this sort of #MitM with #LetsEncrypt is setting a strict CAA record with an accounturi (thanks @zash): https://letsencrypt.org/docs/caa/#the-accounturi-parameter
       
 (DIR) Post #Aaxx0fBiddWZ9Nsoim by jabberati@social.anoxinon.de
       2023-10-20T14:18:46Z
       
       0 likes, 0 repeats
       
       @ge0rg Super interesting read. I will definitely use Cert Spotter for my server now. @zash Would Prosody channel binding have prevented this from happening? Do I need to enable something to use channel binding?
       
 (DIR) Post #Aaxx0fvnsIO5SJRcYK by zash@fosstodon.org
       2023-10-20T15:36:51Z
       
       0 likes, 0 repeats
       
       @jabberati @ge0rg Channel Binding (e.g. the SASL SCRAM-*-PLUS mechanisms) would have made login fail, making it more noticeable that something is not right.
       
 (DIR) Post #Aay0eLkwbXVEKTyWCe by blue@quietplace.xyz
       2023-10-20T16:28:19.499Z
       
       0 likes, 0 repeats
       
       @zash@fosstodon.org @jabberati@social.anoxinon.de @ge0rg@chaos.social interesting, is there any xmpp group that could audit for example my server? I see people writing about some measures like if they are obvious, may be I could ask someone to do a crash course for me?
       
 (DIR) Post #AaySra6PNGx7Iw71ZQ by mathieui@piaille.fr
       2023-10-20T14:04:03Z
       
       0 likes, 0 repeats
       
       @ge0rg That looks like an incentive for more DANE deployments to me
       
 (DIR) Post #AaySrbDXEGFOlKSEJk by ge0rg@chaos.social
       2023-10-20T14:14:05Z
       
       0 likes, 0 repeats
       
       @mathieui all the practical aspects aside, with DANE you are trading &quot;trust in a hundred &#39;trusted&#39; CAs&quot; for &quot;trust in the owners of the DNS hierarchy above you&quot;, which would be the Russian government in the case of xmpp.ru. Of course you could reasonably argue that there is no entity that can legally subvert both the Russian DNS and a German datacenter.
       
 (DIR) Post #AaySrcWiMRBQp6R3qq by jssfr@zombofant.net
       2023-10-20T15:35:09Z
       
       0 likes, 0 repeats
       
       @ge0rg @mathieui It&#39;s not that simple, is it? At least in this scenario.Here, the MitM was placed on the server side. If I&#39;m not missing something, owning a DNSSEC-protected TLSA record is much more effort than sitting on the path to a single (or in this case, pair of) server(s).You need to ensure that *all* DANE-validating clients (either s2s or c2s connections) are getting a result which makes them believe your forged TLSA records are authentic (or absent).For that, you need to either be on the path between the clients and the DNS servers they use or in front (or inside) of all authoritative servers responsible for the domain, *in addition* to being able to forge DS record responses in the parent zone and *in addition* to whatever hoops they had to jump through in this case already.And this type of attack is much easier to detect, because it&#39;ll be hard for the attacker to distinguish between traffic attempting to detect an attack (your monitoring comparing TLSA records against expected values via public recursors and/or for instance infrastructure like RIPE Atlas) and the target client traffic.Or am I missing a more simple way which is not immediately obvious to anything monitoring your DNS?
       
 (DIR) Post #AaySrdqFTIP2tyaAwC by nicoco@pouet.pas.la
       2023-10-20T21:44:26Z
       
       0 likes, 0 repeats
       
       @jssfr @ge0rg @mathieui Sometimes I wonder if I should try and turn my friends and family (federated though) prosody instance into a server with open registrations, to help decentralization. But since I only understand some of the words in this post, it&#39;s probably more reasonable that my instance stays at the scale it is. ^^
       
 (DIR) Post #AayUhTdAmRgSFIkOS8 by ge0rg@chaos.social
       2023-10-20T22:05:04Z
       
       0 likes, 0 repeats
       
       @nicocoOpening registrations will convert your family server into a spam relay in just a few weeks. @jssfr @mathieui