Mitigating MITMs in XMPP — JMP Blog (blog.jmp.chat)
from mistermodal@lemmy.ml to privacy@lemmy.ml on 02 Nov 07:34
https://lemmy.ml/post/38394952

In October 2023, Jabber.ru, “the largest Russian XMPP messaging service”, discovered that both Hetzner and Linode had been targeting them with Machine-In-The-Middle (MITM) attacks for up to 6 months. MITM attacks are when an unauthorised third party intercepts traffic intended for someone else. At the point of interception, the attacker can inspect and even modify that traffic. TLS was created to mitigate this; all communication between the two parties is encrypted, so the third party sees nothing but gibberish (ciphertext).

TLS is great, but it’s actually not enough when the attacker owns your network, as in Jabber.ru’s situation. Jabber.ru rented servers from Hetzner and Linode, who altered their network’s routing setup to obtain TLS certificates for Jabber.ru’s domains and successfully carry out a MITM. When connecting to an XMPP server, most clients are only configured to look for a valid certificate. A valid certificate matches the service’s domain name, is not expired, and is authorised by a known and trusted Certificate Authority (CA). If the client sees a certificate that’s signed by an unknown CA or whose expiry has passed or the domain in the cert doesn’t match the service domain or any combination of those, it’s considered invalid; the client should terminate the connection before transmitting sensitive data, such as the user’s password.

Because Hetzner and Linode controlled Jabber.ru’s network, they were able to meet all of those conditions. XMPP clients would just accept the rogue (but valid!) certificates and continue along as normal, unaware that they were actually connecting to a rogue server that forwarded their traffic (possibly with modifications) to the proper server.

A fairly straightforward mitigation involves DNS-based Authentication of Named Entities, or DANE. This is just a standard way to securely communicate to clients what certificate keys they should expect when connecting. When clients initiate a connection to the XMPP server, they receive a TLS certificate that includes a public key. If the server admin has implemented DANE, the client can verify that the public key they received matches what the server administrator said they should receive. If they don’t match, the client should terminate the connection before transmitting sensitive data.

[…]

Some posts here indicate people don’t know the basics & are still feverishly explaining why they are so smart that they gave an NED-funded app their phone number like this is somehow defensible. Or worse posting that blog where “Soatok” argues stickers + ease of use trump technical concerns in the end. Please do not let some niche skill monopoly turn you into an egomaniac, if you are even really part of one 🤨

#privacy
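The DANE check described in the quoted excerpt, as an added example (not code from the JMP blog post or from any XMPP client): the client compares the certificate it was handed against TLSA records, the DNS record type DANE uses, and fails closed on a mismatch. It assumes the records were already fetched with DNSSEC validation; the function names are hypothetical and the certificate bytes are a constructed skeleton, not a real certificate.

```python
import hashlib
import hmac

_DIGESTS = {0: bytes,  # TLSA matching type: 0 = exact bytes, 1 = SHA-256, 2 = SHA-512
            1: lambda b: hashlib.sha256(b).digest(),
            2: lambda b: hashlib.sha512(b).digest()}

def _tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, pos, pos + length

def spki_from_cert(cert_der):
    """Slice subjectPublicKeyInfo (header included) out of a DER X.509 certificate."""
    _, pos, _ = _tlv(cert_der, 0)          # Certificate ::= SEQUENCE
    _, pos, _ = _tlv(cert_der, pos)        # tbsCertificate ::= SEQUENCE
    tag, _, end = _tlv(cert_der, pos)
    if tag == 0xA0:                        # optional [0] version field
        pos = end
    for _field in range(5):                # serial, sigalg, issuer, validity, subject
        _, _, pos = _tlv(cert_der, pos)
    _, _, end = _tlv(cert_der, pos)
    return cert_der[pos:end]

def tlsa_matches(rdata, cert_der):
    """Check one TLSA record ('usage selector mtype hex') against the server's certificate."""
    usage, selector, mtype, hexdata = rdata.split(None, 3)
    usage, selector, mtype = int(usage), int(selector), int(mtype)
    if usage != 3 or selector not in (0, 1) or mtype not in _DIGESTS:
        return False                       # only DANE-EE (usage 3) pins are handled here
    subject = cert_der if selector == 0 else spki_from_cert(cert_der)
    return hmac.compare_digest(_DIGESTS[mtype](subject), bytes.fromhex(hexdata))

def dane_allows(records, cert_der):
    """Fail closed: continue the connection only if a published record matches."""
    return any(tlsa_matches(r, cert_der) for r in records)

def constructed_cert(key_byte):
    """Constructed certificate skeleton whose 'public key' is a single byte."""
    return bytes.fromhex("301d3016a003020102020101" + "3000" * 4
                         + f"3004030200{key_byte:02x}" + "3000030100")

if __name__ == "__main__":
    real, rogue = constructed_cert(0xAA), constructed_cert(0xBB)
    pin = ["3 1 1 " + hashlib.sha256(spki_from_cert(real)).hexdigest()]
    print("real:", dane_allows(pin, real), "rogue:", dane_allows(pin, rogue))
```

The rogue skeleton differs from the real one only in its key, which is the situation in the excerpt: a certificate that passes ordinary CA validation but does not match the key the administrator published.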


QuazarOmega@lemy.lol on 02 Nov 20:05

What is your comment on the article talking about? I’m out of the loop

mistermodal@lemmy.ml on 03 Nov 05:04

Oh god you don’t want to know, it was this dude arguing abt stuff solely from the perspective of people who go to furry conventions (I’m not being glib this is seriously what he used to reason abt which messenger is best), trying to get furries to stop using Telegram and switch to Signal. I can’t believe people take that guy seriously. I saw him get on an alt pretending to be his furry wife to go “grrrr back off” at people in Github threads who tried to point out issues with Signal or problems with his arguments against using XMPP.

My overarching issue is that Delta Chat and XMPP are the only ones using proper fucking W3C standards like Lemmy but people want to go mucking about with stuff dependent on US fed funding. Why do we only get offended at Firefox taking shady NGO funding? They’re all that bad and switching to the EU won’t fix anything

gtr@programming.dev on 03 Nov 00:40

The only real solution is to use E2EE, which there are plenty of options for with XMPP.

mistermodal@lemmy.ml on 03 Nov 04:57

Yes I thought it was interesting that I got browbeaten by stuck-up IT guys both on here and Xiaohongshu about not using Windows as a server and insisting TLS encryption is fine (when in modern scenarios it’s like locking your car door but leaving your windows open lol)

I guess even in posting heaven there is strife. Good. Love me strife