Comment by costco

3 years ago

This is almost certainly related to some sort of Russian cybercrime investigation. If you ever read Krebs or peruse some of the seedier Russian forums, xmpp.ru will sound familiar to you, because it is. Not imputing anything to the operator, that's just the nature of operating an anonymous service.

https://ddanchev.blogspot.com/2021/03/exposing-currently-act...

https://ddanchev.blogspot.com/2019/07/profiling-currently-ac...

https://blog.talosintelligence.com/picking-apart-remcos/

https://flashpoint.io/wp-content/uploads/Plea-Agreement-USA-...

Really interesting writeup though. I guess it's a practical example of why everyone should get a CT monitoring service!

Drug gangs widely use XMPP as a secure communication channel in combination with Tor. Hydra (the darknet market) has been taken down by German police in 2022 after trying to extend their "service" to the EU; something similar might or might not have happened here.

Yes, I tend to believe that as well. My guess it's either related to Genesis Market or Qakbot takedowns.

[flagged]

  • This criticism/argument was, in fact, made against domain validation (DV) when it was first introduced by earlier CAs. It's not an unreasonable criticism, but the economics of PKI mean that we would have much, much less encryption and authentication on the web today without DV.

    DV represents a security trade-off, and Let's Encrypt took this and ran with it, with the net effect of much much much much less web traffic interception overall, albeit with known non-Let's-Encrypt-specific vulnerabilities to attackers who can manipulate infrastructure sufficiently.

    As other people in this thread have noted, there are also other mechanisms that can help mitigate those vulnerabilities. Maybe we can come up with more over time!

  • what? nothing to do with Let's Encrypt, if someone gets to large-scale MITM your traffic then they can get anyone to issue a DV cert.

    • So for example, if traffic to Google goes through a Huawei router somewhere, then Huawei can issue a Let's Encrypt certificate for Google, right? And any large national ISP can use MitM to issue fake certificates for any site hosted within that country?

      To me it looks like SSL cert infra is completely compromised and unreliable.

      3 replies →

  • > This shows that Let's Encrypt security is a joke because now any large national ISP can use same MiTM to issue a certificate for any site hosted within a country. The SSL infrastructure is completely compromised.

    the information available right now are too vague to come to a conclusion this bold.

    Instead, I find it something like the following more plausible:

    jabber.ru and xmpp.ru seem to use "exotic" DNS servers (at least as I checked right now).

    https://uk.godaddy.com/whois/results.aspx?itc=dlp_domain_who...

    All it then takes is an exploit there in the DNS server, or a badly set-up ACME DNS-01 there, in order for Let's Encrypt to grant an SSL certificate.

    https://letsencrypt.org/docs/challenge-types/#dns-01-challen...

    The moment you're able to write a (TXT) record for some domain name, you have proven to be eligible for getting an SSL certificate for that domain name.

    • Both you and the grandparent are correct in that both propose viable attacks; it is a known fact (and not news to any expert in the space) that "domain validation" certificates are vulnerable to "global" MitM in which an attacker can intercept all traffic to a domain (and therefore intercept the validation probes). A situation in which a service's hosting company is sitting on their "front door" (so to speak) and MitMing all traffic that goes their way is exactly such a situation (hence my recommended mitigation).

      2 replies →

    • ns2.jabber.ru is hosted at Akado (ordinary Russian ISP) in Moscow, as for ns1.jabber.ru it looks like it is hosted at Linode. So maybe ns1 was compromised as well, as for ns2 I doubt that.

      2 replies →