← Back to context

Comment by _flux

3 years ago

The point is probably the heading of the final chapter "Could you prevent or monitor this kind of attack?" which enumerates the ways how you could detect this attack.

lets say I opened account on hentzner, rented server, they sent me email with password, I SSH-ed to it and connection got wire tapped. What way you think could help me to detect this?

  • Well you could check the SSH server fingerprint that it matches what the SSH client sees. In principle if the SSH connection is MitM'd, they could change the output from the shell so that it would look like it wouldn't be changed. But ultimately they created the keys to begin with, so they can just keep another copy for the purpose of MitM. I doubt they do this nowadays, but they _could_.

    edit: I actually thought this story was about virtual machines, but I noticed it was about physical hosts, so those have a bit more hope; but ultimately you're still trusting devices that are not physically under your control, so they cannot be trusted.

    But let's say that in the case of virtual hosts: basically there is no way to ensure you have non-wiretapped connection to a virtual computer provided by hosting service. They don't even need to MitM it, they can just look at the memory of the virtual machine. The only attempt at trying to do that properly has been AMD's "Secure Encrypted Virtualization" https://www.amd.com/en/developer/sev.html, but I think it was broken by some researchers and I don't know if it could currently provide some means to do this safely. I suspect even in that case it might be challenging to install the initial operating systems so that it won't contain the MitM functionality in itself.

    And even then you would be trusting AMD's implementation of the security layer.

    Frankly that the wiretap was discovered this time is just a learning experience for the provider to do better next time. I doubt there are good reasons why it should be possible to detect it, if implemented competently.

    • > Basically there is no way to ensure you have non-wiretapped connection to a virtual computer provided by hosting service.

      so, I relied on market forces here, I hoped that major provider would protect their brand and do not do or allow to do such things, but looks like it is not the case for hetzner and linode.

      6 replies →