On 2023-10-22 14:34:39 (+0530), Slavko via mailop wrote:
> While not directly about email, details were recently published
> about a successful MiTM attack against an XMPP server; the attacker
> was able to decrypt TLS communication without being noticed (by
> either side, server or client) and was successful for at least
> three months, see
>
>    https://notes.valdikss.org.ru/jabber.ru-mitm/
>
> In short: the attacker used a valid LE certificate (requested by
> themselves) to intercept traffic. The victims were services hosted on
> Hetzner and Linode, and it seems to have been a German government
> action (not confirmed, but if true, it never will be).

Indeed: not directly related to mailops. But a very instructive example of why monitoring CT logs is a good idea.

> IMO, that attack can succeed against any TLS service (including
> email) and in any place (clouds, own, ...), thus it is worth being
> aware of it, as your service may not be as private as one might
> think.

ACME account/method binding would have made this attack considerably more difficult to execute. (Neither of the two target domains is DNSSEC signed though, so it would still have been possible.)

Note that, as far as email is concerned, plaintext downgrade attacks are much more likely than fraudulent certificates.

Moral of the story: monitor all the things!

Philip

--
Philip Paeps
Senior Reality Engineer
Alternative Enterprises
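A minimal version of the CT-log check recommended above, added here as an example; it is not code from this thread or from the jabber.ru write-up. The records imitate the JSON shape of crt.sh output but are constructed, with placeholder serial numbers and issuers, and the set of known serials is assumed to be what the operator's own ACME client recorded when it obtained certificates. The check also treats a wildcard entry such as `*.example.com` as covering a monitored hostname, which a plain name comparison would miss.

```python
"""Flag Certificate Transparency entries for our names that we did not request.

Constructed example: SAMPLE_CT_JSON imitates crt.sh JSON output
(https://crt.sh/?q=%25.example.com&output=json) but is not real log data.
KNOWN_SERIALS stands in for the serial numbers our own ACME client recorded.
"""
import json
from datetime import datetime

LE_R3 = "C=US, O=Let's Encrypt, CN=R3"  # issuer string as crt.sh renders it

# Constructed sample records; serials and timestamps are placeholders.
SAMPLE_CT_JSON = json.dumps([
    # our own certificate, listed twice: precertificate and leaf share a serial
    {"id": 1001, "issuer_name": LE_R3, "common_name": "xmpp.example.com",
     "name_value": "xmpp.example.com", "not_before": "2023-07-18T07:00:00",
     "not_after": "2023-10-16T07:00:00", "serial_number": "03AA11"},
    {"id": 1002, "issuer_name": LE_R3, "common_name": "xmpp.example.com",
     "name_value": "xmpp.example.com", "not_before": "2023-07-18T07:00:00",
     "not_after": "2023-10-16T07:00:00", "serial_number": "03aa11"},
    # our own multi-SAN certificate
    {"id": 1003, "issuer_name": LE_R3, "common_name": "mail.example.com",
     "name_value": "mail.example.com\nxmpp.example.com",
     "not_before": "2023-07-20T09:30:00", "not_after": "2023-10-18T09:30:00",
     "serial_number": "04bb22"},
    # a certificate for our name that we never requested
    {"id": 1004, "issuer_name": LE_R3, "common_name": "xmpp.example.com",
     "name_value": "xmpp.example.com", "not_before": "2023-07-21T02:13:00",
     "not_after": "2023-10-19T02:13:00", "serial_number": "0ffcafe"},
    # unrelated domain, should be ignored
    {"id": 1005, "issuer_name": LE_R3, "common_name": "www.other.example",
     "name_value": "www.other.example", "not_before": "2023-07-22T11:00:00",
     "not_after": "2023-10-20T11:00:00", "serial_number": "0512aa"},
    # a wildcard that covers our hostnames, also not requested by us
    {"id": 1006, "issuer_name": LE_R3, "common_name": "*.example.com",
     "name_value": "*.example.com", "not_before": "2023-08-02T16:45:00",
     "not_after": "2023-10-31T16:45:00", "serial_number": "06cc33"},
])

KNOWN_SERIALS = {"03aa11", "04bb22"}                  # assumed ACME client inventory
MONITORED_NAMES = {"xmpp.example.com", "mail.example.com"}


def parse_ct_records(raw_json):
    """Normalise crt.sh-style JSON into dicts with lowercase serial and a name set."""
    records = []
    for entry in json.loads(raw_json):
        names = {n.strip().lower() for n in entry["name_value"].split("\n") if n.strip()}
        records.append({
            "id": entry["id"],
            "serial": entry["serial_number"].lower(),
            "issuer": entry["issuer_name"],
            "names": names,
            "not_before": datetime.fromisoformat(entry["not_before"]),
        })
    return records


def dedupe_by_serial(records):
    """crt.sh lists precertificate and leaf separately; one serial is one issuance."""
    by_serial = {}
    for rec in records:
        by_serial.setdefault(rec["serial"], rec)
    return list(by_serial.values())


def name_covers(ct_name, hostname):
    """True if a SAN from the log (possibly a wildcard) applies to hostname."""
    if ct_name.startswith("*."):
        # a wildcard matches exactly one label, so the dot counts must agree
        return hostname.endswith(ct_name[1:]) and hostname.count(".") == ct_name.count(".")
    return ct_name == hostname


def unexpected_issuances(records, known_serials, monitored_names):
    """Return issuances that cover a monitored name but are not in our inventory."""
    known = {s.lower() for s in known_serials}
    monitored = {n.lower() for n in monitored_names}
    hits = []
    for rec in dedupe_by_serial(records):
        if rec["serial"] in known:
            continue
        if any(name_covers(n, h) for n in rec["names"] for h in monitored):
            hits.append(rec)
    return sorted(hits, key=lambda r: r["not_before"])


def format_report(hits):
    """One alert line per unexpected issuance, oldest first."""
    return [
        f"UNEXPECTED serial={h['serial']} issuer={h['issuer']!r} "
        f"not_before={h['not_before'].isoformat()} names={','.join(sorted(h['names']))}"
        for h in hits
    ]


if __name__ == "__main__":
    found = unexpected_issuances(parse_ct_records(SAMPLE_CT_JSON), KNOWN_SERIALS, MONITORED_NAMES)
    for line in format_report(found):
        print(line)
```

In practice the input would be the live crt.sh query (or a CT log monitor's feed) for the zone, run on a schedule, and any line in the report is a certificate somebody other than your ACME client obtained for your name. Keeping the inventory keyed on serial numbers rather than on issuer alone matters: in the incident quoted above the fraudulent certificate came from the same CA the operator used.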
_______________________________________________
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop
