On Sun, Oct 22, 2023 at 12:48:26PM +0300, Mary via mailop wrote:
> from what I understand, this is a government issued wiretapping against
> that specific services/servers (hosted by Hetzner and Linode in Germany?)
> and not a general TLS exploit.

On what evidence do you base that understanding?  The cited article says "we
believe this is lawful interception" and "we tend to assume this is lawful
interception", but I can't see any supporting evidence of this in the
article, either.

Government-mandated wiretapping is certainly plausible, but it's only one
amongst several possible explanations.  Given the association of the
operating domains with a country currently at war with its neighbour, it's
not implausible to imagine some "hacktivists" getting down-and-dirty for the
lulz.

The relative "noisiness" of the attack, in fact, is a fairly strong signal
that it *isn't* lawful intercept; western law enforcement agencies are
typically very hesitant to do anything that could "tip off" the target of
their investigation.  Dropping a bunch of faked certs into CT logs is
*hella* noisy, and letting the certs expire without removing the traffic
interception is basically guaranteed to expose the operation.  It'd be a lot
quieter to clone the systems (the Linode VMs would be trivial, at least) and
extract the private key material from them, and reuse the existing certs,
for example.

- Matt

_______________________________________________
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop
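The point above about fake certificates landing in CT logs being noisy is, from the defender's side, exactly why CT monitoring works: an issuance for your domain that you did not request is visible to you as well as to the attacker. The following is an added example, not code from this thread or from any operator or project mentioned in it. It runs over constructed CT-style entries and a constructed inventory of the operator's own issuances (every domain, issuer name, serial and fingerprint below is invented), flags issuances that are not in the inventory, and separately checks whether the certificate a host is actually serving matches the inventory and is still within its validity period, the second signal the message describes.

```python
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class CtEntry:
    """One precertificate/certificate as a CT log or crt.sh-style search would report it."""
    issuer: str
    serial: str          # hex serial number as logged
    names: tuple         # subject alternative names
    not_before: datetime
    not_after: datetime


def ts(s: str) -> datetime:
    """Parse a constructed ISO date as UTC."""
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)


# Constructed inventory: the (issuer, serial) pairs the operator itself requested.
KNOWN_ISSUANCES = {
    ("Constructed CA R1", "04A1"),
    ("Constructed CA R1", "04A2"),
}

# Constructed fingerprints (SHA-256 of the DER) of the operator's own certificates.
KNOWN_FINGERPRINTS = {"aa" * 32, "ab" * 32}

# Constructed CT search results for the operator's domain.
CT_ENTRIES = [
    CtEntry("Constructed CA R1", "04A1", ("mail.example.net",),
            ts("2023-07-01"), ts("2023-09-29")),
    CtEntry("Constructed CA R1", "04A2", ("mail.example.net", "xmpp.example.net"),
            ts("2023-09-20"), ts("2023-12-19")),
    # Issued for the operator's hostname, but absent from the inventory: the noisy signal.
    CtEntry("Constructed CA R1", "0BEEF", ("xmpp.example.net",),
            ts("2023-07-18"), ts("2023-10-16")),
    # Unrelated domain that a broad search might also return.
    CtEntry("Constructed CA R1", "0C0DE", ("other.example.org",),
            ts("2023-08-01"), ts("2023-10-30")),
]


def name_under_domain(name: str, domain: str) -> bool:
    """True if a SAN (including a wildcard) falls under the monitored domain."""
    n = name.lower()
    if n.startswith("*."):
        n = n[2:]
    return n == domain or n.endswith("." + domain)


def unexpected_issuances(entries, known, domain: str):
    """Return CT entries covering `domain` whose (issuer, serial) is not in the inventory."""
    return [
        e for e in entries
        if any(name_under_domain(n, domain) for n in e.names)
        and (e.issuer, e.serial) not in known
    ]


def served_cert_status(fingerprint: str, not_after: datetime,
                       now: datetime, expected_fingerprints) -> str:
    """Classify the certificate a host actually presents.

    'unexpected-cert': not one of ours (interception or mis-issuance in place)
    'expired':         ours, but the host is still serving it past not_after
    'ok':              ours and currently valid
    """
    if fingerprint not in expected_fingerprints:
        return "unexpected-cert"
    if now > not_after:
        return "expired"
    return "ok"


if __name__ == "__main__":
    for e in unexpected_issuances(CT_ENTRIES, KNOWN_ISSUANCES, "example.net"):
        print(f"unexpected issuance: serial={e.serial} names={e.names} "
              f"valid {e.not_before.date()}..{e.not_after.date()}")
    # Constructed observation of what a host served on a given day.
    print(served_cert_status("bb" * 32, ts("2023-10-16"), ts("2023-10-18"),
                             KNOWN_FINGERPRINTS))
```

In practice the entries would come from a CT log monitor or a periodic search against a log aggregator, and the served fingerprint from a TLS connection to each host; the comparison logic stays the same, and the two checks catch the two failure modes the message points at: a certificate you never requested, and a certificate still being presented after it should have expired.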
