Mutariri weJabber server jabber.ru (xmpp.ru) akacherechedza kurwiswa kwedecrypt user traffic (MITM), kwakaitwa kwemazuva makumi mapfumbamwe kusvika kumwedzi mitanhatu mumatanho evanopa veGerman vanopa Hetzner neLinode, iyo inotambira projekiti server uye yekubatsira VPS. nharaunda. Kurwiswa kwacho kunorongwa nekutungamirazve traffic kune yekufambisa node inotsiva TLS chitupa cheXMPP yekubatanidza yakavharidzirwa uchishandisa iyo STARTTLS yekuwedzera.
Kurwiswa uku kwakacherechedzwa nekuda kwekukanganisa kwevarongi vayo, vasina kuwana nguva yekuvandudza chitupa cheTLS chakashandiswa pakubira. Musi waGumiguru 16, maneja wejabber.ru, paachiedza kubatanidza kune sevhisi, akagamuchira meseji yekukanganisa nekuda kwekupera kwechitupa, asi chitupa chiri paserver hachina kupera. Nekuda kweizvozvo, zvakazoitika kuti chitupa chakagashirwa nemutengi chaive chakasiyana nechitupa chakatumirwa neseva. Chekutanga chitupa cheTLS chemanyepo chakawanikwa muna Kubvumbi 18, 2023 kuburikidza neLet Encrypt sevhisi, umo murwi, achikwanisa kubata traffic, akakwanisa kusimbisa kupinda kune masaiti jabber.ru uye xmpp.ru.
Pakutanga, pakanga paine fungidziro yekuti sevha yeprojekiti yakanga yakanganiswa uye kutsiva kwaiitwa parutivi rwayo. Asi ongororo yacho haina kuburitsa zvibodzwa zvekubira. Panguva imwecheteyo, mugogi pane sevha, kudzima kwenguva pfupi uye kuenderera kweiyo network interface (NIC Link iri Down / NIC Link iri Up) yakaonekwa, iyo yakaitwa muna Chikunguru 18 pa12:58 uye yaigona. ratidza manipulations nekubatanidza kweserver kune switch. Zvakakosha kuti zvitupa zviviri zvemanyepo zveTLS zvakagadzirwa maminetsi mashoma apfuura - muna Chikunguru 18 na12:49 na12:38.
Uye zvakare, kutsiva kwacho kwakaitwa kwete chete munetiweki yeHetzner mupi, iyo inobata iyo huru sevha, asiwo mune network yeLinode mupi, iyo yakabata VPS nharaunda neanobatsira proxies anotungamira traffic kubva kune mamwe maadhiro. Zvisina kunanga, zvakaonekwa kuti traffic kune network port 5222 (XMPP STARTTLS) mumatiweki evaviri vanopa yakadzoserwa kuburikidza nemumwe muenzi, izvo zvakapa chikonzero chekutenda kuti kurwiswa kwacho kwakaitwa nemunhu ane mukana kune vanopa' zvivakwa.
Sezvineiwo, kutsiva kwacho kungadai kwakaitwa kubva muna Kubvumbi 18 (zuva rekugadzirwa kwechitupa chekutanga chenhema chejabber.ru), asi nyaya dzakasimbiswa dzekutsiviwa kwechitupa dzakanyorwa chete kubva munaChikunguru 21 kusvika Gumiguru 19, nguva yese iyi yakavharidzirwa kuchinjana kwedata. with jabber.ru uye xmpp.ru inogona kunzi yakakanganiswa . Kutsiviwa kwakamira mushure mekuferefetwa kwatanga, bvunzo dzakaitwa uye chikumbiro chakatumirwa kune yerutsigiro sevhisi yevanopa Hetzner neLinode muna Gumiguru 18. Panguva imwecheteyo, imwe shanduko kana mapaketi ekufambisa anotumirwa kuchiteshi 5222 yeimwe yemaseva muLinode ichiri kucherechedzwa nhasi, asi chitupa hachichatsiviwa.
Zvinofungidzirwa kuti kurwiswa kwacho kwaigona kunge kwaitwa neruzivo rwevanopa pachikumbiro chemasangano ezvemitemo, semhedzisiro yekubira zvivakwa zvevaviri vanopa, kana nemushandi aikwanisa kuwana vese vanopa. Nekugona kubata nekugadzirisa traffic yeXMPP, munhu anorwisa anogona kuwana ruzivo rwese zvine chekuita neakaundi, senge nhoroondo yekutumira mameseji yakachengetwa paseva, uye anogona kutumira mameseji akamiririra vamwe nekuchinja mameseji evamwe vanhu. Mharidzo dzinotumirwa uchishandisa end-to-end encryption (OMEMO, OTR kana PGP) inogona kunzi haina kukanganisa kana makiyi ekunyorera akasimbiswa nevashandisi pamativi ese ekubatanidza. Vashandisi veJabber.ru vanorayirwa kuti vachinje mapassword avo ekupinda uye vatarise makiyi eOMEMO nePGP mumatura avo ePEP kuti agone kutsiva.
Source: opennet.ru