On Tue, Oct 24, 2023 at 11:04:05AM +0200, Alessandro Vesely via mailop wrote:
> On Tue 24/Oct/2023 06:53:37 +0200 Matt Palmer via mailop wrote:
> > On Tue, Oct 24, 2023 at 03:11:06AM +0100, Richard Clayton via mailop wrote:
> > > In message <07d58480-7dde-4d15-a5ca-5bb6c8e10...@mtasv.net>, Matt Palmer
> > > via mailop <mailop@mailop.org> writes
> > >
> > > > The relative "noisiness" of the attack, in fact, is a fairly
> > > > strong signal that it *isn't* lawful intercept; western law
> > > > enforcement agencies are typically very hesitant to do anything
> > > > that could "tip off" the target of their investigation.
> > >
> > > In my, perhaps jaundiced, view the revelation of the attack (an
> > > expired cert) suggests that it was indeed LI ... it's the sort of
> > > thing that goes wrong with ad hoc arrangements.
> >
> > I would contend that p(noisy hackers) >> p(noisy lawful intercept).
> > It's not that the cops don't screw up now and then, but rather that
> > their failures tend to have greater adverse consequences (media,
> > politicians, blown investigations, abrupt career termination, etc), so
> > they're more motivated to not make this sort of mistake.
> >
> > Meanwhile, hackers (and I include most of the non-western nation states
> > here) don't have to worry about PR problems, so forgetting to clean up
> > after themselves is less of a concern. The exception of course is opsec
> > failures that lead to lengthy terms of incarceration, but forgetting to
> > renew a cert isn't *that* kind of mistake.
>
> Is that the way it went? Let's Encrypt certificates get renewed
> automatically, so it's hard to "forget" to do it.
That's not an inherent function of Let's Encrypt, but rather of the ACME
client being used to request certificate issuance.

> In order to get those
> certificates, and to divert traffic toward their proxy, they must have had
> access to a local router or something. When that was fixed, fake
> certificates failed to renew. No?

That is not my understanding of the timeline, based on the original
article. The traffic interception was detected *because* the certificate
expired, which caused investigation that ultimately found evidence of
traffic redirection. In other words, the malicious certificate *could*
have been renewed; however, the attacker failed to do so.

> I'm not clear what the role of an anonymous cipher would have been.

My understanding from the article is that the only role that anonymous
ciphers played was that they were evidence that TLS was not terminating at
the correct location, because the genuine endpoint did not present
anonymous ciphers as an option, while the intercepting endpoint did.

- Matt

_______________________________________________
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop
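The check Matt's last paragraph describes, as an added example that is not part of the thread or of any software discussed in it: a probe that offers a server only anonymous (aNULL) cipher suites and reports whether the handshake completes. A correctly configured endpoint with a certificate refuses such a ClientHello, so a completed anonymous handshake is evidence that something else is terminating TLS. The two loopback servers, the port numbers and the cipher strings are constructed for the demo; the probe speaks direct TLS, so an XMPP port that uses STARTTLS would need the XML stream negotiation first, which this example does not implement.

```python
"""Probe a TLS endpoint for acceptance of anonymous (aNULL) cipher suites.

Added example for the mailop thread above; not code from the thread or from
any project it discusses.  Hosts, ports and cipher strings are constructed
for the demo.
"""
import socket
import ssl
import threading

# Anonymous suites only.  @SECLEVEL=0 is needed because OpenSSL >= 1.1.0
# refuses every aNULL suite at security level 1 or higher.
ANON_CIPHERS = "aNULL:@SECLEVEL=0"


def accepts_anonymous_cipher(host, port, timeout=5.0):
    """Return the negotiated cipher name if HOST:PORT completes a TLS
    handshake when the client offers only anonymous suites, else None.

    A genuine server with a certificate configured and a normal cipher list
    answers such a ClientHello with a handshake failure, so a completed
    anonymous handshake is evidence that something other than the expected
    endpoint is terminating TLS.  Direct TLS only: an XMPP port using
    STARTTLS would need the XML stream negotiation first.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE               # anonymous suites carry no cert
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2  # TLS 1.3 has no aNULL suites
    ctx.set_ciphers(ANON_CIPHERS)
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw) as tls:
                return tls.cipher()[0]
    except (ssl.SSLError, OSError):
        return None


def start_demo_server(cipher_string):
    """Start a one-shot loopback TLS server using CIPHER_STRING and return
    (port, thread).  Constructed for the demo.  No certificate is loaded, so
    only an anonymous suite can ever complete a handshake; with a
    non-anonymous list every handshake fails, which is exactly how a
    correctly configured endpoint looks to the probe."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(cipher_string)
    srv = socket.create_server(("127.0.0.1", 0))
    srv.settimeout(5.0)
    port = srv.getsockname()[1]

    def run():
        try:
            conn, _ = srv.accept()
            conn.settimeout(5.0)
            with conn:
                try:
                    with ctx.wrap_socket(conn, server_side=True) as tls:
                        tls.recv(1)  # wait for the probe to hang up
                except (ssl.SSLError, OSError):
                    pass             # handshake refused or ragged close
        except OSError:
            pass                     # accept() timed out
        finally:
            srv.close()

    thread = threading.Thread(target=run, daemon=True)
    thread.start()
    return port, thread


def demo():
    """Probe an interceptor stand-in (offers aNULL) and a genuine stand-in
    (does not) and return {role: negotiated cipher or None}."""
    results = {}
    for role, ciphers in (("interceptor", ANON_CIPHERS),
                          ("genuine", "DEFAULT:!aNULL")):
        port, thread = start_demo_server(ciphers)
        results[role] = accepts_anonymous_cipher("127.0.0.1", port)
        thread.join(5.0)
    return results


if __name__ == "__main__":
    for role, cipher in demo().items():
        print(f"{role:12s} anonymous handshake: {cipher or 'refused'}")
```

Against a real host, `accepts_anonymous_cipher(host, port)` is the only call needed; a non-None result names the anonymous suite the far end agreed to, which a server holding a certificate would never offer.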