Category: News

  • What we’re doing in response to the jabber.ru MITM attack

    As you may have heard, jabber.ru, a popular XMPP service, discovered a sophisticated MITM attack against their service that may have lasted for up to 6 months. They published a great blog post going over all the details of the attack and measures to prevent this sort of attack from happening on other services.

    From reading the post, it was apparent that the same attack could also happen on XMPP.is, and potentially other Unredacted services. We’ve confirmed in multiple ways that this attack is not currently happening on XMPP.is infrastructure. However, it’s important for us to take precautions and be alerted to this sort of attack if it were to happen in the future.

    What we’ve done

    • We have utilized CertWatch, a service by xmpp.net, to alert us if there is an ongoing MITM attack against our XMPP service. At the time of this post, there is no ongoing MITM attack according to their service.
    [Screenshot: what it looks like if no MITM is active when manually checking CertWatch]
    • To subscribe to CertWatch alerts for XMPP.is, you can open either link in your XMPP client:
    • We have verified that our XMPP.is certificate fingerprint transparency automation is working as intended.
      • If you wish to manually check that the certificate presented to your XMPP client is valid, we have a script that has been running for many years that outputs the fingerprints from newly issued certificates. The output can be found here and is automatically updated.
    [Screenshot: the current fingerprints as of this blog post]
    • We have signed up for Cloudflare’s Certificate Transparency Monitoring on all important domains, so that admins can be notified when new certificates get issued for Unredacted services. This gives us two sources from which we could be notified of a potential MITM attack.
    • We have double checked and ensured that we utilize CAA records across all domains.
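
The manual check described in the fingerprint bullet above, as an added example (not Unredacted's script): it connects to an XMPP server, negotiates STARTTLS, and compares the SHA-256 fingerprint of the presented certificate with a published list. The function names and the published-list format (hex SHA-256 fingerprints, optional colons) are assumptions.

```python
import hashlib
import re
import socket
import ssl

STREAM_OPEN = ("<?xml version='1.0'?><stream:stream to='{domain}' version='1.0' "
               "xmlns='jabber:client' xmlns:stream='http://etherx.jabber.org/streams'>")
STARTTLS = b"<starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'/>"

def _read_until(sock, pattern):
    """Read from the plaintext stream until the regex pattern appears."""
    buf = b""
    while not re.search(pattern, buf):
        chunk = sock.recv(4096)
        if not chunk:
            raise ConnectionError("stream closed during STARTTLS negotiation")
        buf += chunk

def fetch_xmpp_cert(domain, host=None, port=5222, timeout=10):
    """Return the DER certificate presented after XMPP STARTTLS (RFC 6120)."""
    # host defaults to the domain; pass the SRV target if the service uses one.
    with socket.create_connection((host or domain, port), timeout=timeout) as sock:
        sock.sendall(STREAM_OPEN.format(domain=domain).encode())
        _read_until(sock, rb"</stream:features>")
        sock.sendall(STARTTLS)
        _read_until(sock, rb"<proceed[^>]*>")
        # CA validation still runs here, but a mis-issued certificate from a
        # trusted CA passes it; the fingerprint comparison is what flags it.
        ctx = ssl.create_default_context()
        with ctx.wrap_socket(sock, server_hostname=domain) as tls:
            return tls.getpeercert(binary_form=True)

def sha256_fingerprint(der):
    """Lower-case hex SHA-256 of the DER-encoded certificate."""
    return hashlib.sha256(der).hexdigest()

def published_fingerprints(text):
    """Extract SHA-256 fingerprints (64 hex digits, optional colons) from text."""
    found = re.findall(r"\b(?:[0-9A-Fa-f]{2}:?){31}[0-9A-Fa-f]{2}\b", text)
    return {fp.replace(":", "").lower() for fp in found}

def cert_is_published(der, published_text):
    """True if the certificate's fingerprint is in the published list."""
    return sha256_fingerprint(der) in published_fingerprints(published_text)
```

Call `fetch_xmpp_cert()` with your server's domain and pass the result to `cert_is_published()` together with the text of the published fingerprint list.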

    What we will explore

    • We are considering automating the monitoring of default gateway MAC address changes across our dedicated hardware infrastructure. We already ingest metrics via Prometheus node_exporter that allow us to track this historically.
    • We are planning on setting up Cert Spotter, and monitoring all important domains so that we can be notified of certificate changes when they happen.
    • We plan to ensure that all existing XEPs that are mentioned in this blog post (which are supported by Prosody) get implemented on XMPP.is. This will help support channel binding and address other existing SASL issues.
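
One way the gateway MAC check considered above could work on a Linux host, as an added example rather than Unredacted's tooling: it reads the default gateway from /proc/net/route, looks up its MAC in /proc/net/arp, and compares it with a recorded baseline. The sample tables, addresses and baseline are constructed, and the parser assumes a little-endian host.

```python
import socket
import struct

RTF_UP, RTF_GATEWAY = 0x1, 0x2  # route flags from <linux/route.h>
ATF_COM = 0x2                   # ARP flag: entry is resolved

# Constructed sample data in the /proc/net/route and /proc/net/arp layouts.
SAMPLE_ROUTE = (
    "Iface\tDestination\tGateway\tFlags\tRefCnt\tUse\tMetric\tMask\tMTU\tWindow\tIRTT\n"
    "eth0\t00000000\t010200C0\t0003\t0\t0\t100\t00000000\t0\t0\t0\n"
    "eth0\t000200C0\t00000000\t0001\t0\t0\t100\t00FFFFFF\t0\t0\t0\n"
)
SAMPLE_ARP = (
    "IP address       HW type     Flags       HW address            Mask     Device\n"
    "192.0.2.1        0x1         0x2         02:00:5e:10:00:01     *        eth0\n"
    "192.0.2.77       0x1         0x0         00:00:00:00:00:00     *        eth0\n"
)

def default_gateways(route_text):
    """Return {iface: gateway_ip} for IPv4 default routes that are up."""
    gateways = {}
    for fields in (line.split() for line in route_text.splitlines()[1:]):
        if len(fields) < 8 or fields[1] != "00000000" or fields[7] != "00000000":
            continue  # malformed line or not a default route
        flags = int(fields[3], 16)
        if flags & RTF_UP and flags & RTF_GATEWAY:
            # Addresses are hex in host byte order; "<I" assumes little-endian.
            raw = struct.pack("<I", int(fields[2], 16))
            gateways.setdefault(fields[0], socket.inet_ntoa(raw))
    return gateways

def arp_table(arp_text):
    """Return {(ip, iface): mac} for resolved ARP entries only."""
    table = {}
    for fields in (line.split() for line in arp_text.splitlines()[1:]):
        if len(fields) == 6 and int(fields[2], 16) & ATF_COM:
            table[(fields[0], fields[5])] = fields[3].lower()
    return table

def gateway_mac_alerts(route_text, arp_text, baseline):
    """Compare each default gateway's MAC with baseline {iface: mac}."""
    arp, alerts = arp_table(arp_text), []
    for iface, gw in default_gateways(route_text).items():
        mac = arp.get((gw, iface))
        if mac is None:
            alerts.append(f"{iface}: gateway {gw} has no resolved ARP entry")
        elif mac != (baseline.get(iface) or "").lower():
            alerts.append(f"{iface}: gateway {gw} is at {mac}, baseline {baseline.get(iface)}")
    return alerts
```

On a real host, pass the contents of /proc/net/route and /proc/net/arp instead of the samples.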

    Our final thoughts

    It is concerning that any attack like this can go unnoticed, and it’s unfortunately something that’s easy to miss. People think of valid certificates as automatically trustworthy. However, in cases where someone has access to your physical infrastructure, a lot of things are possible, including what happened with jabber.ru (issuing Let’s Encrypt certificates from their DNS A/AAAA record IP). It’s also equally worrying that there are many certificate authority failures. When they are the root of trust and they are not trustworthy, it creates the potential for many problems with TLS on the internet.

  • Crypto World is now Unredacted!

    Crypto World was an organization founded in 2015 by a group of friends to advocate for privacy, cryptography and security on the internet. We had a great community and forum, although we had decided to shut down the forum due to life events. The community unfortunately died off as well. It held several projects under its name, such as XMPP.is, a free and open XMPP/Jabber server. While there have been many changes, and people have come and gone, it’s an ever-evolving creature.

    The creature still lives, and we’re breathing new life into it. That creature is now Unredacted, evolved into its new form. Unredacted is a special project that picks up from where Crypto World left off and continues its legacy in advocacy.

    We’re excited about our new name, and excited for what the future could bring. These past few years have been tough, and I think everyone can agree. It has put stress on all of us and bogged us down. Regardless, we push forward and continue working on our weaknesses and striving for our goals.

    Welcome to Unredacted!

    Zach

  • Unredacted, a new Tor relay operator

    Unredacted is a new and special project. We’re focused on operating resilient, automated and security-focused infrastructure. We’re dedicated to giving back to the community through open source and privacy-focused projects. We’ve run projects such as XMPP.is, a free and open XMPP/Jabber server, and other projects under the Crypto World label for quite some time.

    We’ve maintained and operated Tor relays in the past, but never under our own network. As an ARIN member that recently expanded its IP space, we registered an ASN, AS399532. Putting it to good use, we established a BGP session with BuyVM, which provides our bandwidth and connectivity. We love stability, so inbound traffic to our network is DDoS protected by Path.

    We have 3 locations in which we operate Tor relays:

    • Las Vegas, NV
    • New York, NY
    • Roost, LU

    All of which can be seen on our status page.

    As a start, we currently run 6 Tor exit relays and plan to add more: metrics.torproject.org

    • Our relays are named after whistleblowers, activists and people who uphold the values that we hold dear to our hearts.
    • For the configuration management of these Tor relays, we use Ansible, which makes it extremely flexible and easy to maintain a consistent configuration across all of our relays.
    • Along with a collection of our own custom Ansible roles and playbooks, we use a fantastic role called ansible-relayor which allows for easy config management and offline keys for our relays.
    • For monitoring we use UptimeRobot, Prometheus and AlertManager, all of which give us different levels of metrics and insight into performance and network latency.

    We hope that you enjoy our project! We’re proud to provide netizens of the world with stable and fast access to and from the Tor network through our relays.

    Til next time 🙂

    Zach
