Update: It was pointed out to us that the word ‘wide-spread’ below is misleading since the cumulative exit probability of those nodes was probably below .5%. What we wanted to say instead is that the number of domains affected was large, when a bad exit was involved.

We saw some wide-spread XMPP man-in-the-middle attacks via malicious Tor exit nodes during the last 24h. The attacks were only targeting STARTTLS connections on port 5222. The MITM served forged self-signed certificates for various Jabber domains, one of them being our imsg.ch. The attack was orchestrated between multiple exit nodes acting in sync. All of them served the same set of forged certificates, allegedly created around midnight March 2nd to 3rd, using common names tailored to various XMPP servers.

We tried a small sample of XMPP servers, out of which we recorded the following domains being intercepted:

freifunk.im

jabber.ccc.de

jabber.systemli.org

jappix.org

jodo.im

pad7.de

swissjabber.ch

tigase.me

For a handful of other domains the connection attempts were dropped, and Google XMPP was the only one we found to be unaffected.

The exit nodes involved in this attack were reported to the Tor Project and seem to be dysfunctional by now. The ones we know of are:

Here is the certificate which was presented when you tried to access imsg.ch:

    Certificate:
        Data:
            Version: 1 (0x0)
            Serial Number: 12273528369637281981 (0xaa54550634e8d0bd)
        Signature Algorithm: sha1WithRSAEncryption
            Issuer: CN=imsg.ch
            Validity
                Not Before: Mar  3 12:08:43 2016 GMT
                Not After : Jan 10 12:08:43 2026 GMT
            Subject: CN=imsg.ch
            Subject Public Key Info:
                Public Key Algorithm: rsaEncryption
                    Public-Key: (2048 bit)
                    [...]
    SHA1 Fingerprint=2C:F2:07:E8:19:ED:4E:CA:81:59:6E:3F:D8:59:52:B8:12:22:88:DB
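The fields in this dump are enough for a client-side or monitoring check to reject the certificate. The following is an added example, not part of the original post: it parses text in the layout above (which matches `openssl x509 -text -fingerprint` output) and lists the reasons to distrust it. The function names, the pinned fingerprint (a constructed placeholder) and the `MAX_DAYS` policy value are assumptions.

```python
import re
from datetime import datetime

# Certificate fields as quoted in the post (key material is elided there too).
FORGED_DUMP = """\
Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number: 12273528369637281981 (0xaa54550634e8d0bd)
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: CN=imsg.ch
        Validity
            Not Before: Mar  3 12:08:43 2016 GMT
            Not After : Jan 10 12:08:43 2026 GMT
        Subject: CN=imsg.ch
SHA1 Fingerprint=2C:F2:07:E8:19:ED:4E:CA:81:59:6E:3F:D8:59:52:B8:12:22:88:DB
"""
# Constructed placeholder pin, NOT the real imsg.ch fingerprint.
PINNED_SHA1 = "00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33"
MAX_DAYS = 398  # assumed local policy for acceptable validity, not from the post

def field(dump, label):
    """Value following 'label:' or 'label=' on its own line, or '' if absent."""
    m = re.search(r"^\s*" + re.escape(label) + r"\s*[:=]\s*(.+?)\s*$", dump, re.M)
    return m.group(1) if m else ""

def validity_days(dump):
    """Whole days between Not Before and Not After."""
    fmt = "%b %d %H:%M:%S %Y GMT"
    start = datetime.strptime(field(dump, "Not Before"), fmt)
    end = datetime.strptime(field(dump, "Not After"), fmt)
    return (end - start).days

def audit(dump, pinned_sha1):
    """Return the reasons not to trust the certificate described by `dump`."""
    findings = []
    # The pin is the decisive check: a different key pair gives a different hash.
    if field(dump, "SHA1 Fingerprint").upper() != pinned_sha1.upper():
        findings.append("fingerprint does not match pin")
    if field(dump, "Issuer") == field(dump, "Subject"):
        findings.append("self-signed (issuer equals subject)")
    if field(dump, "Version").startswith("1 "):
        findings.append("X.509 v1, so no extensions such as subjectAltName")
    if field(dump, "Signature Algorithm").lower().startswith("sha1"):
        findings.append("SHA-1 signature")
    if validity_days(dump) > MAX_DAYS:
        findings.append(f"valid for {validity_days(dump)} days")
    return findings

if __name__ == "__main__":
    for reason in audit(FORGED_DUMP, PINNED_SHA1):
        print("REJECT:", reason)
```

Only the pin comparison distinguishes a forged certificate from a legitimate self-signed one; the other findings are supporting signals.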

What was curious is that the MITM SSL endpoint was sending a TLS session ticket. Does anybody have an idea whether that could lead to an additional attack being carried out, or whether it was merely an artifact of their SSL stack? E.g. one explanation we have is that the SSL terminator might have seen all packets originating from the same local Tor daemon IP.

Here’s more log, for your convenience: