Twitter acquired Threader! Learn more

So apparently NordVPN was compromised at some point. Their (expired) private keys have been leaked, meaning anyone can just set up a server with those keys...

This is running on localhost (with an /etc/hosts entry), but it's what a MitM attempt would look like.
Of course, if the key was used before it had expired, there would be no warnings...

And someone just mentioned to me that past encrypted sessions may be able to be decrypted, which is a much bigger issue!

OpenVPN keys were leaked as well as the expired * TLS cert. I haven't researched enough about OpenVPN to know if it's using forward secrecy, though you'd hope so

For those of you wanting a source:

Apparently it's "been floating around mostly unnoticed", so I don't know where it's originally from.

Here's the cert that matches the private key: 

With the cert + key you can verify for yourself

Some useful info (3 tweets):

Apparently other VPN providers were also compromised:

I should probably make it clear that whoever compromised NordVPN had root access to a container server, allowing full control of everything in it (presumably including the ability to view and tamper with all network traffic going through it).

Why was this never detected?

I've also confirmed that that TorGuard was compromised, this TLS certificate for * was leaked:  (expired Oct 2018).
There's also an OpenVPN server key.
(Again, someone gained root access on the server)

You can follow @hexdefined.


Tip: mention @threader on a Twitter thread with the keyword “compile” to get a link to it.

Follow Threader