This is running on localhost (with an /etc/hosts entry), but it's what a MitM attempt would look like.
Of course, if the key was used before it had expired, there would be no warnings...
And someone just mentioned to me that past encrypted sessions may be able to be decrypted, which is a much bigger issue!
OpenVPN keys were leaked as well as the expired *.nordvpn.com TLS cert. I haven't researched enough about OpenVPN to know if it's using forward secrecy, though you'd hope so
For those of you wanting a source:
Apparently it's "been floating around mostly unnoticed", so I don't know where it's originally from.
Here's the cert that matches the private key:
With the cert + key you can verify for yourself
Some useful info (3 tweets):
Apparently other VPN providers were also compromised:
I should probably make it clear that whoever compromised NordVPN had root access to a container server, allowing full control of everything in it (presumably including the ability to view and tamper with all network traffic going through it).
Why was this never detected?
I've also confirmed that that TorGuard was compromised, this TLS certificate for *.torguardvpnaccess.com was leaked: https://crt.sh/?id=241227763 (expired Oct 2018).
There's also an OpenVPN server key.
(Again, someone gained root access on the server)
You can follow @hexdefined.
Tip: mention @threader_app on a Twitter thread with the keyword “compile” to get a link to it.
Enjoy Threader? Sign up.
Threader is an independent project created by only two developers. The site gets 500,000+ visits a month and our iOS Twitter client was featured as an App of the Day by Apple. Running this space is expensive and time consuming. If you find Threader useful, please consider supporting us to make it a sustainable project.