So apparently NordVPN was compromised at some point. Their (expired) private keys have been leaked, meaning anyone can just set up a server with those keys...

This is running on localhost (with an /etc/hosts entry), but it's what a MitM attempt would look like.
Of course, if the key was used before it had expired, there would be no warnings...

And someone just mentioned to me that past encrypted sessions may be able to be decrypted, which is a much bigger issue!

OpenVPN keys were leaked as well as the expired * TLS cert. I haven't researched enough about OpenVPN to know if it's using forward secrecy, though you'd hope so

For those of you wanting a source:

Apparently it's "been floating around mostly unnoticed", so I don't know where it's originally from.

Here's the cert that matches the private key: 

With the cert + key you can verify for yourself

Some useful info (3 tweets):

Apparently other VPN providers were also compromised:

I should probably make it clear that whoever compromised NordVPN had root access to a container server, allowing full control of everything in it (presumably including the ability to view and tamper with all network traffic going through it).

Why was this never detected?

I've also confirmed that that TorGuard was compromised, this TLS certificate for * was leaked:  (expired Oct 2018).
There's also an OpenVPN server key.
(Again, someone gained root access on the server)

You can follow @hexdefined.


Tip: mention @threader_app on a Twitter thread with the keyword “compile” to get a link to it.

Enjoy Threader? Sign up.

Since you’re here...

... we’re asking visitors like you to make a contribution to support this independent project. In these uncertain times, access to information is vital. Threader gets 1,000,000+ visits a month and our iOS Twitter client was featured as an App of the Day by Apple. Your financial support will help two developers to keep working on this app. Everyone’s contribution, big or small, is so valuable. Support Threader by becoming premium or by donating on PayPal. Thank you.

Follow Threader