4d2.su: 4d2 dot org Proof of Security

What's broken: We've recently seen privacy-oriented services come under attack in several ways, from privacy-compromising efforts like the EU's Chat Control initiative to an extremely concerning Man-in-the-Middle TLS attack where major hosting companies were most likely compelled to cooperate with law enforcement to violate the privacy of jabber.ru users. In the case of that attack against jabber.ru, the two providers involved—Akamai Technologies, Inc. and Hetzner Online GmbH— also host parts of our infrastructure.

In the jabber.ru attack, fake SSL/TLS certificates were successfully generated for jabber.ru services and secretly used to create an intermediate termination point for secure traffic. So, although both users and site admins saw that connections were encrypted, all of that communication was actually being decrypted and funneled to a third party – likely legal authorities, since it's hard to imagine any innocuous reason for this kind of configuration change. This may have continued for as much as three months before it was noticed that the fingerprints of certificates stored on the server and of those presented to users were different.

We won't blather about whether these kinds of government operations are worthwhile to society or necessary to geopolitics – what we know for sure is that they represent an unknown security and privacy risk to many hundreds/thousands of innocent users.

How we're defending ourselves: We already take some precautions against this kind of attack, like DNS CAA records, that jabber.ru didn't, but this site attempts to close the security gaps that still exist. Our strategy is to monitor our own certificates using as many mututally uncooperative parties as possible, making it as difficult as we can for an adversary to launch a MitM attack against us without being noticed. Here's how it works:

1. This site uses a domain name registered in the .su top-level domain, which was originally created for the USSR in 1990. Although no TLD is immune from tampering, .su is a small TLD (~100k domains registered) that receives very little attention compared to .ru, current economic sanctions make these domain names very difficult to register or modify, and the .su TLD's operators are not usually cooperative with non-Russian government agencies.
2. The virtual machine serving this page is hosted with a provider in the Republic of Moldova who is not directly answerable to US, European or Russian authorities.
3. Every few minutes, the servers hosting our public services (email, Matrix, web hosting, etc.) export the SHA256 fingerprint and validity dates of all their TLS certificates. This data comes from the local copies of these certificates on each application server. These fingerprints and validity dates are pushed to this machine via SSH using mutual authentication (i.e., not a vector for a MitM attack itself).
4. Every few minutes, one or more client machines we control makes a TLS client connection to each of our (sub)domain names that supports TLS, and requests the same SHA256 fingerprint and validity date, this time acting as a client preparing to exchange traffic. The results are then sent to this machine using mutual auth as described above.
5. We compare the data received by these two mechanisms. If the certificate fingerprints or validity dates for any name don't match, we assume a MitM attack.

This is not absolute protection from a MitM attack, or anything close. It simply tries to make executing such an attack without being noticed as hard as possible. To avoid tripping the alarm, an attacker would need to compromise servers in multiple jurisdictions well in advance, and would then need to deploy several covert changes in a very small time window. This is well within the known capabilities of state actors, but since we are a privacy-oriented service and not criminals (see TOS), we don't see ourselves as a worthwhile target for that kind of expensive operation.