
Rackspace hackery update

Just a humorous side note. Nothing to see here!


[UPDATE, later on 10/12: the weird cert error for my SSH login to the web server (yes, this one) went away sometime today. No apparent changes to relevant certs/files on either side since January. Which looks exactly like a discontinued MitM attack. Interesting…no conclusions here; just a mystery. Plus, you know, a need to move my stuff elsewhere just in case.]

I’ve heard back from Rackspace, multiple times. They say they can’t replicate the cert issues with their Java applet. Perhaps that’s a browser misconfiguration issue–though of course I used multiple browsers on two computers.

Treating my SSH login-via-cert troubles as a separate matter, they suggest perhaps my servers have been compromised, or my desktop & laptop have been compromised, as they don’t have a pattern of similar complaints. I say this: that sort of server-side compromise (changing the server’s certificates) would be just plain silly, as it lets me know the server has been modified…the attacker would already need access to be able to pull it off. However, this is exactly how a “Man in the Middle” attack works. And if the desktop and laptop were compromised, booting into a LiveCD (which I’ve done) would not produce the same results unless it were a hardware issue.
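The useful distinction in the paragraph above is between the server's host key (what the post calls the cert) actually having changed on the box and a different key being substituted somewhere on the path. You can separate those cases by comparing three views of the same key: what your client has cached in known_hosts, what it is being offered right now, and what the server itself holds, read out-of-band over the provider's console so the answer does not travel the suspect network path. The script below is an added example, not code from the post; the hostname, the helper names and the demo keys are constructed for illustration, and the fingerprint arithmetic matches what `ssh-keygen -lf` prints for a real key.

```python
import base64
import hashlib
import struct


def _ssh_string(b: bytes) -> bytes:
    """SSH wire-format string: 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(b)) + b


def ssh_pubkey_line(raw_key: bytes, key_type: str = "ssh-ed25519") -> str:
    """Build an OpenSSH public-key line ('<type> <base64 blob>') from a raw key.

    Constructed helper for the example: the blob layout (string type, string key)
    is the one OpenSSH uses for Ed25519 keys, so the fingerprint math below is
    the same as for a real key file.
    """
    blob = _ssh_string(key_type.encode()) + _ssh_string(raw_key)
    return f"{key_type} {base64.b64encode(blob).decode()}"


def fingerprint(line: str) -> str:
    """SHA256 fingerprint in OpenSSH's notation ('SHA256:' + unpadded base64).

    Accepts a plain public-key line, a known_hosts line (leading hostname field,
    optional @marker) or an ssh-keyscan line; in all of them the key blob is the
    field starting with 'AAAA', because every blob begins with a 4-byte length
    whose first three bytes are zero.
    """
    blob_b64 = next(f for f in line.split() if f.startswith("AAAA"))
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def classify(known_hosts_line: str, presented_line: str, console_line: str) -> str:
    """Compare three views of one host key and name the kind of change seen.

    known_hosts_line: what the client cached from earlier sessions.
    presented_line:   what the client is offered now (ssh-keyscan output, or the
                      key shown in the host-key-changed warning).
    console_line:     the server's own public key file, read out-of-band over the
                      provider console, so it never crosses the suspect path.
    """
    cached = fingerprint(known_hosts_line)
    presented = fingerprint(presented_line)
    real = fingerprint(console_line)
    if cached == presented == real:
        return "ok"                   # nothing changed anywhere
    if real == cached and presented != real:
        return "mitm"                 # server unchanged; the key on the wire is not the server's
    if real == presented and cached != real:
        return "server_key_changed"   # the box itself has a new key (rotation or compromise)
    return "inconsistent"             # console and session disagree and neither matches the cache


# --- constructed demo data (hypothetical host, throwaway keys) ---------------
HOST = "web.example.test"
_REAL_KEY = hashlib.sha256(b"constructed demo key A").digest()    # 32 raw bytes
_OTHER_KEY = hashlib.sha256(b"constructed demo key B").digest()   # 32 raw bytes

KNOWN_HOSTS_LINE = f"{HOST} {ssh_pubkey_line(_REAL_KEY)}"
CONSOLE_LINE = ssh_pubkey_line(_REAL_KEY) + " root@web"   # ssh_host_ed25519_key.pub as read on the console
PRESENTED_MITM = f"{HOST} {ssh_pubkey_line(_OTHER_KEY)}"  # what an interceptor would offer
PRESENTED_OK = f"{HOST} {ssh_pubkey_line(_REAL_KEY)}"


def demo() -> dict:
    """The three comparisons that matter for the situation described in the post."""
    return {
        "normal": classify(KNOWN_HOSTS_LINE, PRESENTED_OK, CONSOLE_LINE),
        "intercepted": classify(KNOWN_HOSTS_LINE, PRESENTED_MITM, CONSOLE_LINE),
        "rotated": classify(KNOWN_HOSTS_LINE, PRESENTED_MITM, ssh_pubkey_line(_OTHER_KEY)),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

On a real host the three inputs come from `ssh-keygen -F host -f ~/.ssh/known_hosts` (cached), `ssh-keyscan -t ed25519 host` (presented) and `cat /etc/ssh/ssh_host_ed25519_key.pub` typed into the provider console (real). The caveat the post itself raises still applies: the console reading is only as trustworthy as the box and the console path, so a "mitm" verdict rules out a silent server-side key swap but does not tell you who sits on the wire.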

So I’m left with two possibilities: (1) Somebody hacked both my servers simultaneously (aiming this at me specifically–one server is in Dallas; the other is in Chicago) via some other means and thought it would be funny/helpful to make it look like a MitM attack for some reason–assuming I noticed it, and the cert error on Rackspace’s side combined with the restored access on the box I actually logged into via their Java applet is mere coincidence, or (2) Rackspace knows exactly what’s going on but won’t tell me. Oh, okay, (3) some super-secret spy types broke into my house and secretly installed hardware into all my computers. Er…I ain’t gonna buy that one, but feel free to have fun with it if you like.

If (2), that could be a corporate decision on their part to use a product like Blue Coat (as used by Iran and Syria…heh), and of course they wouldn’t tell me about it ’cause that’d lead to customers deserting them en masse. Though if they’re using Blue Coat messing with their own cert is kind of silly. OR it could be some sort of semi-competent government-required action that they’re not allowed to disclose to me. There’s been a lot of that in the news lately.

Now…the fact that things happened at the same time does not mean they’re otherwise related. It could be a series of strange exercises in hackery and misconfiguration. Personally I’m going with Occam’s Razor on this one but YMMV.

No matter what…I view my servers on Rackspace as compromised. And I am permanently suspicious of the company & all other servers hosted with them. Since my email goes through one of those, please don’t send me anything sensitive unless you encrypt it. Not that you were going to before, right? {8′>

Have fun out there! {8′>

Published in Technobabble
