[UPDATE, later on 10/12: the weird cert error for my SSH login to the web server (yes, this one) went away today sometime today. No apparent changes to relevant certs/files on either side since January. Which looks exactly like a discontinued MitM attack. Interesting…no conclusions here; just a mystery. Plus, you know, a need to move my stuff elsewhere just in case.]
I’ve heard back from Rackspace, multiple times. They say they can’t replicate the cert issues with their Java applet. Perhaps that’s a browser misconfiguration issue–though of course I used multiple browsers on two computers.
Treating my SSH login-via-cert troubles as a separate matter, they suggest perhaps my servers have been compromised, or my desktop & laptop have been compromised, as they don’t have a pattern of similar complaints. I say this: that sort of server-side compromise (changing the server’s certificates) would be just plain silly, as it lets me know the server has been modified…the attacker would already need access to be able to pull it off. However, this is exactly how a “Man in the Middle” attack works. And if the desktop and laptop were compromised, booting into a LiveCD (which I’ve done) would not produce the same results unless it were a hardware issue.
So I’m left with two possibilities: (1) Somebody hacked both my servers simultaneously (aiming this at me specifically–one server is in Dallas; the other is in Chicago) via some other means and thought it would be funny/helpful to make it look like a MitM attack for some reason–assuming I noticed it, and the cert error on Rackspace’s side combined with the restored access on the box I actually logged into via their Java applet is mere coincidence, or (2) Rackspace knows exactly what’s going on but won’t tell me. Oh, okay, (3) some super-secret spy types broke into my house and secretly installed hardware into all my computers. Er…I ain’t gonna buy that one, but feel free to have fun with it if you like.
If (2), that could be a corporate decision on their part to use a product like Blue Coat (as used by Iran and Syria…heh), and of course they wouldn’t tell me about it ’cause that’d lead to customers deserting them en masse. Though if they’re using Blue Coat messing with their own cert is kind of silly. OR it could be some sort of semi-competent government-required action that they’re not allowed to disclose to me. There’s been a lot of that in the news lately.
Now…the fact that things happened at the same time does not mean they’re otherwise related. It could be a series of strange exercises in hackery and misconfiguration. Personally I’m going with Occam’s Razor on this one but YMMV.
No matter what…I view my servers on Rackspace as compromised. And I am permanently suspicious of the company & all other servers hosted with them. Since my email goes through one of those, please don’t send me anything sensitive unless you encrypt it. Not that you were going to before, right? {8′>
Have fun out there! {8′>
yanno what also popped into my head reading all this?
Someone’s making you look like a loon.
NOT good.
Heather, unencrypted *grin*
Ha. This strikes you as loony? Strikes me as malfeasance by Rackspace or one of their employees…or the federal gov’t. My personal opinion: somebody at Rackspace installed something he/she shouldn’t have, possibly without understanding its implications…I mentioned it…and it got turned off. That’s the most charitable interpretation, and I think it’s probably about right. But the situation could easily be worse than that.
A friend wrote to tell me the state of Alaska & a corporation he worked for had both tried the same sort of thing on users of their networks (only intercepting/decrypting/logging outbound traffic, rather than inbound–and yes, using Blue Coat). And here’s Bruce Schneier on how the NSA has done this very thing, only vs. Google rather than Rackspace: https://www.schneier.com/blog/archives/2013/09/new_nsa_leak_sh.html
The stuff I pointed out is business-as-usual for a certain crowd of folks. Rackspace itself failed to react with reasonable concern, which leads me to conclude they know all about it. They also failed to explicitly deny knowledge.
There’s a reason people log in to their servers a certain way (using both encryption and certificates to validate both sides): it’s a defense against MitM attacks. Attacks like this happen all the time. What was interesting about this one in particular is that it almost has to be local to Rackspace…’cause if it’s not, that’s worse. If Rackspace admitted to doing this sort of thing on their own initiative they’d probably go out of business pretty quickly. So it’d be fun to know exactly what was going on, but I don’t think I ever will.