- Feb 24, 2019
Read the full Twitter thread here
So apparently NordVPN was compromised at some point. Their (expired) private keys have been leaked, meaning anyone can just set up a server with those keys...
This is running on localhost (with an /etc/hosts entry), but it's what a MitM attempt would look like. Of course, if the key was used before it had expired, there would be no warnings...
And someone just mentioned to me that past encrypted sessions may be able to be decrypted, which is a much bigger issue!
OpenVPN keys were leaked as well as the expired *.nordvpn.com TLS cert. I haven't researched enough about OpenVPN to know if it's using forward secrecy, though you'd hope so
I should probably make it clear that whoever compromised NordVPN had root access to a container server, allowing full control of everything in it (presumably including the ability to view and tamper with all network traffic going through it). Why was this never detected?