Embed Notice

HTML Code

<blockquote style="position: relative; padding-left: 55px;"><section><a href="https://mastodon.technology/users/rysiek/statuses/109160228786528536">rysiek@mastodon.technology's status on Thursday, 13-Oct-2022 18:54:09 JST</a><a href="https://mastodon.technology/@rysiek" title="rysiek@mastodon.technology"><img src="https://gnusocial.jp/avatar/7098-48-20221022133901.webp" width="48" height="48" alt="rysiek" style="position: absolute; left: 0; top: 0;">rysiek</a></section><article><p>Looks like <a href="https://mastodon.technology/tags/Telegram" rel="tag">#Telegram</a> leaks usernames in <a href="https://mastodon.technology/tags/TLS" rel="tag">#TLS</a> SNI:<br><a href="https://nitter.it/fo0_/status/1580146963579740160" rel="nofollow noreferrer">https://nitter.it/fo0_/status/1580146963579740160</a> </p><p>?♀️ </p><p>TLS SNI is sent in *clear text*, because it is a mechanism that informs the server hosting multiple websites on a single IP address which TLS certificate to present to the client.</p><p>Putting username in SNI makes it *trivial* for anyone listening on the wire to track who and when is communicating with Telegram servers. Add some timing analysis and one can reason about who is talking to whom.</p><p>Metadata kills.</p><p><a href="https://mastodon.technology/tags/Infosec" rel="tag">#Infosec</a></p></article><footer><a rel="bookmark" href="https://gnusocial.jp/conversation/255628#notice-452246">In conversation</a><time datetime="2022-10-13T18:54:09+09:00" title="Thursday, 13-Oct-2022 18:54:09 JST">Thursday, 13-Oct-2022 18:54:09 JST</time> <span>from <span><a href="https://mastodon.technology/@rysiek/109160228786528536" rel="external" title="Sent from mastodon.technology via ActivityPub">mastodon.technology</a></span></span><a href="https://mastodon.technology/@rysiek/109160228786528536">permalink</a><h4>Attachments</h4><ol><li><article><header><div>No result found on File_thumbnail lookup.</div><h5><a href="https://nitter.it/fo0_/status/1580146963579740160">https://twitter.com/fo0_/status/1580146963579740160</a></h5><div> from <span>fo0</span></div></header><div></div><footer></footer></article></li></ol></footer></blockquote>

Corresponding Notice

Embed this notice
rysiek@mastodon.technology's status on Thursday, 13-Oct-2022 18:54:09 JST rysiek
Looks like #Telegram leaks usernames in #TLS SNI:
https://nitter.it/fo0_/status/1580146963579740160
?♀️
TLS SNI is sent in *clear text*, because it is a mechanism that informs the server hosting multiple websites on a single IP address which TLS certificate to present to the client.
Putting username in SNI makes it *trivial* for anyone listening on the wire to track who and when is communicating with Telegram servers. Add some timing analysis and one can reason about who is talking to whom.
Metadata kills.
#Infosec
In conversationThursday, 13-Oct-2022 18:54:09 JST from mastodon.technologypermalink
Attachments
1. No result found on File_thumbnail lookup.
  https://twitter.com/fo0_/status/1580146963579740160
  from fo0

Public

Embed Notice

HTML Code

Corresponding Notice