Security researchers have uncovered a suspected government attempt to secretly wiretap Jabber.ru, the largest Russian XMPP service, hosted in Germany. The attempt was exposed when Jabber.ru’s administrator received a TLS certificate expiry notification, although no expired certificates were found on the server.
Instead, an expired certificate was discovered on a single port used for encrypted Transport Layer Security (TLS) connections, potentially allowing someone to decrypt the exchanged traffic. The wiretap may have lasted up to six months, compromising communications, but it remains unclear if this was a lawful government intercept or a criminal intrusion.
The researchers suggest that the servers weren’t hacked by criminals but were reconfigured to facilitate wiretapping following a government request. They believe hosting providers Hetzner and Linode were forced to set up lawful interception mechanisms. Contacted for comment, neither company nor Germany’s domestic intelligence agency, BfV, had responded to clarify whether the incident was a criminal act or a government-sanctioned intercept.
The administrators of Jabber.ru, founded in 2000, had moved their hosting infrastructure to Germany to mitigate the risk of government surveillance in Russia. Jabber.ru caters to a wide range of users, from technology enthusiasts to cybercriminals.
Many European countries, including Germany, have laws enabling intelligence services and law enforcement to intercept telecommunications messages in bulk, raising concerns about potential abuse. The incident also raises the possibility of an intrusion on the internal networks of Hetzner and Linode specifically targeting Jabber.ru. Regardless of whether this was a government wiretap or criminal intrusion, both hosting providers could face privacy-related backlash from their users.
