Syria's man-in-the-middle attack on Facebook


7 Responses to “Syria's man-in-the-middle attack on Facebook”

  1. Anonymous says:

    I don’t know many supposedly “sophisticated” users that would have correctly deduced which one was valid, and which one was invalid. The fact that the writeup got it confused, illustrates this point.

    Fingerprints are great, but no one knows what they should be. Seriously. I ssh into a machine and it throws a warning saying, “This machine has the fingerprint [big-long-hex-string]. Do you trust it?” Everyone says yes. No one confirms. Hell, not many people even know how to confirm this.

    I’ve rejected perhaps two certificates in my entire time on the Internet. Both of which were essentially blank. (e.g. “Organization: Some Organization” It literally said, “Some Organization.” I took a screenshot.)

    I don’t know who issues certificates, and I don’t know what a valid certificate looks like from these places. This is a problem if we expect users to know this stuff.
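    The comment above is about confirming a fingerprint rather than clicking through the warning. The added example below (not part of the original post or its comments) shows the check a client can actually run: compute the SHA-256 and legacy MD5 fingerprints of the received key or certificate bytes, compare them in constant time against a value recorded out of band, and treat "never seen before" and "does not match the pin" as two different outcomes, the way an SSH known_hosts file does. The host name and the key bytes are constructed placeholders, not real values.

```python
import base64
import hashlib
import hmac
from typing import Dict, Optional, Tuple

# Constructed sample bytes standing in for a DER certificate or SSH host key
# as received during a handshake. Not a real key.
SAMPLE_KEY_DER = b"\x30\x82\x01\x0a" + bytes(range(256))


def sha256_fingerprint(der: bytes) -> str:
    """OpenSSH-style fingerprint: 'SHA256:' followed by unpadded base64."""
    digest = hashlib.sha256(der).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


def md5_fingerprint(der: bytes) -> str:
    """Legacy colon-separated hex fingerprint (the 'big-long-hex-string')."""
    return ":".join(f"{b:02x}" for b in hashlib.md5(der).digest())


def fingerprints_match(observed: str, expected: str) -> bool:
    """Case-insensitive, constant-time comparison of two fingerprint strings."""
    return hmac.compare_digest(observed.lower().encode(), expected.lower().encode())


class PinStore:
    """A minimal known_hosts-style store: host -> fingerprint recorded out of band."""

    def __init__(self, pins: Optional[Dict[str, str]] = None) -> None:
        self.pins: Dict[str, str] = dict(pins or {})

    def check(self, host: str, der: bytes) -> Tuple[str, str]:
        """Return (verdict, observed_fingerprint).

        'unknown'  : no pin yet; the caller must confirm the value out of band
                     before record() is called (trust on first use).
        'ok'       : matches the pin.
        'mismatch' : the key changed; refuse to connect and investigate.
        """
        observed = sha256_fingerprint(der)
        expected = self.pins.get(host)
        if expected is None:
            return ("unknown", observed)
        if fingerprints_match(observed, expected):
            return ("ok", observed)
        return ("mismatch", observed)

    def record(self, host: str, der: bytes) -> str:
        """Pin the key for a host after it has been confirmed through another channel."""
        fp = sha256_fingerprint(der)
        self.pins[host] = fp
        return fp


if __name__ == "__main__":
    store = PinStore()
    host = "example.test"  # constructed host name
    print(store.check(host, SAMPLE_KEY_DER))            # ('unknown', 'SHA256:...')
    store.record(host, SAMPLE_KEY_DER)
    print(store.check(host, SAMPLE_KEY_DER))            # ('ok', 'SHA256:...')
    print(store.check(host, SAMPLE_KEY_DER + b"\x00"))  # ('mismatch', 'SHA256:...')
    print(md5_fingerprint(SAMPLE_KEY_DER))
```

The point of separating "unknown" from "mismatch" is that the first prompt is the only moment where the user's answer matters; once the pin is recorded, a later mismatch should be a hard failure, not another yes/no question.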

  2. sineWAVE says:


  3. sineWAVE says:

    The *valid* certificate is from Digi-Cert.

  4. Anonymous says:

    Pretty big mistake in this post: The certificate issued by “DigiCert High Assurance CA-3” is the REAL certificate. You can check for yourself when you connect to

    It’s the certificate that is not signed by a trusted authority.

  5. Anonymous says:

    “Dear US intelligence. You didn’t actually get Bin-Laden. He is actually in Syria under the alias “President Assad”. Please get him asap.”

  6. ocschwar says:

    Yikes. I hope the Facebook admins are paying attention. People will be raped, tortured and killed based on their FB data. It might be best simply to cut Syrian IP addresses off from Facebook access for the moment.

  7. Anonymous says:

    Interestingly, I’ve been getting certificate errors from this site, for the first time in four years. It complains about * or something similar.

    Is he here too?
