Syria's man-in-the-middle attack on Facebook

Someone in the Syrian telcoms authority is running a clumsy man-in-the-middle attack against Facebook; activists who try to access the site in Syria using SSL get a message saying that the certificate doesn't match. ~~The forged certificate that the telcoms authority is attempting to insert comes from Digi-Cert High Assurance CA-3~~. I got this wrong -- this is the correct cert; the bogus one is issued by "Facebook Inc". Though the attack is clumsy (it sends up a security warning), many unsophisticated users probably won't understand the warning and could be in danger.

The attack is not extremely sophisticated: the certificate is invalid in user's browsers, and raises a security warning. Unfortunately, because users see these warnings for many operational reasons that are not actual man-in-the-middle attacks, they have often learned to click through them reflexively. In this instance, doing so would allow the attackers access to and control of their Facebook account. The security warning is users' only line of defense.

A Syrian Man-In-The-Middle Attack against Facebook

I write books. My latest is a YA science fiction novel called Homeland (it's the sequel to Little Brother). More books: Rapture of the Nerds (a novel, with Charlie Stross); With a Little Help (short stories); and The Great Big Beautiful Tomorrow (novella and nonfic). I speak all over the place and I tweet and tumble, too.

MORE: activism

More at Boing Boing

Ants and Stars: Bruce Sterling and Jasmina Tesanovic visit the Sardinia Radio Telescope in Italy

The Snowden Principle

Anonymous

I don’t know many supposedly “sophisticated” users that would have correctly deduced which one was valid, and which one was invalid. The fact that the writeup got it confused, illustrates this point.

Fingerprints are great, but no one knows what they should be. Seriously. I ssh into a machine and it throws a warning saying, “This machine has the fingerprint [big-long-hex-string]. Do you trust it?” Everyone says yes. No one confirms. Hell, not many people even know how to confirm this.

I’ve rejected perhaps two certificates in my entire time on the Internet. Both of which were essentially blank. (e.g. “Organization: Some Organization” It litterally said, “Some Organization.” I took a screenshot.)

I don’t know who issues certificates, and I don’t know what a valid certificate looks like from these places. This is a problem if we expect users to know this stuff.
sineWAVE

\
sineWAVE

The *valid* certificate is from Digi-Cert.
Anonymous

Pretty big mistake in this post: The certificate issued by “DigiCert High Assurance CA-3″ is the REAL http://www.facebook.com certificate. You can check for yourself when you connect to http://www.facebook.com.

It’s the s.static.ak.facebook.com certificate that is not signed by a trusted authority.
Anonymous

“Dear US intelligence. You didn’t actually get Bin-Laden. He is actually in Syria under the alias “President Assad”. Please get him asap.”
ocschwar

Yikes. I hope the Facebook admins are paying attention. People will be raped, tortured and killed based on their FB data. It might be best simply to cut Syrian IP addresses off from Facebook access for the moment.
Anonymous

Interestingly, I’ve been getting certificate errors from this site, for the first time in four years. It complains about *.fmpub.net or something similar.

Is he here too?

–GimpWii