Tunisia plants country-wide keystroke logger on Facebook
Malicious code injected into Tunisian versions of Facebook, Gmail, and Yahoo! stole login credentials of users critical of the North African nation's authoritarian government, according to security experts and news reports. The rogue JavaScript, which was individually customized to steal passwords for each site, worked when …
....another Facebook scam....
Just sayin'
but, unless there is something special about Tunisian browsers these certs are not in the main browsers default trusted lists so they cannot stealthily spoof the SSL.
Mind you, the fact that any CA can issue SSL certs for any site is pretty much the defining problem of SSL and the Internet (The introduction of "Extended validation" due to greedy companies cocking up the original goal non-withstanding.)
"That gives it the ability to create HTTPS addresses for Facebook or any other website that it wants to impersonate."
Well, only as long as you still have any root certificates on the 'trusted' list...
So, assume:
* the root cert that Tunisia controls is already on the trusted list and
* Tunisia uses it to sign a cert used to spy on https://facebook.com.
One would hope this would be noticed, probably fairly quickly in view of this story. The signed cert would be solid proof of misuse of the root cert. Bringing this to the attention of Microsoft, Mozilla, Google and Apple would hopefully have them remove the Tunisian root cert from their browser's trusted list. It's a real worry that there are so many dozens of root certs currently on the trusted list. The current facebook.com cert is signed by DigiCert Inc.
"Facebook Chief Security Officer Joe Sullivan reportedly responded by programming his site to automatically establish an encrypted, HTTPS connection with anyone trying to view the site from inside Tunisia's borders."
Why stop at just the one country?
They probably don't turn on SSL by default for the whole world due to the additional overhead an SSL session places on the web browser.
An entire planet worth of overhead would require a not insignificant upgrade or expansion of the server farm to accomodate all the extra load. Not to mention the extra power used by the servers to operate and in cooling, then there is the extra carbon footprint.
......why companies are reluctant to use HTTPS? I don't understand the mechanics/economics? Is there a cost to it?
Any explanation gratefully received.
Cheers:-)
is implemented as a big algorithm doing fun maths. it takes computer time to do it. So yes, there's a cost.
Encrypted traffic can't be compressed either (no pattern to the data) so there's also additional bandwidth required for HTTPS.
Yes, there is a cost, but it's not as big as you'd think. Google switched it on for gmail across the board, and it cost them 2% of CPU time.
http://www.imperialviolet.org/2010/06/25/overclocking-ssl.html
Here:
http://en.wikipedia.org/wiki/Government_Communications_Headquarters
http://en.wikipedia.org/wiki/Nsa
http://en.wikipedia.org/wiki/Bundesnachrichtendienst
http://en.wikipedia.org/wiki/Defence_Signals_Directorate
They all want a convenient way of tracking people. And certainly "doing a Tunisian", when required.
The German Way Of "Tunisian":
http://de.wikipedia.org/wiki/Bundestrojaner
SSL makes this process a bit inconvenient and might compromise their filthy work's effectiveness. The cost of SSL is negligible for a major web company like facebook.
.. that industry and goverment are in cahoots?
Crikey, my rose tinted view of the world is done in.
The question was whether SSL has a cost. The answer is yes, in both processor and dev time. It complicates things.
It might not be a lot, but its there.
It's a shame Facebook don't make their site usable without javascript. *
(Since the loggers are the man in the middle, they could have done a similar attack that didn't use JS, but I'm sure it would have taken more resources. )
* other than http://m.facebook.com
If this is HTTP, why do they even need the JS injection? They can just record the POST headers...
I'm assuming, of course, that Fb doesn't do any client-side password hashing, which they may (can't be arsed to check).
So it's about the only bit of the site you can't just pull from over the wire
Presumably once logged in the FB cookie will appear on the wire in the clear periodically, a la Yahoo (and in the past Gmail)?
@idea: perhaps the increased load for SSH will cripple/slow down things too much?
look it up on the wiki-intertube thing.
Given the recent developments over there, might the past tense be more appropriate in the headline etc than the present?
My first thought was "Oh, blimey. What the...? That didn't take 'em long. Hmm. I wonder who..."
Since we routinely allow extraordinary rendition and torture at the behest of the Yankee overlords there's not much we can say to a bit of hacking now is there?
he's actually an ANTI security software, his job is to make sure that FB devs don't make anything MORE secure.
The proof is reinforced every single day.
It couldn't possibly happen here.
FB doesn't use security - it abuses it. THE problem IS Facebook.
What if Facebook implemented a personal login page for each user over secure connection ... ?
1. You enter your email.
2. They display a custom image that the gov't of Tunisia likely cannot guess, and you enter your password.
Ta da!
cheers,
Xan
I'm aware of the verb 'to oust', but wasn't aware of the noun 'ouster' until now. http://en.wiktionary.org/wiki/ouster
Sign up, sign up for The Register's weekly IT security newsletter - click here
