Tunisia plants country-wide keystroke logger on Facebook
Malicious code injected into Tunisian versions of Facebook, Gmail, and Yahoo! stole login credentials of users critical of the North African nation's authoritarian government, according to security experts and news reports. The rogue JavaScript, which was individually customized to steal passwords for each site, worked when …
Another day....
....another Facebook scam....
Just sayin'
They may be able to generate SSL certs
but, unless there is something special about Tunisian browsers these certs are not in the main browsers default trusted lists so they cannot stealthily spoof the SSL.
Mind you, the fact that any CA can issue SSL certs for any site is pretty much the defining problem of SSL and the Internet (The introduction of "Extended validation" due to greedy companies cocking up the original goal notwithstanding.)
hmmm
"That gives it the ability to create HTTPS addresses for Facebook or any other website that it wants to impersonate."
Well, only as long as you still have any root certificates on the 'trusted' list...
Not Trusted for Long
So, assume:
* the root cert that Tunisia controls is already on the trusted list and
* Tunisia uses it to sign a cert used to spy on https://facebook.com.
One would hope this would be noticed, probably fairly quickly in view of this story. The signed cert would be solid proof of misuse of the root cert. Bringing this to the attention of Microsoft, Mozilla, Google and Apple would hopefully have them remove the Tunisian root cert from their browsers' trusted lists. It's a real worry that there are so many dozens of root certs currently on the trusted list. The current facebook.com cert is signed by DigiCert Inc.
idea
"Facebook Chief Security Officer Joe Sullivan reportedly responded by programming his site to automatically establish an encrypted, HTTPS connection with anyone trying to view the site from inside Tunisia's borders."
Why stop at just the one country?
SSL Overhead
They probably don't turn on SSL by default for the whole world due to the additional overhead an SSL session places on the web browser.
An entire planet's worth of overhead would require a not insignificant upgrade or expansion of the server farm to accommodate all the extra load. Not to mention the extra power used by the servers to operate and in cooling, then there is the extra carbon footprint.
Can someone please explain to me......
......why companies are reluctant to use HTTPS? I don't understand the mechanics/economics? Is there a cost to it?
Any explanation gratefully received.
Cheers:-)
Encryption/ decryption
is implemented as a big algorithm doing fun maths. It takes computer time to do it. So yes, there's a cost.
Bandwidth costs also increased
Encrypted traffic can't be compressed either (no pattern to the data) so there's also additional bandwidth required for HTTPS.
Quantifying the cost
Yes, there is a cost, but it's not as big as you'd think. Google switched it on for gmail across the board, and it cost them 2% of CPU time.
http://www.imperialviolet.org/2010/06/25/overclocking-ssl.html
@David Dawson: Justification
Here:
http://en.wikipedia.org/wiki/Government_Communications_Headquarters
http://en.wikipedia.org/wiki/Nsa
http://en.wikipedia.org/wiki/Bundesnachrichtendienst
http://en.wikipedia.org/wiki/Defence_Signals_Directorate
They all want a convenient way of tracking people. And certainly "doing a Tunisian", when required.
The German Way Of "Tunisian":
http://de.wikipedia.org/wiki/Bundestrojaner
SSL makes this process a bit inconvenient and might compromise their filthy work's effectiveness. The cost of SSL is negligible for a major web company like facebook.
Surely you aren't saying ...
.. that industry and government are in cahoots?
Crikey, my rose tinted view of the world is done in.
The question was whether SSL has a cost. The answer is yes, in both processor and dev time. It complicates things.
It might not be a lot, but it's there.
javascript
It's a shame Facebook don't make their site usable without javascript. *
(Since the loggers are the man in the middle, they could have done a similar attack that didn't use JS, but I'm sure it would have taken more resources.)
* other than http://m.facebook.com
HTTP
If this is HTTP, why do they even need the JS injection? They can just record the POST headers...
I'm assuming, of course, that Fb doesn't do any client-side password hashing, which they may (can't be arsed to check).
The login submission is encrypted
So it's about the only bit of the site you can't just pull from over the wire
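Added example, not part of any comment in this thread: an encrypted login submission does not protect a password form that is itself delivered over plain HTTP, because the page and its scripts can be rewritten in transit. The Python check below flags that condition in a constructed sample page; `audit_login_page`, the finding labels and the `example.test` hostnames are hypothetical names chosen for this illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

class LoginPageScan(HTMLParser):
    def __init__(self):
        super().__init__()
        self.forms = []  # each entry: {"action": str, "has_password": bool}
        self.script_srcs = []
        self._form = None  # form currently open, if any

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._form = {"action": a.get("action") or "", "has_password": False}
            self.forms.append(self._form)
        elif tag == "input" and (a.get("type") or "").lower() == "password":
            if self._form is not None:
                self._form["has_password"] = True
        elif tag == "script" and a.get("src"):
            self.script_srcs.append(a["src"])

    def handle_endtag(self, tag):
        if tag == "form":
            self._form = None

def audit_login_page(page_url, html):
    """Return sorted finding labels (hypothetical names) for a password page."""
    scan = LoginPageScan()
    scan.feed(html)
    login_forms = [f for f in scan.forms if f["has_password"]]
    findings = set()
    for form in login_forms:
        if urlparse(urljoin(page_url, form["action"])).scheme != "https":
            findings.add("password-posted-in-clear")
        if urlparse(page_url).scheme != "https":
            # An HTTPS POST target does not help: the page can be rewritten in transit.
            findings.add("password-form-served-over-http")
    if login_forms and any(
        urlparse(urljoin(page_url, s)).scheme != "https" for s in scan.script_srcs
    ):
        findings.add("script-loaded-over-http")
    return sorted(findings)

# Constructed sample: a login form that posts to an HTTPS endpoint.
SAMPLE = ('<html><body><script src="/static/app.js"></script>'
          '<form action="https://login.example.test/login" method="post">'
          '<input type="text" name="email"><input type="password" name="pass">'
          '</form></body></html>')

if __name__ == "__main__":
    print(audit_login_page("http://www.example.test/", SAMPLE))
```

The same markup fetched from an `https://` URL produces no findings, which is the difference serving the whole login page over HTTPS makes.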
Login cookie
Presumably once logged in the FB cookie will appear on the wire in the clear periodically, a la Yahoo (and in the past Gmail)?
overload
@idea: perhaps the increased load for SSH will cripple/slow down things too much?
@poohbear: SSH and SSL are different
look it up on the wiki-intertube thing.
Umm, chaps...
Given the recent developments over there, might the past tense be more appropriate in the headline etc than the present?
My first thought was "Oh, blimey. What the...? That didn't take 'em long. Hmm. I wonder who..."
Do we care?
Since we routinely allow extraordinary rendition and torture at the behest of the Yankee overlords there's not much we can say to a bit of hacking now is there?
I refuse to ennoble a simple forum post....
he's actually an ANTI security software, his job is to make sure that FB devs don't make anything MORE secure.
So Facebook is evil
The proof is reinforced every single day.
After all, this is England
It couldn't possibly happen here.
Why bother with passwords?
FB doesn't use security - it abuses it. THE problem IS Facebook.
Bank-level security
What if Facebook implemented a personal login page for each user over secure connection ... ?
1. You enter your email.
2. They display a custom image that the gov't of Tunisia likely cannot guess, and you enter your password.
Ta da!
cheers,
Xan
off topic
I'm aware of the verb 'to oust', but wasn't aware of the noun 'ouster' until now. http://en.wiktionary.org/wiki/ouster
