Tunisia plants country-wide keystroke logger on Facebook

Malicious code injected into Tunisian versions of Facebook, Gmail, and Yahoo! stole login credentials of users critical of the North African nation's authoritarian government, according to security experts and news reports. The rogue JavaScript, which was individually customized to steal passwords for each site, worked when …

COMMENTS

This topic is closed for new posts.
Silver badge
FAIL

Another day....

....another Facebook scam....

Just sayin'

2
3
RJ

They may be able to generate SSL certs

but, unless there is something special about Tunisian browsers these certs are not in the main browsers default trusted lists so they cannot stealthily spoof the SSL.

Mind you, the fact that any CA can issue SSL certs for any site is pretty much the defining problem of SSL and the Internet (the introduction of "Extended Validation" due to greedy companies cocking up the original goal notwithstanding).

1
0
Anonymous Coward

hmmm

"That gives it the ability to create HTTPS addresses for Facebook or any other website that it wants to impersonate."

Well, only as long as you still have any root certificates on the 'trusted' list...

0
0
Black Helicopters

Not Trusted for Long

So, assume:

* the root cert that Tunisia controls is already on the trusted list and

* Tunisia uses it to sign a cert used to spy on https://facebook.com.

One would hope this would be noticed, probably fairly quickly in view of this story. The signed cert would be solid proof of misuse of the root cert. Bringing this to the attention of Microsoft, Mozilla, Google and Apple would hopefully have them remove the Tunisian root cert from their browser's trusted list. It's a real worry that there are so many dozens of root certs currently on the trusted list. The current facebook.com cert is signed by DigiCert Inc.

0
0
Go

idea

"Facebook Chief Security Officer Joe Sullivan reportedly responded by programming his site to automatically establish an encrypted, HTTPS connection with anyone trying to view the site from inside Tunisia's borders."

Why stop at just the one country?

6
0
Flame

SSL Overhead

They probably don't turn on SSL by default for the whole world due to the additional overhead an SSL session places on the web browser.

An entire planet's worth of overhead would require a not insignificant upgrade or expansion of the server farm to accommodate all the extra load. Not to mention the extra power used by the servers to operate and in cooling, then there is the extra carbon footprint.

3
1
Thumb Up

Can someone please explain to me......

......why companies are reluctant to use HTTPS? I don't understand the mechanics/economics? Is there a cost to it?

Any explanation gratefully received.

Cheers:-)

1
0
Headmaster

Encryption/ decryption

is implemented as a big algorithm doing fun maths. It takes computer time to do it. So yes, there's a cost.

2
0
Anonymous Coward

Bandwidth costs also increased

Encrypted traffic can't be compressed either (no pattern to the data) so there's also additional bandwidth required for HTTPS.

1
0

Quantifying the cost

Yes, there is a cost, but it's not as big as you'd think. Google switched it on for gmail across the board, and it cost them 2% of CPU time.

http://www.imperialviolet.org/2010/06/25/overclocking-ssl.html

2
0
Flame

@David Dawson: Justification

Here:

http://en.wikipedia.org/wiki/Government_Communications_Headquarters

http://en.wikipedia.org/wiki/Nsa

http://en.wikipedia.org/wiki/Bundesnachrichtendienst

http://en.wikipedia.org/wiki/Defence_Signals_Directorate

They all want a convenient way of tracking people. And certainly "doing a Tunisian", when required.

The German Way Of "Tunisian":

http://de.wikipedia.org/wiki/Bundestrojaner

SSL makes this process a bit inconvenient and might compromise their filthy work's effectiveness. The cost of SSL is negligible for a major web company like facebook.

0
0

Surely you aren't saying ...

.. that industry and government are in cahoots?

Crikey, my rose tinted view of the world is done in.

The question was whether SSL has a cost. The answer is yes, in both processor and dev time. It complicates things.

It might not be a lot, but it's there.

0
0
Anonymous Coward

javascript

It's a shame Facebook don't make their site usable without javascript. *

(Since the loggers are the man in the middle, they could have done a similar attack that didn't use JS, but I'm sure it would have taken more resources. )

* other than http://m.facebook.com

1
0
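The injected-script attack in the article and the comment above both hinge on a page being served over plain HTTP, where a man in the middle can add JavaScript the site never shipped. As an added example (not from the article or any commenter), here is the defender-side counterpart in Python: a CSP-style hash allowlist over the inline scripts in a constructed sample page, where any inline script whose SHA-256 is not on the list is flagged as unexpected. The page contents, the allowlist and the `logKeys()` name are all constructed for illustration.

```python
import base64
import hashlib
import re

# Constructed sample HTML: one legitimate inline script the site ships,
# plus one extra inline script that an intermediary has inserted.
HTML_PAGE = """<html><head>
<script>window.loginFormVersion = 3;</script>
</head><body>
<form id="login"><input name="email"><input name="pass" type="password"></form>
<script>/* not part of the site's own scripts */ logKeys();</script>
</body></html>"""

# Inline scripts the site actually deploys (constructed list).
LEGITIMATE_SCRIPTS = ["window.loginFormVersion = 3;"]

SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.IGNORECASE | re.DOTALL)


def csp_hash(source: str) -> str:
    """CSP 'sha256-<base64>' token over the exact script text.

    Browsers hash the script body byte-for-byte (whitespace included),
    so the allowlist must be built from the same exact text.
    """
    digest = hashlib.sha256(source.encode("utf-8")).digest()
    return "sha256-" + base64.b64encode(digest).decode("ascii")


def build_allowlist(scripts: list[str]) -> set[str]:
    """Hash tokens for every inline script the site legitimately serves."""
    return {csp_hash(s) for s in scripts}


def find_unexpected_inline_scripts(html: str, allowlist: set[str]) -> list[str]:
    """Return the bodies of inline scripts whose hash is not on the allowlist.

    A per-site customised injection like the one in the article would show
    up here because its text (and therefore its hash) is unknown to the site.
    """
    return [body for body in SCRIPT_RE.findall(html) if csp_hash(body) not in allowlist]


if __name__ == "__main__":
    allow = build_allowlist(LEGITIMATE_SCRIPTS)
    for body in find_unexpected_inline_scripts(HTML_PAGE, allow):
        print("unexpected inline script:", body.strip())
```

The same check only has teeth when the page and its headers arrive over HTTPS: an intermediary who can rewrite an HTTP response can just as easily strip or loosen a Content-Security-Policy header, which is the point the HTTPS-by-default comments in this thread are making.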

HTTP

If this is HTTP, why do they even need the JS injection? They can just record the POST headers...

I'm assuming, of course, that Fb doesn't do any client-side password hashing, which they may (can't be arsed to check).

0
0
Anonymous Coward

The login submission is encrypted

So it's about the only bit of the site you can't just pull from over the wire

0
0
Anonymous Coward

Login cookie

Presumably once logged in the FB cookie will appear on the wire in the clear periodically, a la Yahoo (and in the past Gmail)?

0
0

overload

@idea: perhaps the increased load for SSH will cripple/slow down things too much?

0
0
Stop

@poohbear: SSH and SSL are different

look it up on the wiki-intertube thing.

0
0
Stop

Umm, chaps...

Given the recent developments over there, might the past tense be more appropriate in the headline etc than the present?

My first thought was "Oh, blimey. What the...? That didn't take 'em long. Hmm. I wonder who..."

0
0

Do we care?

Since we routinely allow extraordinary rendition and torture at the behest of the Yankee overlords there's not much we can say to a bit of hacking now is there?

0
1
Silver badge
Grenade

Facebook Chief Security Officer?

Oxymoron

0
0
Stop

I refuse to ennoble a simple forum post....

he's actually ANTI-security software; his job is to make sure that FB devs don't make anything MORE secure.

0
0
Grenade

So Facebook is evil

The proof is reinforced every single day.

0
1
Big Brother

After all, this is England

It couldn't possibly happen here.

0
0
Silver badge
FAIL

Why bother with passwords?

FB doesn't use security - it abuses it. THE problem IS Facebook.

1
0
Go

Bank-level security

What if Facebook implemented a personal login page for each user over secure connection ... ?

1. You enter your email.

2. They display a custom image that the gov't of Tunisia likely cannot guess, and you enter your password.

Ta da!

cheers,

Xan

0
0
Bronze badge

off topic

I'm aware of the verb 'to oust', but wasn't aware of the noun 'ouster' until now. http://en.wiktionary.org/wiki/ouster

0
0