Fake certificate attack targets Facebook users in Syria

A man-in-the-middle attack is being run against users of the secure version of Facebook in Syria, the Electronic Frontier Foundation (EFF) warns. The semi-professional attack against the HTTPS version of the Facebook site relies on a digital certificate unsigned by any Certificate Authority and probable re-routing of traffic by …

COMMENTS

This topic is closed for new posts.
Silver badge
Flame

Or...

..maybe they could just stop using FakeBook.

0
4
Silver badge

What you didn't say

Was that website operators should refuse ssl connections that contain x-bluecoat header options, because they indicate that your connection has been proxied.

1
0
Stop

Re: What you didn't say

theodore,

Yeah but if you've got the domestic intelligence nous to configure a Blue Coat cluster to do that sort of thing you certainly couldn't manage to then strip the x-bluecoat header off before it hit FB, oh no. Nor would you have the savvy to replicate what the Blue Coat was doing with an open source solution of say Pound and Apache (mod_proxy) clusters I'd guess, that having the benefit of not sending any vendor intrinsic fingerprints, probably being slightly more configurable at a very low level and being "more" scalable per buck than a Beowulf cluster of Blue Coats.

Just to note, I'm not saying Blue Coats aren't scalable, I'm not that familiar with their products but I'd guess even they'd wince at the technical difference between proxying a large company's worth of traffic (usual purpose) and an entire country's worth of FB connections. You'd also hope that they'd at least wince at the moral difference as well but they are a publicly listed business so...

And of course pro-revolutionary bloggers aren't your average Intersnizzle jockeys either, "Yeah, I'll accept this random certificate whilst reporting from whatever repressive régime." is clearly the analogous chlorine in the pool of genetics.

Regards,

Phil

0
0
Silver badge
Black Helicopters

Let's see...

Fake democracy issues fake FB credentials.

At least they are consistent.

0
0
Boffin

"Real" certificates next time

Surprised there isn't a Syrian Internet Network Information Center already registered by default as a CA in my browser. The Chinese are well ahead of the curve here but I think the others will soon catch up.

0
0
Flame

Already happening in our FaceBook

A friend had a bad time on Richard Dawkins Official F.B page. It was made to look like a server data-base glitch; but the result was the same – she could not make her case for Evolution Vs Creationism. It seems sensitive issues are either being monitored or sabotaged.

0
0
Silver badge

title

This was in the US I assume?

0
0
Big Brother

Speaking of Eurovision

Did anyone notice that the Turkish entry in the 'facebOok' dictatorship to democracy saga is to propose (by national law in May 2011) that the internet will become just 4 approved Apps: child, basic, special and unrestricted (available only on special request and has blacked-out holes). This news was seen today on a Greek language website. Presumably wouldn't be viewable next month!

0
0
Coat

Dumb question: How are they doing this?

Newb question! I was wondering if someone could explain how issuing a fake certificate could allow the attackers access to and control of people's Facebook accounts. I thought that the Syrian Telecom Ministry could only get Facebook credentials if they spoofed the actual Facebook log-in page itself.

0
0
Troll

Silly question?

Why don't they just pay Facebook for access to user accounts like everyone else does?

0
0