Another day....
....another Facebook scam....
Just sayin'
Malicious code injected into Tunisian versions of Facebook, Gmail, and Yahoo! stole login credentials of users critical of the North African nation's authoritarian government, according to security experts and news reports. The rogue JavaScript, which was individually customized to steal passwords for each site, worked when …
But, unless there is something special about Tunisian browsers, these certs are not in the main browsers' default trusted lists, so they cannot stealthily spoof the SSL.
Mind you, the fact that any CA can issue SSL certs for any site is pretty much the defining problem of SSL and the Internet (the introduction of "Extended Validation" due to greedy companies cocking up the original goal notwithstanding).
So, assume:
* the root cert that Tunisia controls is already on the trusted list and
* Tunisia uses it to sign a cert used to spy on https://facebook.com.
One would hope this would be noticed, probably fairly quickly in view of this story. The signed cert would be solid proof of misuse of the root cert. Bringing this to the attention of Microsoft, Mozilla, Google and Apple would hopefully have them remove the Tunisian root cert from their browsers' trusted lists. It's a real worry that there are so many dozens of root certs currently on the trusted list. The current facebook.com cert is signed by DigiCert Inc.
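The two assumptions above can be modelled locally. The script below is an added example, not code from the thread or from any browser vendor: it builds a constructed "rogue" root with the OpenSSL CLI (assumed installed), has it issue a certificate for facebook.com, shows that path validation accepts the cert as soon as that root is treated as a trust anchor, and then shows the check a client could add on top of path validation: an issuer pin, i.e. "this site's cert must come from the CA we expect" (the expected issuer string "DigiCert Inc" is the one named in the comment above; all other names are constructed).

```shell
#!/bin/sh
# Added example (not from the thread): model "a trusted root signs a cert for
# facebook.com" with OpenSSL and detect it with an issuer pin.
# Assumptions: the `openssl` CLI is installed; "DigiCert Inc" is the expected
# issuer taken from the comment above; every other name here is constructed.
set -e

WORK=$(mktemp -d)
CA_KEY="$WORK/rogue-root.key"; CA_CERT="$WORK/rogue-root.pem"
LEAF_KEY="$WORK/leaf.key"; LEAF_CSR="$WORK/leaf.csr"; LEAF_CERT="$WORK/leaf.pem"

# Constructed stand-in for a CA that is (hypothetically) already in the trust store.
make_rogue_root() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
        -subj "/O=Constructed Example Authority/CN=Constructed Rogue Root" \
        -keyout "$CA_KEY" -out "$CA_CERT" >/dev/null 2>&1
}

# That CA issues a certificate for a name it has no business certifying.
issue_leaf_for() {
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=$1" -keyout "$LEAF_KEY" -out "$LEAF_CSR" >/dev/null 2>&1
    openssl x509 -req -in "$LEAF_CSR" -CA "$CA_CERT" -CAkey "$CA_KEY" \
        -CAcreateserial -days 1 -sha256 -out "$LEAF_CERT" >/dev/null 2>&1
}

# Issuer DN of a certificate in RFC 2253 form, e.g. "CN=...,O=...".
issuer_of() {
    openssl x509 -in "$1" -noout -issuer -nameopt RFC2253 | sed 's/^issuer=//'
}

# Path validation as a browser does it, against the given trust-anchor file.
# Returns 0 when the chain validates, non-zero otherwise.
chain_validates() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Issuer pin: the cert for this site must come from the expected CA, no matter
# which roots the trust store contains. Returns 0 on match, 1 on mismatch.
issuer_pin_ok() {
    case "$(issuer_of "$1")" in
        *"$2"*) return 0 ;;
        *)      return 1 ;;
    esac
}

make_rogue_root
issue_leaf_for facebook.com

echo "issuer: $(issuer_of "$LEAF_CERT")"
if chain_validates "$LEAF_CERT" "$CA_CERT"; then
    echo "path validation: OK (the root is trusted, so the spoofed cert passes)"
fi
if issuer_pin_ok "$LEAF_CERT" "DigiCert Inc"; then
    echo "issuer pin: OK"
else
    echo "issuer pin: MISMATCH - a trusted root other than the expected CA signed this cert"
fi
```

Path validation alone answers only "is the signer somewhere in my trust store?"; the pin answers "is the signer the one this site actually uses?", which is the difference between the scenario the comment describes and the cert DigiCert issued. A pin of this kind is what a monitoring client would raise an alert on, and the mismatching cert it captured is the evidence to hand to the browser vendors.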
They probably don't turn on SSL by default for the whole world due to the additional overhead an SSL session places on the web browser.
An entire planet's worth of overhead would require a not insignificant upgrade or expansion of the server farm to accommodate all the extra load. Not to mention the extra power used by the servers to operate and in cooling; then there is the extra carbon footprint.
Here:
http://en.wikipedia.org/wiki/Government_Communications_Headquarters
http://en.wikipedia.org/wiki/Nsa
http://en.wikipedia.org/wiki/Bundesnachrichtendienst
http://en.wikipedia.org/wiki/Defence_Signals_Directorate
They all want a convenient way of tracking people. And certainly "doing a Tunisian", when required.
The German Way Of "Tunisian":
http://de.wikipedia.org/wiki/Bundestrojaner
SSL makes this process a bit inconvenient and might compromise their filthy work's effectiveness. The cost of SSL is negligible for a major web company like facebook.