back to article Tunisia plants country-wide keystroke logger on Facebook

Malicious code injected into Tunisian versions of Facebook, Gmail, and Yahoo! stole login credentials of users critical of the North African nation's authoritarian government, according to security experts and news reports. The rogue JavaScript, which was individually customized to steal passwords for each site, worked when …

COMMENTS

This topic is closed for new posts.
  1. Winkypop Silver badge
    FAIL

    Another day....

    ....another Facebook scam....

    Just sayin'

  2. RJ

    They may be able to generate SSL certs

    but, unless there is something special about Tunisian browsers these certs are not in the main browsers default trusted lists so they cannot stealthily spoof the SSL.

    Mind you, the fact that any CA can issue SSL certs for any site is pretty much the defining problem of SSL and the Internet (The introduction of "Extended validation" due to greedy companies cocking up the original goal non-withstanding.)

  3. Anonymous Coward
    Anonymous Coward

    hmmm

    "That gives it the ability to create HTTPS addresses for Facebook or any other website that it wants to impersonate."

    Well, only as long as you still have any root certificates on the 'trusted' list...

    1. James Ashton
      Black Helicopters

      Not Trusted for Long

      So, assume:

      * the root cert that Tunisia controls is already on the trusted list and

      * Tunisia uses it to sign a cert used to spy on https://facebook.com.

      One would hope this would be noticed, probably fairly quickly in view of this story. The signed cert would be solid proof of misuse of the root cert. Bringing this to the attention of Microsoft, Mozilla, Google and Apple would hopefully have them remove the Tunisian root cert from their browser's trusted list. It's a real worry that there are so many dozens of root certs currently on the trusted list. The current facebook.com cert is signed by DigiCert Inc.

  4. borkbork
    Go

    idea

    "Facebook Chief Security Officer Joe Sullivan reportedly responded by programming his site to automatically establish an encrypted, HTTPS connection with anyone trying to view the site from inside Tunisia's borders."

    Why stop at just the one country?

    1. Robert Heffernan
      Flame

      SSL Overhead

      They probably don't turn on SSL by default for the whole world due to the additional overhead an SSL session places on the web browser.

      An entire planet worth of overhead would require a not insignificant upgrade or expansion of the server farm to accomodate all the extra load. Not to mention the extra power used by the servers to operate and in cooling, then there is the extra carbon footprint.

    2. It wasnt me
      Thumb Up

      Can someone please explain to me......

      ......why companies are reluctant to use HTTPS? I don't understand the mechanics/economics? Is there a cost to it?

      Any explanation gratefully received.

      Cheers:-)

      1. David Dawson
        Headmaster

        Encryption/ decryption

        is implemented as a big algorithm doing fun maths. it takes computer time to do it. So yes, there's a cost.

        1. Anomalous Cowherd Silver badge

          Quantifyng the cost

          Yes, there is a cost, but it's not as big as you'd think. Google switched it on for gmail across the board, and it cost them 2% of CPU time.

          http://www.imperialviolet.org/2010/06/25/overclocking-ssl.html

          1. Ubuntu Is a Better Slide Rule
            Flame

            @David Dawson: Justification

            Here:

            http://en.wikipedia.org/wiki/Government_Communications_Headquarters

            http://en.wikipedia.org/wiki/Nsa

            http://en.wikipedia.org/wiki/Bundesnachrichtendienst

            http://en.wikipedia.org/wiki/Defence_Signals_Directorate

            They all want a convenient way of tracking people. And certainly "doing a Tunisian", when required.

            The German Way Of "Tunisian":

            http://de.wikipedia.org/wiki/Bundestrojaner

            SSL makes this process a bit inconvenient and might compromise their filthy work's effectiveness. The cost of SSL is negligible for a major web company like facebook.

            1. David Dawson

              Surely you aren't saying ...

              .. that industry and goverment are in cahoots?

              Crikey, my rose tinted view of the world is done in.

              The question was whether SSL has a cost. The answer is yes, in both processor and dev time. It complicates things.

              It might not be a lot, but its there.

      2. Anonymous Coward
        Anonymous Coward

        Bandwidth costs also increased

        Encrypted traffic can't be compressed either (no pattern to the data) so there's also additional bandwidth required for HTTPS.

  5. Anonymous Coward
    Anonymous Coward

    javascript

    It's a shame Facebook don't make their site usable without javascript. *

    (Since the loggers are the man in the middle, they could have done a similar attack that didn't use JS, but I'm sure it would have taken more resources. )

    * other than http://m.facebook.com

  6. Ian Yates

    HTTP

    If this is HTTP, why do they even need the JS injection? They can just record the POST headers...

    I'm assuming, of course, that Fb doesn't do any client-side password hashing, which they may (can't be arsed to check).

    1. Anonymous Coward
      Anonymous Coward

      The login submission is encrypted

      So it's about the only bit of the site you can't just pull from over the wire

      1. Anonymous Coward
        Anonymous Coward

        Login cookie

        Presumably once logged in the FB cookie will appear on the wire in the clear periodically, a la Yahoo (and in the past Gmail)?

  7. poohbear

    overload

    @idea: perhaps the increased load for SSH will cripple/slow down things too much?

    1. Ubuntu Is a Better Slide Rule
      Stop

      @poohbear: SSH and SSL are different

      look it up on the wiki-intertube thing.

  8. Anonymous Coward
    Stop

    Umm, chaps...

    Given the recent developments over there, might the past tense be more appropriate in the headline etc than the present?

    My first thought was "Oh, blimey. What the...? That didn't take 'em long. Hmm. I wonder who..."

  9. Stephen Gray

    Do we care?

    Since we routinely allow extraordinary rendition and torture at the behest of the Yankee overlords there's not much we can say to a bit of hacking now is there?

  10. Dave Murray
    Grenade

    Facebook Chief Security Officer?

    Oxymoron

    1. IsJustabloke
      Stop

      I refuse to enoble a simple forum post....

      he's actually an ANTI security software, his job is to make sure that FB devs don't make anything MORE secure.

  11. Anonymous Coward
    Grenade

    So Facebook is evil

    The proof is reinforced every single day.

  12. Anonymous Coward
    Big Brother

    After all, this is England

    It couldn't possibly happen here.

  13. JaitcH
    FAIL

    Why bother with passwords?

    FB doesn't use security - it abuses it. THE problem IS Facebook.

  14. xantastic
    Go

    Bank-level security

    What if Facebook implemented a personal login page for each user over secure connection ... ?

    1. You enter your email.

    2. They display a custom image that the gov't of Tunisia likely cannot guess, and you enter your password.

    Ta da!

    cheers,

    Xan

  15. John 62

    off topic

    I'm aware of the verb 'to oust', but wasn't aware of the noun 'ouster' until now. http://en.wiktionary.org/wiki/ouster

This topic is closed for new posts.

Other stories you might like