[liberationtech] Did Syria replace Facebook's security certificate with a forged one?

Rebecca MacKinnon rebecca.mackinnon at gmail.com
Thu May 5 15:45:59 PDT 2011


https://www.eff.org/deeplinks/2011/05/syrian-man-middle-against-facebook
A Syrian Man-In-The-Middle Attack against Facebook
Technical Analysis by Peter Eckersley
Yesterday we learned of reports that the Syrian Telecom Ministry had launched a man-in-the-middle attack against the HTTPS version of the Facebook site. The attack is ongoing and has been seen by users of multiple Syrian ISPs. We cannot confirm the identity of the perpetrators.

The attack is not extremely sophisticated: the certificate is invalid in users' browsers, and raises a security warning. Unfortunately, because users see these warnings for many operational reasons that are not actual man-in-the-middle attacks, they have often learned to click through them reflexively. In this instance, doing so would allow the attackers access to and control of their Facebook account. The security warning is users' only line of defense.

EFF is very interested in collecting TLS/SSL certificates. Our SSL Observatory project has collected millions of them by scanning the public Internet. Thanks to the assistance of a Syrian citizen named Mohammad, we can also provide a copy of the fake Syrian Facebook certificate. Interested readers can find a copy in human readable and PEM encoded form. [1]

This is very much an amateur attempt at attacking Facebook's HTTPS site. The certificate was not signed by a Certificate Authority that was trusted by users' web browsers. Unfortunately, Certificate Authorities are under the direct or indirect control of numerous governments, and many governments therefore have the capability to perform versions of this attack that do not raise any errors or warnings.

[1] Mohammad's machine resolved the s.static.ak.facebook.com domain to 195.59.150.24, and the www.facebook.com domain to 66.220.153.11. These addresses appear legitimate to us, so the attack was probably implemented with routers or proxies rather than DNS tampering.
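As an added example (not part of the EFF analysis or this thread), this Go program builds a throwaway in-memory PKI and runs the two checks a defender cares about here: the browser-style chain validation that flagged the Syrian certificate because no trusted CA had signed it, and an out-of-band key pin that would also catch the warning-free variant the article attributes to government-controlled CAs. The root name constructed-root.example, all keys and the pinned value are constructed; www.facebook.com is the hostname from the article.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue builds a constructed test certificate for host, signed by parent or self-signed when parent is nil.
func issue(host string, isCA bool, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: host}, DNSNames: []string{host},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour), IsCA: isCA, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	if parent == nil { // self-signed: the certificate vouches for itself, as the Syrian one did
		parent, parentKey = tmpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey) // constructed inputs, cannot fail
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// check mirrors the browser (chain to a trusted root, hostname match), then compares the key to an out-of-band pin.
func check(leaf *x509.Certificate, roots *x509.CertPool, host string, pinned *x509.Certificate) error {
	if _, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: roots}); err != nil {
		return fmt.Errorf("browser warning: %w", err) // the Syrian case: not issued by any trusted CA
	}
	if !bytes.Equal(leaf.RawSubjectPublicKeyInfo, pinned.RawSubjectPublicKeyInfo) { // pinning normally stores a hash of this
		return fmt.Errorf("pin mismatch: trusted chain, but not the key expected for %s", host)
	}
	return nil
}

// scenario returns verdicts for the genuine cert, a self-signed forgery (the Syrian case) and a trusted-CA forgery.
func scenario(host string) (genuine, selfSignedFake, trustedCAFake error) {
	ca, caKey := issue("constructed-root.example", true, nil, nil) // stands in for a browser's root store
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	site, _ := issue(host, false, ca, caKey) // the key we recorded earlier over an untampered connection
	fake1, _ := issue(host, false, nil, nil)  // right name, untrusted issuer: warns, as in Syria
	fake2, _ := issue(host, false, ca, caKey) // right name, trusted issuer, wrong key: only the pin catches it
	return check(site, roots, host, site), check(fake1, roots, host, site), check(fake2, roots, host, site)
}
```

Only the third case is silent in a stock browser, which is why the article's point about CA control matters more than the clumsy forgery itself.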



On May 5, 2011, at 3:11 PM, Jillian York wrote:

> I think perhaps the person misunderstood - it's the Syrian gov't (via its gov't-controlled ISP) faking the certs.  It is NOT Facebook doing the cert-faking.
> 
> On Thu, May 5, 2011 at 12:03 PM, <liberationtech at lewman.us> wrote:
> On Thu, May 05, 2011 at 08:45:05PM +0200, canconsulting at web.de wrote 5.4K bytes in 72 lines about:
> : Seriously: Can you name at least one advantage of the alleged
> : certificate faking for Syrian internet users?
> 
> Your question is confusing.  Using faked certs doesn't help Syrian
> citizens, rather it puts them at risk.
> 
> However, it does help the government.  The govt gets to
> machine-in-the-middle all ssl traffic to facebook, decrypt it,
> parse/record/store the unencrypted data, and then go arrest/kill people
> with proof of content against the state. Or the data can be used to
> unmask social networks of people friendly to the cause of protesting,
> etc.
> 
> This same mitm has happened in Tunisia, Iran, Burma, and suspected in
> many other countries.  In fact, you can buy hardware to do this from US
> companies, like Bluecoat or Packet Forensics.  Or just roll your own
> with one of the many mitmproxy projects out there, like
> http://mitmproxy.org/.
> 
> --
> Andrew
> pgp key: 0x74ED336B
> _______________________________________________
> liberationtech mailing list
> liberationtech at lists.stanford.edu
> 
> Should you need to change your subscription options, please go to:
> 
> https://mailman.stanford.edu/mailman/listinfo/liberationtech
> 
> If you would like to receive a daily digest, click "yes" (once you click above) next to "would you like to receive list mail batched in a daily digest?"
> 
> You will need the user name and password you receive from the list moderator in monthly reminders.
> 
> Should you need immediate assistance, please contact the list moderator.
> 
> Please don't forget to follow us on http://twitter.com/#!/Liberationtech
> 
> 
> 
> -- 
> Berkman Center for Internet and Society | https://cyber.law.harvard.edu/people/jyork
> jilliancyork.com | @jilliancyork | tel: +1-857-891-4244
> 
