Feeds

Fake certificate attack targets Facebook users in Syria

al-Assad family suspected of spying on its subjects

Intelligent flash storage arrays

A man-in-the-middle attack is being run against users of the secure version of Facebook in Syria, the Electronic Frontier Foundation (EFF) warns.

The semi-professional attack against the HTTPS version of the Facebook site relies on a digital certificate unsigned by any Certificate Authority and probable re-routing of traffic by the Syrian Telecom Ministry. The ongoing attack has been detected against multiple Syrian ISPs.

The EFF doesn't name the perpetrators of the attack, but the ruse bears the hallmarks of an operation by the Syrian government, which is in the midst of cracking down on a popular uprising against the autocratic rule of the al-Assad dynasty. It amounts to an unsubtle attempt to snoop on Facebook posts and updates.

The use of an unsigned certificate as part of the attack means that the certificate is treated as invalid by modern browsers, raising a security warning. Unfortunately many users ignore such warnings, which can be generated for a variety of reason, such as attempting to visit a secure site via a Wi-Fi hotspot connection that requires an initial log-in.

Surfers in Syria are advised to use either Tor or proxies outside the country in order to access Facebook. The EFF has obtained a copy of the unsigned certificate used in the ruse via contacts in Syria, which it has published in an alert here.

The Facebook fake certificate ruse follows a problem that prevented Syrian surfers from accessing the encrypted version of Hotmail. Microsoft blamed a bug for what it characterised as a glitch, which it said had been limited to first-time users of the encrypted Hotmail who signed in from several countries. Webmail users in the Bahamas, Cayman Islands, and Fiji were also affected by the snafu. ®

Beginner's guide to SSL certificates

More from The Register

next story
You really need to do some tech support for Aunty Agnes
Free anti-virus software, expires, stops updating and p0wns the world
USB coding anarchy: Consider all sticks licked
Thumb drive design ruled by almighty buck
Attack reveals 81 percent of Tor users but admins call for calm
Cisco Netflow a handy tool for cheapskate attackers
Privacy bods offer GOV SPY VICTIMS a FREE SPYWARE SNIFFER
Looks for gov malware that evades most antivirus
Patch NOW! Microsoft slings emergency bug fix at Windows admins
Vulnerability promotes lusers to domain overlords ... oops
Oi, Europe! Tell US feds to GTFO of our servers, say Microsoft and pals
By writing a really angry letter about how it's harming our cloud business, ta
prev story

Whitepapers

Choosing cloud Backup services
Demystify how you can address your data protection needs in your small- to medium-sized business and select the best online backup service to meet your needs.
Getting started with customer-focused identity management
Learn why identity is a fundamental requirement to digital growth, and how without it there is no way to identify and engage customers in a meaningful way.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Reducing the cost and complexity of web vulnerability management
How using vulnerability assessments to identify exploitable weaknesses and take corrective action can reduce the risk of hackers finding your site and attacking it.
Saudi Petroleum chooses Tegile storage solution
A storage solution that addresses company growth and performance for business-critical applications of caseware archive and search along with other key operational systems.