Syrian bloggers are reporting that the government-run Syrian Telecom Ministry is compromising the security of citizens’ Facebook accounts. In what appears to be a man-in-the-middle attack against the HTTPS version of Facebook, logging in triggers a browser warning like the one above, saying that the certificate is invalid and not to be trusted.
The certificate on the left, issued to “Facebook, Inc.”, is not real; the DigiCert one is. The EFF says that it is a sign of the relative unsophistication of the alleged government attack that it raises a warning at all. However, plenty of people don’t pay attention to browser warnings, especially when they are trying to log into a trusted site like Facebook. Logging in anyway would give the attackers behind the phony certificate “access to and control of their Facebook account,” so this is serious business.
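As an added illustration (not code from the post or from the EFF), the following Go program shows what the browser's warning amounts to: a constructed root CA that the client trusts, a leaf for www.facebook.com signed by that root, and a self-signed leaf with the same host name and a “Facebook, Inc.” subject, which fails chain validation because no trusted CA vouches for it. The root name, the host name and the function names are assumptions made for this demo.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)
func must(err error) { if err != nil { panic(err) } } // abort the demo on any setup error
// makeCert issues a certificate for cn. With parent == nil it is self-signed: no
// trusted CA vouches for it, which is what the forged "Facebook, Inc." certificate looks like.
func makeCert(cn string, isCA bool, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	must(err)
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: cn, Organization: []string{"Facebook, Inc."}},
		DNSNames:              []string{cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  isCA,
		BasicConstraintsValid: true,
	}
	if parent == nil {
		parent, parentKey = tmpl, key // self-signed: the issuer is the subject itself
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return cert, key
}

// CheckChains validates two leaves for www.facebook.com: one signed by a root the
// client trusts and one self-signed. A nil error means the client accepts it silently.
func CheckChains() (genuineErr, forgedErr error) {
	root, rootKey := makeCert("constructed-root-ca", true, nil, nil) // assumed trust anchor
	genuine, _ := makeCert("www.facebook.com", false, root, rootKey)
	forged, _ := makeCert("www.facebook.com", false, nil, nil) // same name, untrusted issuer
	roots := x509.NewCertPool()
	roots.AddCert(root)
	opts := x509.VerifyOptions{Roots: roots, DNSName: "www.facebook.com"}
	_, genuineErr = genuine.Verify(opts)
	_, forgedErr = forged.Verify(opts)
	return genuineErr, forgedErr
}
func main() { fmt.Println(CheckChains()) } // <nil> x509: certificate signed by unknown authority
```

The forged leaf carries the right name and organization, so only the issuer check catches it; that is the check a user discards by clicking through the warning.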
(EFF via Boing Boing)
Published: May 6, 2011 02:10 pm