nationwide interception of Facebook & webmail login credentials in Tunisia

Ian Batten igb at
Wed Jan 26 12:36:00 GMT 2011

On 26 Jan 11, at 1126, Brian Morrison wrote:

> On Wed, 26 Jan 2011 09:18:11 +0000
> Mark Lomas <ukcrypto at> wrote:
>> May I conduct an informal survey? Who on this mailing list has not
>> removed any of the CA certificates that were pre-installed by whoever
>> supplied your browser?
> Not me. All I have done is add the CACert root certificate so that
> some of my own certificates work.
> Having said that, I don't ignore any error or warning messages, and I
> do quite often check certificate fingerprints. In a widely rolled-out
> deployment of SSL the security you gain is there to raise the bar to
> compromise, not to eliminate it.

I've just written a quick analyser for my certificate store (Mac) to look for things that seem to be CAs, and pull out their country of origin. It seems that for whatever reason the root store I have doesn't seem to have a wide range of countries of origin: I presume that the certificate authorities in those countries rely on a root certificate held by someone else. My test for a CA is bad --- openssl x509 -purpose contains "CRL Signing CA : Yes" --- and I've attached my script in case anyone has a better suggestion of how to find CAs in the key store. But broken down by country code and whether or not the certificate is self-signed or signed by another key, we have:

  36 US signed
  13 US self
   7 DE signed
   4 GB self
   3 UK self
   3 GB signed
   3 FR self
   3 DE self
   2 ZA signed
   2 IL signed
   1 ZA self
   1 SE signed
   1 SE self
   1 NL signed
   1 IT signed
   1 FR signed
   1 BE signed

None of those countries leap off the page as places that would naturally assist the Tunisian government in doing bad stuff.
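Added example, not the script attached to the post above: one way to produce the same kind of tally, using the basicConstraints `CA:TRUE` flag as the CA test instead of the `-purpose` output. It assumes each input is the text printed by `openssl x509 -noout -text`; the function names and the sample certificates are constructed for illustration.

```python
import re
from collections import Counter

# Constructed, abridged `openssl x509 -noout -text` output for three made-up
# certificates (not from any real root store): a root, an intermediate, a leaf.
SAMPLE_CERTS = [
    """        Issuer: C = US, O = Example Trust, CN = Example Root CA
        Subject: C = US, O = Example Trust, CN = Example Root CA
            X509v3 Basic Constraints: critical
                CA:TRUE
""",
    """        Issuer: C=US, O=Example Trust, CN=Example Root CA
        Subject: C=DE, O=Beispiel GmbH, CN=Beispiel Issuing CA
            X509v3 Basic Constraints: critical
                CA:TRUE, pathlen:0
""",
    """        Issuer: C = DE, O = Beispiel GmbH, CN = Beispiel Issuing CA
        Subject: C = GB, O = Example Ltd, CN = www.example.test
            X509v3 Basic Constraints:
                CA:FALSE
""",
]

NAME_LINE = re.compile(r"^\s*(Issuer|Subject):\s*(.+?)\s*$", re.M)
# Matches the C= attribute in both "C = US, O = ..." and "/C=US/O=..." styles.
COUNTRY = re.compile(r"(?:^|[,/])\s*C\s*=\s*([A-Za-z]{2})\s*(?:[,/]|$)")
CA_TRUE = re.compile(r"X509v3 Basic Constraints:[^\n]*\n\s*CA:TRUE")


def classify(text):
    """Return (country, 'self' | 'signed') for a CA certificate, else None."""
    if not CA_TRUE.search(text):
        return None  # leaf, or an X.509v1 certificate that carries no extensions
    names = dict(NAME_LINE.findall(text))
    if "Subject" not in names or "Issuer" not in names:
        return None
    found = COUNTRY.search(names["Subject"])
    country = found.group(1).upper() if found else "??"
    # Assumption: subject == issuer is counted as self-signed; proving it would
    # mean verifying the signature with the certificate's own public key.
    kind = "self" if names["Subject"] == names["Issuer"] else "signed"
    return country, kind


def tally(cert_texts):
    """Count CA certificates by (country, self/signed), as in the table above."""
    return Counter(c for c in map(classify, cert_texts) if c is not None)
```

Old X.509v1 roots have no extensions at all, so this test skips them; they need to be counted separately.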

