nationwide interception of Facebook & webmail login credentials in Tunisia

Brian Morrison bdm at
Wed Jan 26 13:24:26 GMT 2011

On Wed, 26 Jan 2011 11:58:13 +0000
Mark Lomas <ukcrypto at> wrote:

> Perhaps I should have been more explicit about the reason for my
> question.
> It is alleged that somebody is interfering with traffic to Facebook.
> The suggested countermeasure is to insist upon an SSL connection from
> the outset
> - not to trust the standard HTTP page.

I use https: as a matter of course, I have the HTTPS-Everywhere
extension in Firefox and otherwise will choose it in preference to http
if available. Oh, and I don't have an FB account....

> If those same attackers can persuade *any *of the CAs trusted by the
> browser to issue a duplicate Facebook certificate then they can
> interfere with SSL connections as well. Most browsers will not
> display any warning message in such circumstances.

True. That's one reason why, after some thought, I've decided I don't
really trust anyone, or any organisation that doesn't have my
interests at heart ;-)

> You can reduce (but not eliminate) this risk by paring down the list
> of trusted CAs.

True, but are any CAs already present *really* more trustworthy than
the others? I suspect not.

> Now consider which SSL sites you visit. Perhaps your e-mail service
> or your bank. Are you happy that *all* of the CAs trusted by your
> browser are permitted to sign certificates purporting to represent
> your e-mail service or bank?

My bank has gone along with the Chip'n'PIN fiction, so to be honest I
don't really trust them much anyway. All they want is to move the
responsibility for their mistakes to me, and seeing as I'm part of a
group of taxpayers that have provided them with tens of billions to
prop up their broken finances, I don't see that fighting them for a few
quid if something goes wrong with their broken system makes much
difference alongside that bail-out.

Apologies if my cynicism is showing.

>         Mark
> On 26 January 2011 11:26, Brian Morrison <bdm at> wrote:
> > On Wed, 26 Jan 2011 09:18:11 +0000
> > Mark Lomas <ukcrypto at> wrote:
> >
> > > May I conduct an informal survey? Who on this mailing list has not
> > > removed any of the CA certificates that were pre-installed by
> > > whoever supplied your browser?
> >
> > Not me. All I have done is add the CACert root certificate so that
> > some of my own certificates work.
> >
> > Having said that, I don't ignore any error or warning messages, and
> > I do quite often check certificate fingerprints. In a widely
> > rolled-out deployment of SSL the security you gain is there to
> > raise the bar to compromise, not to eliminate it.
> >
> > --
> >
> > Brian Morrison
> >
> >


Brian Morrison

More information about the ukcrypto mailing list