nationwide interception of Facebook & webmail login credentials in Tunisia
bdm at fenrir.org.uk
Wed Jan 26 13:24:26 GMT 2011
On Wed, 26 Jan 2011 11:58:13 +0000
Mark Lomas <ukcrypto at absent-minded.com> wrote:
> Perhaps I should have been more explicit about the reason for my
> It is alleged that somebody is interfering with traffic to Facebook.
> The suggested countermeasure is to insist upon an SSL connection from
> the outset
> - not to trust the standard HTTP page.
I use https: as a matter of course, I have the HTTPS-Everywhere
extension in Firefox and otherwise will choose it in preference to http
if available. Oh, and I don't have an FB account....
> If those same attackers can persuade *any *of the CAs trusted by the
> browser to issue a duplicate Facebook certificate then they can
> interfere with SSL connections as well. Most browsers will not
> display any warning message in such circumstances.
True. That's one reason why, after some thought, I've decided I don't
really trust anyone, or any organisation that doesn't have my
interests at heart ;-)
> You can reduce (but not eliminate) this risk by paring down the list
> of trusted CAs.
True, but are any CAs already present *really* more trustworthy than
the others? I suspect not.
> Now consider which SSL sites you visit. Perhaps your e-mail service
> or your bank. Are you happy that *all* of the CAs trusted by your
> browser are permitted to sign certificates purporting to represent
> your e-mail service or bank?
My bank has gone along with the Chip'n'PIN fiction, so to be honest I
don't really trust them much anyway. All they want is to move the
responsibility for their mistakes to me, and seeing as I'm part of a
group of taxpayers that have provided them with tens of billions to
prop up their broken finances, I don't see that fighting them for a few
quid if something goes wrong with their broken system makes much
difference alongside that bail-out.
Apologies if my cynicism is showing.
> On 26 January 2011 11:26, Brian Morrison <bdm at fenrir.org.uk> wrote:
> > On Wed, 26 Jan 2011 09:18:11 +0000
> > Mark Lomas <ukcrypto at absent-minded.com> wrote:
> > > May I conduct an informal survey? Who on this mailing list has not
> > > removed any of the CA certificates that were pre-installed by
> > > whoever supplied your browser?
> > Not me. All I have done is add the CACert root certificate so that
> > some of my own certificates work.
> > Having said that, I don't ignore any error or warning messages, and
> > I do quite often check certificate fingerprints. In a widely
> > rolled-out deployment of SSL the security you gain is there to
> > raise the bar to compromise, not to eliminate it.
> > --
> > Brian Morrison
More information about the ukcrypto