nationwide interception of Facebook & webmail login credentials in Tunisia
passiveprofits at yahoo.com
Mon Jan 31 14:19:51 GMT 2011
So Cert Patrol just picked up an SSL certificate switch for encrypted.google.com; here's the new SHA1 fingerprint I've got...
Anyone confirm they've also had a switch - it's not impossible I'm under attack, having fairly recently discovered a MiTM attack in progress, some months ago (mainly due to a fluke; didn't have cert patrol then!).
TIA for any assistance on this matter.
"The man who owns a slave, or lives by exploiting others, whether slave or not, is not himself a free man. He is a man who must look over his shoulder all the time, in fear. True freedom lies in a deep concern for the freedom of others, and if this is accepted it should make every man, out of pure selfishness, the ardent devotee of the freedom of his neighbor." -Leonard Wibberly, 1776 - And All That (1975), p. 72.
--- On Tue, 1/25/11, Passive PROFITS <passiveprofits at yahoo.com> wrote:
> From: Passive PROFITS <passiveprofits at yahoo.com>
> Subject: Re: nationwide interception of Facebook & webmail login credentials in Tunisia
> To: "UK Cryptography Policy Discussion Group" <ukcrypto at chiark.greenend.org.uk>
> Date: Tuesday, January 25, 2011, 8:18 AM
> That would not deal with the
> falsifying of certificates. Assuming the code-base of
> this is not intentionally corrupt, the addition of an
> extension such as certpatrol is also required (a firefox
> extension), to notify one when the SSL cert swap by the
> government/ISP (using the browser accepted as 'true'
> passported C.A.(s) under their control) has taken place (a
> MiTM is in progress notification function). The other
> known way would be manual/local (each time) inspection of
> the cert fingerprint(s). e.g. you note Facebook's
> fingerprint then check each time it's got the same
> 'print. Then (once under notice the hack is under
> progress) you could retreat, or start playing your own
> pre-planned counter-measures ... depending on the peril of
> the situation, tactics, etc, call the government, depending
> on the nature of your business, etc.
> --- On Tue, 1/25/11, Richard W.M. Jones <rich at annexia.org>
> > From: Richard W.M. Jones <rich at annexia.org>
> > Subject: Re: nationwide interception of Facebook &
> webmail login credentials in Tunisia
> > To: "UK Cryptography Policy Discussion Group" <ukcrypto at chiark.greenend.org.uk>
> > Date: Tuesday, January 25, 2011, 3:35 AM
> > JGC's blog has the technical details:
> > http://blog.jgc.org/2011/01/code-injected-to-steal-passwords-in.html
> > Moral of the story is to use https:// URLs to fetch
> > initial form
> > (ie. https://facebook.com/). The Firefox
> > HTTPS-Everywhere extension
> > automates this completely (https://www.eff.org/https-everywhere) -- no
> > thought or technical skills required.
> > Rich.
> > --
> > Richard Jones
> > Red Hat
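
The manual check described in the thread (note a site's fingerprint, then compare it on each later visit) can be sketched as a small trust-on-first-use pin store. This is an added example, not part of the original posts and not Certificate Patrol's code; the host `example.test`, the file name `pins.json`, the function names and the two certificate byte strings are constructed for illustration.

```python
import hashlib
import json
import ssl
from pathlib import Path

# Constructed stand-ins for DER-encoded certificates (not real certificates);
# a fingerprint is just a hash over the DER bytes, so any bytes demonstrate it.
CERT_A = b"constructed-der-bytes-original-certificate"
CERT_B = b"constructed-der-bytes-substituted-certificate"


def fingerprint(der: bytes, algo: str = "sha256") -> str:
    """Colon-separated hex fingerprint; algo='sha1' gives the form quoted in the thread."""
    digest = hashlib.new(algo, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fetch_der(host: str, port: int = 443) -> bytes:
    """Fetch the server's leaf certificate as DER (needs network; unused by the demo)."""
    return ssl.PEM_cert_to_DER_cert(ssl.get_server_certificate((host, port)))


def check_host(store: Path, host: str, der: bytes) -> str:
    """Compare a certificate with the pinned fingerprint for host.

    Returns 'first-seen', 'match' or 'changed'. A changed certificate never
    replaces the stored pin automatically; accepting it is a human decision.
    """
    pins = json.loads(store.read_text()) if store.exists() else {}
    seen = fingerprint(der)
    known = pins.get(host)
    if known is None:
        pins[host] = seen
        store.write_text(json.dumps(pins, indent=2))
        return "first-seen"
    return "match" if known == seen else "changed"


if __name__ == "__main__":
    import tempfile
    store = Path(tempfile.mkdtemp()) / "pins.json"
    for der in (CERT_A, CERT_A, CERT_B):
        print("example.test", check_host(store, "example.test", der), fingerprint(der, "sha1"))
```

A `changed` result is not proof of interception: large sites rotate certificates and may serve different ones from different front ends, which is why comparing the new fingerprint with what others see, as the top post asks, is the sensible next step.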