Tunisian government executes man-in-the-middle attack on Facebook, steals passwords and identities

It seems as though the recent uprising in Tunisia has prompted the Tunisian government to start taking control over the country’s internet communications. Many websites were blocked outright, while a large percentage of Facebook login pages were routed through a hidden proxy in order to execute a man-in-the-middle attack, stealing the passwords of many Facebook users in Tunisia. Because Facebook allows unencrypted logins, and the homepage is unencrypted, all that needs to be done is to disrupt HTTPS connections and sniff all traffic going over HTTP. I believe that in this particular event, JavaScript was injected into the Facebook home page that forwarded login information. Once Facebook realized this was happening, they forced HTTPS connections for Tunisian IP addresses.

I mean, Facebook is putting your personal information up for sale anyway… but the Tunisian government got it for free. They should have to pay for it first.

The Tunisian government also has their own certificate authority, certification.tn. The scary thing is that their CA cert comes preloaded by Microsoft into Internet Explorer as a trusted root authority, and they are not restricted to signing for just .tn TLDs. This means that Microsoft can compromise your security by adding random CAs like this to your trusted list. Fortunately, other browsers don’t seem to be affected.

This is just one more reason to always encrypt logins with an end-to-end protocol like HTTPS and take extreme caution when trusting certificates and certificate authorities. An unscrupulous or subpoenaed certificate authority could be compelled to sign a certificate that is not authentic, allowing the encrypted connection to be broken.

However… HTTPS does have its share of security issues as well. Encrypted HTTPS traffic can be transparently forwarded using sslstrip, and certificates can be faked. Most people won’t notice anything. Some serious damage could be done with this attack, as it comes with a false sense of security and can be run on local area networks, wireless access points, and Tor exit nodes.
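As an added, defender-side example (not code from the original post), the two checks below look for the conditions described in the attack write-up above and in the sslstrip paragraph: login credentials submitted over plain HTTP, and a login page that loads script from a host outside the site's own domain. The credential field names, the sample request and the sample page are all constructed for this example.

```python
"""Detect cleartext credential submission and foreign script injection
in captured HTTP traffic. All inputs here are constructed samples."""
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit

# Common names for password fields (assumption; extend for your own forms).
CREDENTIAL_FIELDS = {"pass", "password", "passwd", "pwd"}


def cleartext_credentials(scheme, method, body):
    """Return credential field names sent in a plain-HTTP POST, else []."""
    if scheme.lower() != "http" or method.upper() != "POST":
        return []
    return sorted(f for f in parse_qs(body) if f.lower() in CREDENTIAL_FIELDS)


class ScriptSources(HTMLParser):
    """Collect the src attribute of every <script> tag in a page."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.sources.append(src)


def foreign_scripts(html, site_domain):
    """Return script URLs whose host is neither site_domain nor a subdomain."""
    parser = ScriptSources()
    parser.feed(html)
    found = []
    for src in parser.sources:
        host = urlsplit(src).hostname
        if host is None:  # relative URL: same origin, nothing to flag
            continue
        if host != site_domain and not host.endswith("." + site_domain):
            found.append(src)
    return found


# Constructed samples: a login left on the wire by a downgrade to HTTP, and a
# login page carrying an extra script from an outside host.
SAMPLE_POST = ("http", "POST", "/login.php", "email=alice%40example.com&pass=hunter2&lsd=abc")
SAMPLE_PAGE = ('<html><head><script src="/static/login.js"></script>'
               '<script src="http://collector.invalid/f.js"></script></head></html>')

if __name__ == "__main__":
    print(cleartext_credentials(SAMPLE_POST[0], SAMPLE_POST[1], SAMPLE_POST[3]))
    print(foreign_scripts(SAMPLE_PAGE, "facebook.com"))
```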

Because of the internet’s impending IPv4 address shortage, the push will soon be made to migrate networks over to IPv6, likely sometime this year. When IPv6 becomes mainstream in networks, IPsec will hopefully be in widespread usage. Since IPsec is part of the IPv6 standard, devices will be required to support IPsec in order to be standards-compliant. This might also prompt network hardware manufacturers to add hardware encryption support to their Ethernet/WiFi chipsets, which would be quite useful in offloading encryption duties from the CPU.

Luckily, the servers at Minousoft.com already have several public IPv6 addresses, so when the time comes I should be able to switch everything over relatively painlessly.
