May 5, 2011 | By Peter Eckersley

A Syrian Man-In-The-Middle Attack against Facebook

UPDATE: If you are in Syria and your browser shows you this certificate warning on Facebook, it is not safe to log in to Facebook. You may wish to use Tor to connect to Facebook, or use proxies outside of Syria.

UPDATE II: We have received reports that some Syrian ISPs are blocking Tor. If Tor is not working for you, you may try to connect through another ISP. It is still unsafe to connect to Facebook without using Tor or a proxy outside of Syria.

Yesterday we learned of reports that the Syrian Telecom Ministry had launched a man-in-the-middle attack against the HTTPS version of the Facebook site. The attack is ongoing and has been seen by users of multiple Syrian ISPs. We cannot confirm the identity of the perpetrators.

The attack is not extremely sophisticated: the certificate is invalid in users' browsers, and raises a security warning. Unfortunately, because users see these warnings for many operational reasons that are not actual man-in-the-middle attacks, they have often learned to click through them reflexively. In this instance, doing so would allow the attackers access to and control of their Facebook account. The security warning is users' only line of defense.

EFF is very interested in collecting TLS/SSL certificates. Our SSL Observatory project has collected millions of them by scanning the public Internet. Thanks to the assistance of a Syrian citizen named Mohammad, we can also provide a copy of the fake Syrian Facebook certificate. Interested readers can find a copy in human-readable and PEM-encoded form.[1]

This is very much an amateur attempt at attacking Facebook's HTTPS site. The certificate was not signed by a Certificate Authority that was trusted by users' web browsers. Unfortunately, Certificate Authorities are under the direct or indirect control of numerous governments, and many governments therefore have the capability to perform versions of this attack that do not raise any errors or warnings.
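The distinction drawn above, between a forged certificate that fails trust-store validation and one issued by a trusted CA that raises no warning, can be checked by combining chain validation with a certificate fingerprint learned out of band. This is an added example, not part of the original post or EFF's own code; the function names, the verdict strings and the stand-in byte strings are assumptions made for illustration.

```python
import hashlib
import socket
import ssl

# Constructed stand-ins for DER certificate bytes (not real certificates).
GENUINE_DER = b"constructed-genuine-leaf"
FORGED_DER = b"constructed-forged-leaf"

def fingerprint(der):
    """SHA-256 fingerprint of a DER-encoded certificate, as lowercase hex."""
    return hashlib.sha256(der).hexdigest()

def classify(chain_trusted, leaf_der, pinned):
    """Combine the trust-store verdict with a pin learned out of band."""
    pin_ok = fingerprint(leaf_der) in pinned
    if chain_trusted and pin_ok:
        return "ok"
    if chain_trusted:
        # No browser warning would appear: the CA-issued variant of the attack.
        return "trusted-chain-unknown-cert"
    if pin_ok:
        return "untrusted-chain-known-cert"  # local trust store or clock problem
    # Browser warning plus unknown certificate: the case described in this post.
    return "untrusted-chain-unknown-cert"

def fetch_leaf(host, port=443, verify=True, timeout=5.0):
    """Return the DER leaf certificate the peer presents; no HTTP data is sent."""
    ctx = ssl.create_default_context()
    if not verify:
        # Inspection only: accept any certificate so it can be fingerprinted.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)

def probe(host, pinned, port=443):
    """Classify a live endpoint against the system trust store and the pins."""
    try:
        return classify(True, fetch_leaf(host, port, verify=True), pinned)
    except ssl.SSLCertVerificationError:
        return classify(False, fetch_leaf(host, port, verify=False), pinned)

if __name__ == "__main__":
    pins = {fingerprint(GENUINE_DER)}
    for trusted, der in [(False, FORGED_DER), (True, FORGED_DER), (True, GENUINE_DER)]:
        print(trusted, classify(trusted, der, pins))
```

The pin set must come from a path the interceptor does not control, for example a fingerprint recorded from a network outside the affected ISPs.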

  • 1. Mohammad's machine resolved the s.static.ak.facebook.com domain to 195.59.150.24, and the www.facebook.com domain to 66.220.153.11. These addresses appear legitimate to us, so the attack was probably implemented with routers or proxies rather than DNS tampering.
