In Syria and Iran, among other places, social media users are lulled into a dangerously false sense of security
Jillian C. York
Syrians supporting the opposition have had their Facebook accounts hacked [GALLO/GETTY]
If there’s one thing that net-savvy activists from Tunisia to Bahrain are aware of, it’s that the Internet isn’t always safe. From the constant threat of surveillance to the knowledge that posting the wrong picture on Facebook can get you arrested – or worse – activists have for a long time taken measures to mitigate risks, censoring themselves, using special tools like Tor, or staying off certain networks altogether.
Unfortunately, not only do some activists lack the necessary savvy, but even the best can fall victim to savvier regimes. Back in December, for example, just as the Tunisian uprising began to take root, activists within the country noticed that their Facebook accounts had been compromised. Some reported information missing from their accounts, leading Facebook to investigate and, in the end, re-route users to a secure HTTPS version of the site.
The incident may have prompted Facebook to make the decision to roll out HTTPS to all of its users. By the end of February, users of the site could opt in for increased security; but as two incidents from this week illustrate, their sense of security may have been premature. The latest in a series of events to take advantage of Facebooking dissidents, the two exploits demonstrate a seemingly perpetual cat-and-mouse game between users of social media living under authoritarian regimes and the regimes themselves.
Syrian Facebookers targeted
For months, the Syrian regime and its supporters have been devising and implementing new ways of targeting social media users who express favour toward the opposition, from flooding Twitter hashtags with unrelated links to hacking and defacing opposition sites. While various incidences of Facebook manipulation have been reported, none have been confirmed.
Today, the Information Warfare Monitor reports on a new attempt to mount an attack on pro-opposition Syrians. Though the perpetrators remain unknown, the attacks were launched on Twitter, targeting users of Facebook. According to the report, the culprits tweeted a link in an attempt to lure followers to a video posted to Facebook, whereupon those clicking on the link would be redirected to a fake Facebook page. Then, if the user then logged in, their credentials would be captured and their account information compromised.
This type of attack, whether launched by the regime or third-party actors, is basic in scope but can be devastating to a user who hasn’t backed up his or her Facebook data (a feature made available in the Account Settings), and outright dangerous to an activist whose account contains private information or sensitive contacts. Still, this type of attack pales in comparison to one discovered this week in neighbouring Iran.
In the wake of the Arab Spring and the development of tools like Firesheep, escalating risks have led to increased pressure on social media platforms to offer encrypted HTTPS connections to their sites, providing users with a safer, less vulnerable way of accessing their platforms. In the wake of the aforementioned Tunisian attack, Facebook rolled out opt-in encryption services to its users, while Twitter is in the early stages of offering it by default (it’s already available as an opt-in service). Most webmail programmes offer secure browsing as well.
When a user visits such sites, they are relying upon Certificate Authorities (CAs), hundreds of companies that sign the certificates that supposedly guarantee secure browsing. But what happens if just one of these CAs is tricked into issuing a fraudulent certificate? That certificate can be used to compromise sites that people believe they are browsing securely.
On Monday, an Iranian Gmail user reported a warning from the Google Chrome browser that indicated the presence of a fake certificate. A statement from Google acknowledges that primarily Iranian users were affected, and that the fraudulent certificate was issued by a CA called DigiNotar nearly two months ago, on July 10. While critics of the CA system have long feared that such an attack could be possible, this is the first time such an attack has been seen “in the wild”.
For the last two months, Iranians who tried to access encrypted Google websites, including Gmail, may have been vulnerable to surveillance, their user data (including passwords and any activity conducted while logged into a site) available to the attacker.
For its part, Google has released a statement reminding users to be vigilant about keeping software up-to-date and pay attention to browser warnings. Mozilla, which produces the Firefox browser, and Microsoft have communicated the situation to users as well.
Different methods, same purpose
Although the Iranian attack was significantly more sophisticated than that perpetrated against Syrian Facebook users, both serve the same ends: to grab hold of user data in an attempt by malicious actors to silence or endanger those with whom they disagree.
Syrian authorities have used the Facebook accounts of detainees, for example, to track down other activists. The same has occurred in Bahrain, while in Iran, deep packet inspection – used to snoop on email, VoIP calls, and other online activity – has been reported. Activists in all three countries have been arrested, jailed, and in some cases, tortured.
Critics of the encryption and CA systems have long focused on the threats to average users. The Electronic Frontier Foundation (where I am employed) has voiced concerns that such incidents may be widespread, noting that the CA system was created decades ago, “in an era when the biggest online security concern was thought to be protecting users from having their credit card numbers intercepted”.
These latest attacks shed light on just how serious the ramifications can be for users in countries like Iran and Syria, where authorities regularly use social media to silence dissenters. When a regime gains the capability to conduct surveillance on large swaths of users, it need not rely on traditional, cost-heavy methods of identifying and spying on individuals.
It is therefore imperative that the security community, and the Certificate Authorities in particular, become aware of the global implications of their technologies: there are lives at stake.
Jillian York is director for International Freedom of Expression at the Electronic Frontier Foundation in San Francisco. She writes a regular column for Al Jazeera focusing on free expression and Internet freedom. She also writes for and is on the Board of Directors of Global Voices Online.
The views expressed in this article are the author’s own and do not necessarily reflect Al Jazeera’s editorial policy.