Syrian Facebook: Low-tech threats and high-tech scrutiny

Journalists and online news-gatherers have been struggling to collect and distribute high-quality information about recent events in Syria. Foreign journalists have been turned away at the border; local online reporters have been detained. The quality of Internet and mobile phone connectivity has been extremely variable, with reports of Net and phone connections being cut off in selective areas, such as Deraa and Douma. The Wall Street Journal reported blocks on social-networking sites, and CPJ has received reports of consistent slowdowns of home Internet services such as Skype and Google Mail.

In the midst of such chaos come two more disturbing attacks on online reporters’ and readers’ information security. Earlier this month, CPJ encountered consistent reports that Syrian security officials were visiting activists and demanding they hand over their logins and passwords to online social sites such as Facebook. They were also told not to change the passwords.

This week, Syrian users experienced strange errors when connecting to Facebook using its new https secure option. The errors were due to a “man in the middle” attack on the service. Someone was intercepting the Internet traffic in transit and masquerading as Facebook in order to spy on its traffic within Syria.

Such attacks can be trivially attempted by petty cybercriminals if you are on a shared Internet connection, such as an open WiFi link or a cybercafe. This interception, however, was detected on a home Internet connection with a direct link to a Syrian ISP. This implies interception equipment or software deep within the Syrian telecoms infrastructure.

In some ways, the attack was clumsy. As the Electronic Frontier Foundation notes, the certificate used was not signed by a widely recognized authority. Without that key signature, web browsers will display an error warning that the site should not be trusted. Unlike most governments, the Syrian state does not have easy access to a certificate-signing authority.

Even without a valid certificate, however, the incident shows that Syria has modern Internet surveillance technology, and is prepared to use it to target Facebook posters and readers. And while https users see a warning, those using Facebook without the https option would have no warning at all as their passwords and private messages were skimmed from their browsing session.

Reporters and readers in the country must assume that less protected Net communications, like non-https Facebook access and instant messaging, are being pervasively monitored. Use a virtual private network (VPN) or a privacy-protective tool like Tor if you are communicating with sources or uploading content over the Syrian Net. And users and security professionals in other high-risk countries should take note too. If Syria, a country under heavy sanctions and without access to a certificate authority, is already spying on SSL sessions, it is likely that other repressive states are attempting to do so too.