Reports are issuing from Syrian bloggers that the government-run Syrian Telecom Ministry is compromising the security of citizens’ Facebook accounts. In what appears to be a man-in-the-middle attack against the HTTPS version of Facebook, logging in triggers a browser warning like the one above, saying that the certificate is invalid and should not be trusted.
The certificate on the left, issued to “Facebook, Inc.”, is not real; the DigiCert one is. The EFF says that it is a sign of the relative unsophistication of the alleged government attack that it raises a warning at all. However, there are plenty of people who don’t pay attention to browser warnings, especially when they’re trying to log into a trusted site like Facebook. Logging in anyway would give the attackers behind the phony certificate “access to and control of their Facebook account,” so this is serious business.
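The warning described above is the visible result of certificate validation failing. The following Go program is an added example (not code from the post or from the EFF) that reproduces the two situations in the screenshot entirely offline: it constructs a stand-in trusted root CA, a genuine leaf certificate chained to it, and a forged "Facebook, Inc." leaf signed by an issuer the trust store has never heard of. All keys, serials and issuer names are constructed for the example; the genuine chain validates, the forged one fails with an unknown-authority error (the browser warning), and a third check shows the hostname-mismatch failure.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

var serial int64 // monotonically increasing serial numbers for the constructed certs

// issue creates a certificate for subject/dnsNames. If parent is nil the
// certificate is self-signed (a root); otherwise it is signed by parentKey.
// Every key and name here is constructed for the example, not real CA material.
func issue(subject string, dnsNames []string, isCA bool,
	parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	serial++
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{Organization: []string{subject}, CommonName: subject},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  isCA,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageDigitalSignature,
		DNSNames:              dnsNames,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign // a CA must be allowed to sign certificates
	} else {
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth} // a leaf for a TLS server
	}
	signer := parentKey
	if parent == nil { // self-signed root: the certificate signs itself
		parent, signer = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// checkLikeABrowser performs the validation a browser does before showing the
// padlock: build a path from the leaf to a root in the trust store and confirm
// the certificate is valid for the host being visited. A non-nil error is the
// condition that produces the "certificate is not trusted" warning.
func checkLikeABrowser(leaf *x509.Certificate, trustStore *x509.CertPool, host string) error {
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots:     trustStore,
		DNSName:   host,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

// Scenario builds a genuine chain and a forged one, then validates both against
// a trust store that contains only the legitimate root. It returns the three
// verification results: genuine chain, forged chain, and genuine leaf checked
// against the wrong hostname.
func Scenario() (genuineErr, forgedErr, wrongHostErr error) {
	trustedRoot, trustedRootKey := issue("Trusted Root CA (constructed stand-in)", nil, true, nil, nil)
	genuine, _ := issue("Facebook, Inc.", []string{"www.facebook.com"}, false, trustedRoot, trustedRootKey)

	// The forged leaf carries the same subject and hostname but chains to an
	// issuer that is absent from the trust store.
	rogueRoot, rogueRootKey := issue("Unknown Issuer (constructed)", nil, true, nil, nil)
	forged, _ := issue("Facebook, Inc.", []string{"www.facebook.com"}, false, rogueRoot, rogueRootKey)

	trustStore := x509.NewCertPool()
	trustStore.AddCert(trustedRoot) // only the legitimate CA is trusted

	genuineErr = checkLikeABrowser(genuine, trustStore, "www.facebook.com")
	forgedErr = checkLikeABrowser(forged, trustStore, "www.facebook.com")
	wrongHostErr = checkLikeABrowser(genuine, trustStore, "login.facebook.com")
	return
}

func main() {
	g, f, h := Scenario()
	fmt.Println("genuine chain:", g)
	var unknown x509.UnknownAuthorityError
	fmt.Println("forged chain:", f, "-> unknown authority?", errors.As(f, &unknown))
	fmt.Println("wrong host:", h)
}
```

Clicking through the warning is the user-side equivalent of skipping `Verify` altogether: the connection is still encrypted, but it is encrypted to whoever holds the forged certificate's private key, which is why the EFF's point about ignored warnings matters more than the crudeness of the forgery.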