Posting from Iran, I'm really worried about the current security status. Iran's opposition mostly exists on the internet these days and it's very seriously flawed.
Man In The Middle attacks are increasing and users usually ignore error messages about them.
(Firefox throws an error dialog but it has an 'I understand the risks' button. People just ignore the error).
Also, last year many Iranian FriendFeed users were arrested and the government knew about all their private discussions on FriendFeed.
(FriendFeed has been censored since the beginning. But it suddenly became uncensored for a day or two. On the other hand, FriendFeed generates an 'auth' key for each user and lets him see his RSS feed using that key. And puts the auth key in every page: government probably collected auth keys and used them to read discussions of people they arrested)
Governments using the internet to spy on their civilians is not a myth. Anonymity, trusting the cloud and related issues seem far more important when you suddenly find out a friend of yours has been arrested and his location and charges are unknown.
"Man In The Middle attacks are increasing and users usually ignore error messages about them"
Note that the reported MiTM attack should not result in a popup warning, because the CA certificate used in the MiTM is supposedly technically valid. Does anybody know which browsers include this CA? Browser vendors should consider removing it based on ethical concerns, especially if this MiTM attack is being performed very broadly, at the country level.
Under such conditions it is obviously unsafe to trust any private communications on the open internet (including sites that use SSL to encrypt data on the wire). You should ONLY use systems that ensure your content is encrypted for a key that YOU (not your browser) explicitly trust. This means using GnuPG and exchanging keys in a reliable offline medium with anyone with whom you want to communicate, basically.
Alternatively, you can use i2p and i2p outproxies, but i2p may be vulnerable to similar poisoning attacks if the government had an interest in perpetrating them. That said, it's probably much safer to use an i2p outproxy for your browsing anyway, and definitely much safer to use eepsites.
How one technical individual could protect himself is one thing, having a secure-by-design communication channel is another thing. The whole country is being spied on like that and most people don't even know/care about it. They just want to use Facebook or some 'cool' service.
Security and convenience will always be at odds with one another. If you aren't going to take the precautions, your alternatives are to watch what you write or go to jail. Anything that relies upon any unencrypted traffic for bootstrapping, etc., is unreliable when you're against a state-level player like this, because they can do just what they're doing now and replace the real response with a fake one.
As such, the only way to ensure your electronic communications are safe is to get the information necessary to bootstrap the crypto from a medium where the government has no ability to poison, which means offline transmission (CDs/USB disks). And then you still have to be careful because if the government gets the private key of your compatriot all of your conversations will be readable.
The only way to provide security for the people of Iran in a reasonable manner is to educate them on PGP and key exchange. This is not the time to talk about fairy dust, because it's not going to help anyone at this point. When you're transmitting information that will get you thrown in jail or worse, you don't dink around -- they need something tried and true, and need to understand the risks and costs associated with the communications platforms they're using.
If you want to dork with Facebook and see pictures of your neighbor's cat, that's fine, but in my opinion, it's not worth the risk (if any), and it's useless to want/expect meaningful security. I don't even know if seeing pictures of cats is a problem in Iran. :-)
If you want to communicate with other people securely, then, in my opinion, everyone in that communications group needs to consider learning information security and operational security, and then applying it. It's not simple, it's not easy, but if you want to be secure, you're going to have to plan to be serious.
It's a catch 22 when it comes to repressive regimes. You've swapped keys and are communicating with all your friends on a perfectly secure network. Now you and your friends are in jail on charges of conspiracy.
The only solution I can think of is a false door method, where you send some fake communication over one channel and somehow hide the encrypted channel.
Image steganography? It's available to almost anyone, a plain-sight method with an expected amount of natural noise. If you use a small enough payload, it is essentially deniable and undetectable.
>The only solution I can think of is a false door method, where you send some fake communication over one channel and somehow hide the encrypted channel.
That's steganography, and there are some open source programs for that. Steghide[1], for example, can hide encrypted data in JPEG images.
Stego's actually great here. Stay on the insecure or 'fake-secure' (ala this MITM) links and put out a cover story for yourself. Then communicate for realsies on stego.
And.. if your cover gives reason for you to put out a lot of data in forms that are easily stego'd, you're in good shape.
Azizam, unless you actually know the players involved in every hop of the loop, do not put your precious life in danger. If you are looking to organize, like a smart bache Terani you should go asymmetric on the goons. Think sneaker nets, etc. I further suggest that you do not put your trust in superficially maintained hostilities between the west and the flea ridden mullahs. Remember those two brothers handed to Iran from US embassy. In one of those Persian Gulf states. They were hanged if you recall. Stenography, never signaling overt use of crypt, etc. are recommended. Qorbanat.
If you expect that you would only get targeted if you actively communicate about things your government doesn't like, but not just because you use a VPN or similar, then you should get a VPN in a country somewhat less likely to cause you problems.
If you expect that the use of secure encryption at all would get you disappeared, you're screwed. And the previous situation can turn into this one on a whim.
Either way, the long-term solution does not involve technology; it involves emigration.
I don't know how it is in Iran, but I can tell you how it was in Romania before 1989 (and I guess that's pretty close to what is happening there).
It was close to impossible to emigrate legally, they would use anything to stop you. They would make you lose your job (or even do that to members of your family), they would interrogate you and members of your family (and don't think about any human rights).
A friend of my father was shot on the spot when they saw he was using a boat to cross the Danube to Yugoslavia.
It's not that simple to escape, especially with your family. You're living in a different world.
I certainly would assume the same holds true, yes; I didn't intend to imply otherwise. It still seems like the right long-term solution, just a very difficult one.
Since you are posting from Iran, can you verify this certificate is indeed being presented?
Also, how are people sure this is being perpetuated by the Iranian government? I'm asking because I see no evidence in the pastebin dumps, yet many people here seem sure the Iranian government is behind this.
My brother works in a company that produces spying software for government. Days ago, he told me he himself has written several programs to spy on yahoo, hotmail and gmail but he thought they couldn't deploy the gmail program because of https. I guess, he should think again.
I am scared. My only hope was SSL and I can't trust that anymore?