Back in February, I wrote that the Syrian government’s decision to free up access to Facebook and other sites was a risky move, potentially designed to entrap Syrians.
In the nearly three months since, it seems like I was right: First came the reports of activists and non-activists being detained, their Facebook and other passwords demanded by authorities for the purpose of monitoring accounts and spying on contacts; now, as the EFF (where I’m now based) discovered yesterday (with help from one very brave Syrian contact), the government appears to be handing Facebook users fake SSL certificates on the HTTPS version of the site in order to conduct a man-in-the-middle attack and get ahold of users’ personal information.
Additionally, as Jake Appelbaum has tweeted, Tor seems to be blocked on some Syrian ISPs (Syrians on other ISPs have reported more recently that it’s working fine).
Without HTTPS and Tor, Syrians are not safe using Facebook. And when using any other HTTPS version of a site, users should inspect the SSL certificate very carefully.
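One way to do the certificate inspection recommended above is to compare the SHA-256 fingerprint of the certificate actually served with one obtained over a channel the local network does not control. This is an added example, not code from the original post or from the EFF; the function names are hypothetical and the byte strings are constructed stand-ins for DER certificates.

```python
import hashlib
import hmac
import ssl


def normalize_fingerprint(text):
    """Accept 'AB:CD:..', 'ab cd ..' or plain hex; return lowercase hex."""
    cleaned = text.replace(":", "").replace(" ", "").strip().lower()
    if len(cleaned) != 64 or any(c not in "0123456789abcdef" for c in cleaned):
        raise ValueError("not a SHA-256 fingerprint: %r" % text)
    return cleaned


def fingerprint(der_bytes):
    """SHA-256 over the DER encoding, as shown in a browser's certificate viewer."""
    return hashlib.sha256(der_bytes).hexdigest()


def matches_pin(der_bytes, trusted_fingerprints):
    """True only if the presented certificate equals one of the trusted ones."""
    seen = fingerprint(der_bytes)
    pins = [normalize_fingerprint(p) for p in trusted_fingerprints]
    return any(hmac.compare_digest(seen, p) for p in pins)


def fetch_presented_cert(host, port=443):
    """Return the DER certificate the network path actually serves (needs network).
    No chain validation is done here on purpose: the point is to look at
    whatever certificate arrives, including a substituted one."""
    pem = ssl.get_server_certificate((host, port))
    return ssl.PEM_cert_to_DER_cert(pem)


# Constructed stand-ins for DER certificates (not real certificates).
GENUINE_DER = b"constructed-genuine-certificate"
FORGED_DER = b"constructed-forged-certificate"

# Fingerprint as it might arrive out of band: upper case, colon-separated.
_hex = fingerprint(GENUINE_DER).upper()
TRUSTED = [":".join(_hex[i:i + 2] for i in range(0, 64, 2))]

if __name__ == "__main__":
    print("genuine matches:", matches_pin(GENUINE_DER, TRUSTED))
    print("forged matches: ", matches_pin(FORGED_DER, TRUSTED))
```

Sites replace their certificates from time to time, so a mismatch means the connection should not be trusted until a fresh fingerprint has been confirmed out of band.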