In the context of the latest protests in the Middle East, we hear of governments launching man-in-the-middle attacks against social network services — for example, we hear of JavaScript code injection on Facebook in Tunisia.
Many of us are quick to point at SSL as the defense of choice. Alas, SSL is only as secure as the CAs you trust, and so this is the right time to recall Chris Soghoian’s and Sid Stamm’s work on certified lies (according to Soghoian and Stamm, Tunisia was (is?) one of the governments implicitly trusted by IE!), and the EFF’s SSL observatory. Many — too many! — parties are trusted by today’s browsers, and the assumption that any particular government isn’t able to intercept your traffic just because the browser’s SSL indicators show up is, unfortunately, not always warranted.

Some quick links: Egypt, Tunisia, SSL, and the CA system.
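To see how many parties a client actually trusts, one can inventory the local root store. The following is an added example, not part of the original post: it uses Python's standard `ssl` module, and the sample roots, their names and the helper functions are constructed for illustration.

```python
import ssl
from collections import Counter

# Constructed sample in the dict format ssl.SSLContext.get_ca_certs() returns.
SAMPLE_ROOTS = [
    {"subject": ((("countryName", "US"),), (("organizationName", "Example Trust Co"),),
                 (("commonName", "Example Trust Root 1"),))},
    {"subject": ((("countryName", "US"),), (("organizationName", "Example Trust Co"),),
                 (("commonName", "Example Trust Root 2"),))},
    {"subject": ((("countryName", "XX"),), (("organizationName", "Example Government Agency"),),
                 (("commonName", "Example National Root"),))},
    {"subject": ((("commonName", "Example Root Without Country"),),)},
]

def field(cert, key):
    """Return one subject attribute (e.g. 'countryName') or None if absent."""
    for rdn in cert.get("subject", ()):
        for name, value in rdn:
            if name == key:
                return value
    return None

def summarize(certs):
    """Count trusted roots per country and per operating organization."""
    countries = Counter(field(c, "countryName") or "(none)" for c in certs)
    orgs = Counter(
        field(c, "organizationName") or field(c, "commonName") or "(unnamed)"
        for c in certs
    )
    return {"roots": len(certs), "by_country": dict(countries), "by_org": dict(orgs)}

def load_system_roots():
    # Only certificates already loaded from a CA bundle file are listed; on systems
    # that use a hashed CA directory (capath) this list can be empty.
    return ssl.create_default_context().get_ca_certs()

if __name__ == "__main__":
    # Fall back to the constructed sample when the platform exposes no bundle.
    roots = load_system_roots() or SAMPLE_ROOTS
    report = summarize(roots)
    # Every root counted here can vouch for any hostname the client visits.
    print(f"{report['roots']} roots from {len(report['by_org'])} organizations")
    for country, n in sorted(report["by_country"].items(), key=lambda kv: -kv[1]):
        print(f"  {country}: {n}")
```

Browsers that ship their own root store will trust a different set than the operating system list this reads.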