Under such conditions it is obviously unsafe to trust any private communications on the open internet (including sites that use SSL to encrypt data on the wire). You should ONLY use systems that ensure your content is encrypted for a key that YOU (not your browser) explicitly trust. This means using GnuPG and exchanging keys in a reliable offline medium with anyone with whom you want to communicate, basically.
Alternatively, you can use i2p and i2p outproxies, but i2p may be vulnerable to similar poisoning attacks if the government had an interest in perpetrating them. That said, it's probably much safer to use an i2p outproxy for your browsing anyway, and definitely much safer to use eepsites.
How could one technical individual protect himself is one thing, having a secure-by-design communication channel is another thing. Whole country is being spied like that and most people dont even know/care about it. They just want to use Facebook or some 'cool' service.
Security and convenience will always be at odds with one another. If you aren't going to take the precautions, your alternatives are to watch what you write or go to jail. Anything that relies upon any unencrypted traffic for bootstrapping, etc., is unreliable when you're against a state-level player like this, because they can do just what they're doing now and replace the real response with a fake one.
As such, the only way to ensure your electronic communications are safe is to get the information necessary to bootstrap the crypto from a medium where the government has no ability to poison, which means offline transmission (CDs/USB disks). And then you still have to be careful because if the government gets the private key of your compatriot all of your conversations will be readable.
The only way to provide security for the people of Iran in a reasonable manner is to educate them on PGP and key exchange. This is not the time to talk about fairy dust, because it's not going to help anyone at this point. When you're transmitting information that will get you thrown in jail or worse, you don't dink around -- they need something tried and true, and need to understand the risks and costs associated with the communications platforms they're using.
If you want to dork with Facebook and see pictures of your neighbor's cat, that's fine, but in my opinion, it's not worth the risk (if any), and it's useless to want/expect meaningful security. I don't even know if seeing pictures of cats is a problem in Iran. :-)
If you want to communicate with other people securely, then, in my opinion, then everyone in that communications group needs to consider learning information security and operational security, and then applying it. It's not simple, it's not easy, but if you want to be secure, you're going to have to plan to be serious.
It's a catch 22 when it comes to repressive regimes. You've swapped keys and are communicating with all your friends on a perfectly secure network. Now you and your friends are in jail on charges of conspiracy.
The only solution I can think of is a false door method, where you send some fake communication over one channel and somehow hide the encrypted channel.
Image steganography? It's available to almost anyone, a plain-sight method with an expected amount of natural noise. If you use a small enough payload, it is essentially deniable and undetectable.
>The only solution I can think of is a false door method, where you send some fake communication over one channel and somehow hide the encrypted channel.
That's steganography, and there are some open source programs for that. Steghide[1], for example, can hide encrypted data in JPEG images.
Stego's actually great here. Stay on the insecure or 'fake-secure' (ala this MITM) links and put out a cover story for yourself. Then communicate for realsies on stego.
And.. if your cover gives reason for you to put out a lot of data in forms that are easily stego'd, you're in good shape.
Alternatively, you can use i2p and i2p outproxies, but i2p may be vulnerable to similar poisoning attacks if the government had an interest in perpetrating them. That said, it's probably much safer to use an i2p outproxy for your browsing anyway, and definitely much safer to use eepsites.