by yusaydat 812 days ago
They asked users of the VPN service to install a certificate, that's how they did it.
1 comment

The TC article leaves that a little unclear: were they actually looking at the plaintext or just gathering metrics about snapchat usage? The latter wouldn't require decrypting the session.

If Onavo did install a certificate and MITM the connections and send private user data to Meta... that's beyond the pale. That's far more worthy of a cover story than Bloomberg's debunked secretive tiny chips story from a few years ago. It's equally bad, if not worse.

Hopefully the technical details will come out.

See page two of the document: https://storage.courtlistener.com/recap/gov.uscourts.cand.36...

Seems pretty clear that they could decrypt the traffic they were interested in; they also talk about 5 years of retention of all traffic that they can decrypt at any time. Sound familiar?

Looks like they used a squid feature: https://wiki.squid-cache.org/Features/SslBump

This is the first sentence of the article:

> In 2016, Facebook launched a secret project designed to intercept and decrypt the network traffic between people using Snapchat’s app and its servers.

I read the rest of the article as well, and saw only confirmation:

> Given that Snapchat encrypted the traffic between the app and its servers, this network analysis technique was not going to be effective. This is why Facebook engineers proposed using Onavo, which when activated had the advantage of reading all of the device’s network traffic before it got encrypted and sent over the internet.

Where do you see the ambiguity? Other than the weasel words about proposing these programs (versus actually running them), it seems clear that they were decrypting the traffic (or reading it before it was encrypted). Did I miss a piece?

> This is why Facebook engineers proposed using Onavo, which when activated had the advantage of reading all of the device’s network traffic before it got encrypted and sent over the internet.

This doesn't make sense; they wouldn't see the traffic before it was encrypted. They would see it encrypted, but using the MITM certificate instead of Snapchat's. Given the inaccuracies in the article, it makes me wonder what else they got wrong.

Using a VPN client to monitor how much, when, and where traffic is going is bad, but MITM'ing a user's connection is much, much worse. I'm really skeptical that's what happened, especially given TC's inability to articulate accurately what Facebook did.
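
The mechanism the two comments above argue about (a root certificate the user installs, a proxy that mints a certificate for the real hostname and signs it with that root, so the client still sees TLS, just to the interceptor) and the check that catches it, as an added example written for this page. It is not code from the thread, from Facebook, from Onavo or from Squid. It builds throwaway CAs and leaf certificates with Go's standard library; the hostname app.example.com and the CA names are made up, and the "stock" and "tampered" trust stores stand in for a device before and after a VPN user installs the provider's certificate.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// issue generates a P-256 key and signs tmpl with parentKey; a nil parent makes the
// certificate self-signed. All material is constructed here; none of it is real.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return cert, key
}

// template describes a root CA (ca=true) or a server cert for the host named by
// name. An SslBump-style proxy mints such a leaf on the fly for every host the
// client contacts and signs it with its own root.
func template(name string, ca bool) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
	}
	if ca {
		t.IsCA, t.BasicConstraintsValid, t.KeyUsage = true, true, x509.KeyUsageCertSign
	} else {
		t.DNSNames = []string{name}
		t.KeyUsage = x509.KeyUsageDigitalSignature
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	return t
}

// spkiPin is the SHA-256 of the SubjectPublicKeyInfo, the value an app embeds
// when it pins its backend's key.
func spkiPin(c *x509.Certificate) string {
	sum := sha256.Sum256(c.RawSubjectPublicKeyInfo)
	return hex.EncodeToString(sum[:])
}

// accept models the client's decision: the presented leaf must chain to the
// device trust store for host, and if the app pins a key it must match too.
func accept(leaf *x509.Certificate, host string, roots *x509.CertPool, pin string) bool {
	if _, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: roots}); err != nil {
		return false
	}
	return pin == "" || spkiPin(leaf) == pin
}

type Outcome struct {
	StockRejectsMITM    bool // no installed root: the proxy's cert fails verification
	InstalledRootPasses bool // user installed the VPN's root: interception goes unnoticed
	PinPassesReal       bool // pinning still accepts the genuine server
	PinCatchesMITM      bool // pinning rejects the proxy's cert even with its root trusted
}

func Run() Outcome {
	const host = "app.example.com" // hypothetical backend hostname
	realCA, realKey := issue(template("Real Public Root", true), nil, nil)
	realLeaf, _ := issue(template(host, false), realCA, realKey)
	mitmCA, mitmKey := issue(template("VPN Interception Root", true), nil, nil)
	mitmLeaf, _ := issue(template(host, false), mitmCA, mitmKey)
	stock := x509.NewCertPool() // the device's trust store as shipped
	stock.AddCert(realCA)
	tampered := x509.NewCertPool() // the same store after the user installs the VPN's certificate
	tampered.AddCert(realCA)
	tampered.AddCert(mitmCA)
	pin := spkiPin(realLeaf)
	return Outcome{
		StockRejectsMITM:    !accept(mitmLeaf, host, stock, ""),
		InstalledRootPasses: accept(mitmLeaf, host, tampered, ""),
		PinPassesReal:       accept(realLeaf, host, tampered, pin),
		PinCatchesMITM:      !accept(mitmLeaf, host, tampered, pin),
	}
}

func main() {
	fmt.Printf("%+v\n", Run())
}
```

`go run` prints all four fields as true. The middle case is the one that matters for the thread: once the user has installed the interceptor's root, a plain chain check accepts the substitute certificate and the client has no way to tell it is talking to a proxy; the payload is still TLS-encrypted on the wire, but to the proxy's key. The last case is the countermeasure: an app that pins its server's SPKI hash rejects the substitute leaf regardless of what roots the device trusts, which is why interception proxies fail against pinned apps.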

That was pretty much the point of Onavo: https://techcrunch.com/2019/02/21/facebook-removes-onavo/
> Onavo [...] would collect the “Time you spend using apps, mobile and Wi-Fi data you use per app, the websites you visit, and your country, device and network type.”

That's the former type of collection I was talking about. There's no evidence I can find that they installed a root CA certificate and were MITM'ing connections. That's a major accusation and one that is not accurate as far as I can tell.

Apple banned the app because it was inspecting underlying traffic, not installing a fake root certificate: https://techcrunch.com/2019/01/30/apple-bans-facebook-vpn/

You are quoting what Facebook claimed the app did.

The language in the lawsuit complaint is explicit that FB installed a root cert to MITM and decrypt traffic:

https://news.ycombinator.com/item?id=39835115