Hacker News new | ask | show | jobs
by blcknight 814 days ago
The TC article leaves that a little unclear: were they actually looking at the plaintext or just gathering metrics about snapchat usage? The latter wouldn't require decrypting the session.

If Onavo did install a certificate and MITM the connections and send private user data to Meta... that's beyond the pale. That's far more worthy of a cover story than Bloomberg's debunked secretive tiny chips story from a few years ago. It's equally as bad if not worse.

Hopefully the technical details will come out.
2 comments
thejefflarson 814 days ago
See page two of the document: https://storage.courtlistener.com/recap/gov.uscourts.cand.36...

Seems pretty clear that they could decrypt the traffic they were interested in, they also talk about 5 years of retention of all traffic that they can decrypt at anytime. Sound familiar?

Looks like they used a squid feature: https://wiki.squid-cache.org/Features/SslBump

link
rpdillon 814 days ago
This is the first sentence of the article:

> In 2016, Facebook launched a secret project designed to intercept and decrypt the network traffic between people using Snapchat’s app and its servers.

I read the rest of the article as well, and saw only confirmation:

> Given that Snapchat encrypted the traffic between the app and its servers, this network analysis technique was not going to be effective. This is why Facebook engineers proposed using Onavo, which when activated had the advantage of reading all of the device’s network traffic before it got encrypted and sent over the internet.

Where do you see the ambiguity? Other than the weasel words about proposing these programs (versus actually running them), it seems clear that they were decrypting the traffic (or reading it before it was encrypted). Did I miss a piece?

link
blcknight 814 days ago
> This is why Facebook engineers proposed using Onavo, which when activated had the advantage of reading all of the device’s network traffic before it got encrypted and sent over the internet.

This doesn't make sense, they wouldn't see the traffic before it was encrypted. They would see it encrypted, but using the MITM certificate instead of Snapchat's. Given the inaccuracies in the article, it makes me wonder what else they got wrong.

Using a VPN client to monitor how much, when, and where traffic is going is bad, but MITM'ing a user's connection is much, much worse. I'm really skeptical that's what happened, especially given TC's inability to articulate accurately what Facebook did.

link
blakesterz 814 days ago
That was pretty much the point of Onavo: https://techcrunch.com/2019/02/21/facebook-removes-onavo/
link
blcknight 814 days ago
> Onavo [...] would collect the “Time you spend using apps, mobile and Wi-Fi data you use per app, the websites you visit, and your country, device and network type.”

That's the former type of collection I was talking about. There's no evidence I can find that they installed a root CA certificate and were MITM'ing connections. That's a major accusation and one that is not accurate as far as I can tell.

Apple banned the app because it was inspecting underlying traffic not installing a fake root certificate: https://techcrunch.com/2019/01/30/apple-bans-facebook-vpn/

link
snowwrestler 814 days ago
You are quoting what Facebook claimed the app did.

The language in the lawsuit complaint is explicit that FB installed a root cert to MITM and decrypt traffic:

https://news.ycombinator.com/item?id=39835115

link
blcknight 811 days ago
Thanks, that's crystal clear that they were indeed doing this. Wow.
link