by blcknight 812 days ago
> This is why Facebook engineers proposed using Onavo, which when activated had the advantage of reading all of the device’s network traffic before it got encrypted and sent over the internet.

This doesn't make sense; they wouldn't see the traffic before it was encrypted. They would see it encrypted, but using the MITM certificate instead of Snapchat's. Given the inaccuracies in the article, it makes me wonder what else they got wrong.

Using a VPN client to monitor how much, when, and where traffic is going is bad, but MITM'ing a user's connection is much, much worse. I'm really skeptical that's what happened, especially given TC's inability to articulate accurately what Facebook did.


That was pretty much the point of Onavo: https://techcrunch.com/2019/02/21/facebook-removes-onavo/
> Onavo [...] would collect the “Time you spend using apps, mobile and Wi-Fi data you use per app, the websites you visit, and your country, device and network type.”

That's the former type of collection I was talking about. There's no evidence I can find that they installed a root CA certificate and were MITM'ing connections. That's a major accusation and one that is not accurate as far as I can tell.

Apple banned the app because it was inspecting underlying traffic, not installing a fake root certificate: https://techcrunch.com/2019/01/30/apple-bans-facebook-vpn/

You are quoting what Facebook claimed the app did.

The language in the lawsuit complaint is explicit that FB installed a root cert to MITM and decrypt traffic:

https://news.ycombinator.com/item?id=39835115

Thanks, that's crystal clear that they were indeed doing this. Wow.