[baby]

There's a lot of confusion around these stories these days, which reminds me of the "Gmail is looking at your emails" stories[1].

First, this is not wiretapping, come on. There's targeted man-in-the-middle (MITM) attacks, and then there's this. This is plainly "we are using advanced powers to analyze your traffic".

This is not even Superfish[2] type of stuff, where Lenovo had preinstalled root certs onto laptops to display ads. This is "if you opt in we will analyze your data".

Every program you install on your laptop can basically do WHATEVER it wants. This is how viruses work. When you install a program, you agree to give it ALL power. This is true on computers generally, and this is true on phones when you side-load programs. The key is that when we install something we understand the type of program we're installing, and we trust that the program doesn't do more than what it _claims to be doing_.

So the question here is not "how does Onavo manage to analyze traffic that's encrypted", it's "does Onavo abuses the trust and the contract it has with its users?"

[1]: https://variety.com/2017/digital/news/google-gmail-ads-email...

[2]: https://www.virusbulletin.com/blog/2015/02/lenovo-laptops-pr...

[jasonvorhe]

That might have been true in the past, but nowadays at least macOS/Android/iOS can enforce several restrictions on the apps you install, like prevent them from changing OS settings/files, limit access to only specified/opt-in directories, limit the amount of background activity, etc.

I don't know about Windows or Linux though.

[felixg3]

Windows applications can easily install TLS root certificates, which essentially all „anti virus“ tools (i.e. snake oil) do. On Linux, it’s obvious; if you’re installing something as root, you can add certificates. In that context, apple is doing something right and makes it rather tedious to install root certs

[skywhopper]

So, your argument is that MITM/wiretapping is okay if you do it at a large enough scale?

[xvector]

If someone consents to your clear request to read their data in the plain, then it's not evil. Still not my cup of tea, but if you clearly explain and obtain consent, it's shady but fine.

[cycomanic]

So how is that relevant in the context here. FB did not clearly request to be able to read all traffic (encrypted and nonencrypted) so how could they get consent. Unless you're arguing, "we will monitor your Internet usage", clearly means we will man-in-the-middle all your connections. Which would be a weird take.

[hiatus]

> FB did not clearly request to be able to read all traffic (encrypted and nonencrypted) so how could they get consent.

I can't find the consent page/legalese shown to users, do you have a link?

[renaudg]

Yes they did. Participants were even compensated for it IIRC

[baby]

Is little snitch on mac a virus?