Hacker News new | ask | show | jobs
by dylan604 697 days ago
That's great for someone reading this forum to be aware of, but moms have no idea what any of the words you just wrote means. So if they were told they get a coupon for installing or some other bit of ridiculous things malware devs use, and yes I'm calling FB software malware. All of if it. Messenger, FB.app, everything. If it's from Meta, it's malicious.
3 comments
walrus01 697 days ago
That's a very good point. I have within recent memory installed my own internal CA that I run on Android devices that I own and trust, and the process on android 11+ is sufficiently daunting that 99.5% of peoples' moms could not do it in one or two clicks. You have to go deep into system settings and manually import the CA. This requires first file-transferring the CA file somewhere onto local /sdcard storage and possibly having a file system explorer app installed to be able to view its location on "disk" and pick it.

As is pointed out in the article, I would presume that Google saw the threat from allowing an app to install and trust a root CA as well, and removed the ability for a "one click" install of a root CA:

"KeyChain.createInstallIntent() stopped working in Android 7 (Nougat). A user would have to manually install the certificate. It would no longer be possible to have Facebook's CA cert installed directly in the app."

link
sadboi31 696 days ago
I would argue that everyone over the age of 8 can do it with sufficient motivation and quality documentation. $10-20 and the promise of more money doing some low-effort "consumer survey" or providing "extra analytics" is pretty enticing to a massive number of people really struggling in this country.

Despite being hard-up I don't think the vast majority of these low-income individuals would agree to being so egregiously wiretapped and data mined for future political ads on youtube or bundled into some other product without better compensation.

link
ahazred8ta 697 days ago
Try comparing P2P OTR E2EE vs Non-CA TOFU SSH
link
yjftsjthsd-h 697 days ago
Any app capable of installing a TLS CA is capable of writing to known_hosts (or authorized_keys, while we're at it).
link
dylan604 697 days ago
hell, even I don't know what the "words" you just used mean!
link
iam-TJ 697 days ago
That got me too for a few seconds whilst my brain cogs whirred... but the latter sounds tastier than the former for some reason!

For those wondering:

  P2P OTR E2EE == Peer to Peer, Off The Record, End to End Encryption
  Non-CA TOFU SSH == Non-Certificate Authority, Trust On First Use, Secure SHell
link
smcin 697 days ago
"the average parent"
link