Well, this is a transcendent level of evil: Facebook bought a VPN company and deployed it, in part, to spy on its competitor's users.

https://techcrunch.com/2024/03/26/facebook-secret-project-snooped-snapchat-user-traffic/

It's a reminder that VPNs have their own risks, beyond technical ones if operated incompetently -- namely, that you have to trust the VPN company itself.

UPDATED to reflect which users were being spied on.

Facebook snooped on users' Snapchat traffic in secret project, documents reveal | TechCrunch

A secret program called "Project Ghostbusters" saw Facebook devise a way to intercept and decrypt the encrypted network traffic of Snapchat users to study their behavior.

@dangillmor it seems like the article is inaccurate, the traffic between the app and Snapchat's servers is still encrypted with TLS, whether it goes over an (additional) encrypted VPN tunnel or not, unless I'm missing some detail somewhere

@charlag @dangillmor

It's not an additional tunnel, it's a different network stack that gives the opportunity to encrypt the traffic and siphon off what's wanted before that happens.

I don't know why it's a class action, if there's evidence there's sufficient criminal law to go after the corporate officers.

@simon_lucy @dangillmor okay, I still don't get how a VPN provider or app would read TLS-encrypted traffic

@charlag @dangillmor

"In order to SSL bump Snapchat—and later YouTube and Amazon—Facebook employees created custom client- and server-side code based on Onavo’s VPN proxy app and server stack. This code, which included a client-side “kit” that installed a “root” certificate on Snapchat users’ (and later, YouTube and Amazon users’) mobile devices." They replicated all of the certificates.

https://storage.courtlistener.com/recap/gov.uscourts.cand.369872/gov.uscourts.cand.369872.735.0.pdf

@simon_lucy @dangillmor thank you, this makes much more sense now

@charlag @dangillmor

In other words, they created a client app which intercepted both ends of the connection.

@simon_lucy @charlag @dangillmor
In other words, it's not a normal VPN, it's (also?) an SSL-proxy that breaks up the encrypted connection

@simon_lucy @charlag @dangillmor

This explanation of how Meta might do evil with a VPN is exactly why most regular users give up and just say, "Make money off of my habits on your social platform." I have not a clue what the post means. But it sounds like the only way to win the game is to not play the game. And if that's the explanation, then just say that.

@TopKnot actually the explanation is literally analogous to the meme posted above: https://mastodon.social/@christerk/112166240851496258
Where the players are:
Coconut: Snapchat
Woman: Facebook's VPN
Man: User
Straws: encrypted tunnels so both Snapchat and User feel they're using the proper method.

Facebook's VPN client is doing a Man-In-The-Middle (MITM) attack. In this case, the woman, a person in the middle.

@simon_lucy @charlag @dangillmor
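To make the coconut picture concrete: installing a root certificate on the device makes the forged chain pass the trust-store check, but it cannot reproduce the real server's private key, so a key pin baked into the app still catches the bumped connection. Added example in stdlib Python, not code from the thread or from Onavo; the certificate objects, names and key bytes are constructed stand-ins, not real X.509 data.

```python
"""Why an injected root CA defeats trust-store checks but not SPKI pinning."""
from dataclasses import dataclass
from hashlib import sha256


@dataclass(frozen=True)
class Cert:
    """Constructed stand-in for an X.509 certificate (not real DER)."""
    subject: str
    issuer: str
    spki: bytes  # stand-in for the SubjectPublicKeyInfo bytes


def spki_pin(cert: Cert) -> str:
    # Pin = SHA-256 over the public key, as HPKP / mobile pinning libraries do
    return sha256(cert.spki).hexdigest()


def chain_is_trusted(chain, trust_store) -> bool:
    """Trust-store check only: each issuer names the next cert, root is in store."""
    for child, parent in zip(chain, chain[1:]):
        if child.issuer != parent.subject:
            return False
    root = chain[-1]
    return trust_store.get(root.subject) == root.spki


def leaf_is_pinned(chain, pins) -> bool:
    """Pinning check: the leaf's public key must match a pin shipped in the app."""
    return spki_pin(chain[0]) in pins


def verify(chain, trust_store, pins) -> bool:
    return chain_is_trusted(chain, trust_store) and leaf_is_pinned(chain, pins)


# Constructed sample data: a genuine chain and a bumped (MITM) chain.
REAL_ROOT = Cert("Public CA Root", "Public CA Root", b"public-ca-root-key")
REAL_LEAF = Cert("app.example-chat.test", "Public CA Root", b"real-server-key")
PINS = {spki_pin(REAL_LEAF)}  # baked into the app at build time
MITM_ROOT = Cert("Injected Root", "Injected Root", b"injected-root-key")  # pushed by the "kit"
MITM_LEAF = Cert("app.example-chat.test", "Injected Root", b"forged-key")  # same name, other key


def scenarios() -> dict:
    clean_store = {"Public CA Root": b"public-ca-root-key"}
    bumped_store = {**clean_store, "Injected Root": b"injected-root-key"}
    return {
        "real_chain_clean_store": verify([REAL_LEAF, REAL_ROOT], clean_store, PINS),
        "mitm_chain_clean_store": chain_is_trusted([MITM_LEAF, MITM_ROOT], clean_store),
        "mitm_chain_bumped_store_trust_only": chain_is_trusted([MITM_LEAF, MITM_ROOT], bumped_store),
        "mitm_chain_bumped_store_with_pins": verify([MITM_LEAF, MITM_ROOT], bumped_store, PINS),
    }
```

The third scenario is the Onavo situation: once the extra root sits in the device's store, name-chaining alone accepts the forged leaf, and only the pin check (fourth scenario) rejects it.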

@TopKnot and you're right, in general with these surveillance capitalism monopolies, the only way to win is not to play.
@simon_lucy @charlag @dangillmor

@TopKnot @charlag @dangillmor

Someone asked a very reasonable question: how could a VPN 'man in the middle' a secure end-to-end encryption? I quoted the relevant part of the case papers.

I summarised it in the next comment.

This is a technical issue with ethical, legal and trust concerns; there will be technical language. Not explaining it would be worse.

There's a second major point to make: if Meta can and did do this, then any govt can do the same. And they already want to.

@charlag @dangillmor

Yeah, it doesn't make sense to me either, unless Snapchat is downloading encryption keys dynamically? Then you can MITM the key download, give the Snapchat app your key, while storing the Snapchat server key for your middleman use. Then the app sends you traffic encrypted with your key, your MITM server decrypts it to plaintext, makes a copy for "research", then re-encrypts the plaintext with the Snapchat-supplied key and sends it off to Snapchat.