Meta's Onavo VPN removed SSL encryption of competitor's analytics traffic

That is insane and I would be inclined to not believe it if someone had told me this. This is such an immense breach of trust that even for me, who has a very low opinion of Meta, it is unexpected. I hope this will blow up as much as it should

Can someone explain how exactly they were able to decrypt the SSL traffic, is it possible to install a root CA without huge warnings from the OS?

That's appalling to say at least. But Snapchat implemented certificate-pinning since 2015. Does that mean either the analytics endpoint was not covered or somehow the certificate-pinning is circumvented in this case?

My €5 VPN allows me to use 500 IPs in 50 countries. Give me the VPS that allows me to do that.

Not everyone is savvy enough to do it, even though the process has been simplified with many hosting providers providing preconfigured VPN servers.

And it doesn't anonymize you that well. When you post a message that draws the attention of law enforcement, the IP will lead them to a VPN provider that hopefully doesn't keep any logs.

But if it leads them to a specific server, the hosting provider will disclose your account and payment data, since it is linked to your private server. Unless they accept fully pseudonymous accounts and let you pay for your VPS in cash, Monero or tumbled Bitcoins, finding you is much easier now.

It really depends on why are you trying to do. It is not easy (or just impossible) to get the same amount of ip with that $5/mo or $10/mo VPN services by renting your own VPS at the same price.

https://news.ycombinator.com/item?id=9224

why people pay for 3rd party VPNs? It's far more secure to create your own wireguard/openvpn/whatever with a cheap VPS

Your comment seems to infer that you're unable to empathize with people who might think/understand differently than you. It also seems to negate that you avail of other services/non-self-controlled processes without worrying about the threat models, there.

Just hand-waiving with a "Why don't people just do 'x'?" is ironic - in the sense of "Why do you do your own medical care?" or "Why don't you grow your own food and slaughter your own animals?" or "Why don't you manufacture your own phone, it's operating system - oh, and the cellular tower closest to you?".

Threat models exist, _everywhere_, and it's impossible for someone to build all of the pieces, themselves, to prevent all threat models at every possible avenue/point.

In other words, at a non-arbitrary point, doing _everything_ yourself is untenable and that's precisely why services in society exist, today (that and ease of access, use, required foreknowledge, and - most notably - cost).

Oftentimes, it's not about security but about circumventing censorship. A cheap VPS comes with a fixed IP located in one fixed part of the world. Many VPN providers allow switching.

You have to trust someone somewhere. You're simply placing your trust in the VPS provider instead of a third party VPN provider.

Not to mention the other stuff the VPN providers give you as standard which you'd have to implement and maintain yourself.

Because most people are not techies.

Compared to the rest of the world, the number of people who even know what a VPS is is microscopically small.

And even those that do, the number of them with the time, desire, or skill, to do as you suggest, is even smaller.

I myself was into this sort of thing just 10 years ago. Now, as I start looking at hitting the big 6-0 in just a few years time, I’m already working on divesting myself of all this complexity,

I heard about this a few years ago. The trial participants were informed, consented, and paid. If you consent to a root cert being installed and analytics being proxied, well, that's that.

First, all VPNs spy on you, just don't believe these claims because they are forced by law to do it. Second, don't use a VPN that clearly states that they're analyzing your traffic data.

Certificate pinning and validation in apps for one. Onavo's VPN was really clear it collected market research data. It was as informed consent as a click-through could be.

Don’t install additional root certificates.

That’s what Facebook enticed users to do here. Without that root cert they wouldn’t have been able to see as much as they did.

Yes and No.

for TLS traffic you need to also install onavo.

But the app does scan your contact list every couple minutes and send diffs to their servers. Even if you have never opened the app. And on previous android versions all your recently open apps list too.

But again, if you install whatsapp you must give them the contact list permission anyway otherwise the app is intentionally broken and annoying.

Only when they used Onavo, it seems?

https://en.wikipedia.org/wiki/Onavo is slightly more readable than the legal document submitted as the link.

I might be wrong but I think you need the onavo VPN installed

Then your YouTube, Snapchat analytics would get man in the middled

Why single out Cloudflare? They are not the only CDN or PaaS with SSL fronting.

That's different. I have a lot of problems with CF, but when you sign up for a service which requires to see the traffic and you configure it explicitly to see your traffic... what's the complaint here?

Given Snowden, I have to assume Cloudfare is under the thumb of at least the NSA.

For example, all the usual arguments against backdoors are going to be used by intelligence agencies to justify "providing assistance", which isn't even merely a euphemistic excuse given how incredibly valuable it would be for normal organised crime to spy on some of the encrypted data… but also is at least a bit of a euphemism, as I have to assume the controversies about terrorist groups using Cloudfare are only pemitted to happen because someone in US intelligence knows how to squeeze secrets from those groups.

In theory, messing with SSL is one of Cloudfare's features, not a secret; in practice I suspect most end users treat all this as magic — I've directly witnessed magical thinking with the padlock icon in browsers.

The difference is that people* know and accept that CloudFlare does this. They advertise it as a feature.

*most willing customers of CloudFlare.

So, your argument is that MITM/wiretapping is okay if you do it at a large enough scale?

That might have been true in the past, but nowadays at least macOS/Android/iOS can enforce several restrictions on the apps you install, like prevent them from changing OS settings/files, limit access to only specified/opt-in directories, limit the amount of background activity, etc.

I don't know about Windows or Linux though.

Here is a quote from Facebook/Meta's legal council to the Judge. In this document "Advertisers" refers to Snapchat, YouTube and Amazon.

"... the Wiretap Act provides that an interception is not unlawful if a party to the communication “has given prior consent to such interception.” 18 U.S.C. § 2511(2)(d). Advertisers conspicuously fail to mention—and apparently do not contest—that Meta obtained participants’ prior consent to participate in the Facebook Research App, and with good reason: Participants affirmatively consented to “Facebook … collecting data about [their] Internet browsing activity and app usage” to enable Facebook to “understand how [they] browse the Internet, how [they] use the features in the apps [they’ve] installed, and how people interact with the content [they] send and receive."

So users consented?

I mean, sure, you could also do “market research” by breaking into people’s homes, reading their mail, and listening in on all their phone calls. I hope some actual criminal prosecution results from this disclosure, as it’s very clearly “hacking” and “wiretapping” and “unauthorized access”.

Meta is a known state-actor. They likely have federal immunity to most wrong-doings.

(Source: https://www.vice.com/en/article/v7gd9b/facebook-helped-fbi-h...)

Bear in mind that they don’t applied this to everyone, which would be practically impossible.

They hired Snapchat users (via a testing services provider ) to let meta observe their usage of Snapchat.

Something akin to paying someone to let a meta researcher sit by your side and observe while you use the app.

This happens all the time (hiring the testing services to recruit users to use your own app and analyze the patterns with screen recordings and such).

The news here is paying for someone to “test” a competitors’ app.

I hope that the testers knew they had Snapchat analyzed and not that they were told they were testing only Onavo.

IT;S DMCA NOT DCMA

"May I direct your honor that my client is a wealthy tech billionaire who would otherwise be at risk of being slightly annoyed if they were sent to jail for intercepting private communications of competitors..."

Lame

Yes it's old news(1) but it has come up again in numerous HN and reddit posts for a few reasons (if you flick through HN you'll see various versions of this story holding lower ranks.)

Also noteworthy is that Google were also doing something similar at the time, both were side-stepping Apple's privacy protections in iOS by using enterprise certificates that allowed the side-loading of apps without Apple's overview. In response Apple more thoroughly restricted how these certificates can be used.

Interestingly I've noticed in the DMA threads people suggesting that a company exploiting side-loading to dodge Apple's privacy protections was nothing more than fear mongering. As if this is a red line developers won't cross.

To me, it's wild to think that people on HN don't know about this relatively recent history and are so naive to think that these protections were just pulled out of the air to frustrate developers, and not a reaction to an on-going arms war against consumer's right to privacy.

(1) https://www.extremetech.com/internet/284770-apple-kills-face...