Facebook insecure by design
joelja at bogus.com
Sun Oct 2 23:05:38 UTC 2011
On 10/2/11 15:43 , Joel jaeggli wrote:
> On 10/2/11 15:25 , Jimmy Hess wrote:
>> On Sun, Oct 2, 2011 at 4:53 PM, <Valdis.Kletnieks at vt.edu> wrote:
>>> On Sun, 02 Oct 2011 08:38:36 PDT, Michael Thomas said:
>>>> I'm not sure why lack of TLS is considered to be a problem with Facebook.
>>>> The man in the middle is the other side of the connection, TLS or otherwise.
>>> Ooh.. subtle. :)
>> Man in the Middle (MITM) is a technical term that refers to a rather
>> specific kind of attack.
>> In this case, I believe the proper term would be just "The man".
>> [Or "Man at the Other End (MATOE)"]; you either trust Facebook with
>> info to send to them or you don't, and network security is only for
>> securing the transportation of that information you opt to send
>> Facebook.
> alice sends charlie a message using bob's api, bob can observe and
> probably monetize the contents.
>> Yes, if Alice sends Bob an encrypted message that Bob can read, and
>> Bob turns out to be untrustworthy, then Bob can sell/re-use the
>> information in an abusive/unapproved way for personal or economic
>> profit.
> charlie is probably untrustworthy, bob is probably more so (mostly
> because bob has more to lose than charlie), alice isn't cognizant of the
> implications of running charlie's app on bob's platform despite the
> numerous disclaimers she blindly clicked through on the way there.