Facebook insecure by design

Murtaza leothelion.murtaza at gmail.com
Thu Oct 20 01:22:40 CDT 2011


Going back to the initial security problem identified by Williams, I also
experienced something today. I guess he is right about that. I am behind a
proxy and I just disabled the proxy for "Secure Web", which means HTTPS.
Now guess what: I was still able to access Facebook while I was not able to
access Google. That clearly means there is something wrong. What do you guys
think?
Ghulam

On Wed, Oct 5, 2011 at 2:28 AM, Bill.Pilloud <bill.pilloud at gmail.com> wrote:

> Is this not the nature of social media? If you want to make sure something
> is secure (sensitive information), Why is it on social media. If you are
> worried about it being monetised, I think Google has already done that.
> ----- Original Message ----- From: "Joel jaeggli" <joelja at bogus.com>
> To: "Jimmy Hess" <mysidia at gmail.com>
> Cc: <nanog at nanog.org>
> Sent: Sunday, October 02, 2011 4:05 PM
> Subject: Re: Facebook insecure by design
>
>
>
>  On 10/2/11 15:43 , Joel jaeggli wrote:
>>
>>> On 10/2/11 15:25 , Jimmy Hess wrote:
>>>
>>>> On Sun, Oct 2, 2011 at 4:53 PM,  <Valdis.Kletnieks at vt.edu> wrote:
>>>>
>>>>> On Sun, 02 Oct 2011 08:38:36 PDT, Michael Thomas said:
>>>>>
>>>>>> I'm not sure why lack of TLS is considered to be a problem with
>>>>>> Facebook.
>>>>>> The man in the middle is the other side of the connection, TLS or
>>>>>> otherwise.
>>>>>>
>>>>> Ooh.. subtle. :)
>>>>>
>>>>
>>>> Man in the Middle (MITM) is a technical term that refers to a rather
>>>> specific kind of attack.
>>>>
>>>> In this case, I believe the proper term would be just "The man".
>>>> [Or "Man at the Other End (MATOE)"]; you either trust Facebook with
>>>> info to send to them or you don't, and network security is only for
>>>> securing the transportation of that information you opt to send Facebook.
>>>>
>>>
>>> alice sends charlie a message using bob's api, bob can observe and
>>> probably monetize the contents.
>>>
>>>> Yes, if Alice sends Bob an encrypted message that Bob can read, and
>>>> Bob turns out to be untrustworthy, then Bob can sell/re-use the
>>>> information in an abusive/unapproved way for personal or economic profit.
>>>>
>>>
>>> charlie is probably untrustworthy, bob is probably moreso (mostly
>>>
>>                                                          ^
>> trustworthy
>>
>>> because bob has more to lose than charlie), alice isn't cognizant of the
>>> implications of running charlie's app on bob's platform despite the
>>> numerous disclaimers she blindly clicked through on the way there.
>>>
>>>
>>>
>>>> --
>>>> -JH
>>>>
>>>>
>>>
>>>
>>
>>
>
>
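Murtaza's observation above (Facebook still reachable once the proxy stopped carrying HTTPS, Google not) is something a practitioner can verify rather than guess at: fetch the site's front door over plain port 80 and see whether it answers in the clear or bounces you to https://. The script below is an added example for this thread, not code from the list or from Facebook or Google. It parses an HTTP/1.x response head the way a proxy or client would see it, classifies the site as serving plain HTTP, forcing TLS via redirect, or redirecting elsewhere over HTTP, and lists any cookies set in a plain-HTTP response without the Secure attribute (the browser will replay those on every later http:// request, so anyone on the path can read them). The two sample responses are constructed to match the two cases in the message, not captured traffic; `check_host` is the live variant and assumes direct port-80 connectivity with no proxy in the way.

```python
"""Does a site's plain-HTTP front door force TLS?  (added example, not from the thread)"""
import http.client
from urllib.parse import urlsplit

REDIRECTS = {301, 302, 303, 307, 308}


def parse_head(raw: bytes):
    """Parse the status line and headers of a raw HTTP/1.x response.

    Returns (status_code, headers); headers maps lower-cased names to a list
    of values so repeated headers such as Set-Cookie are all kept.
    """
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    status_line, *header_lines = head.split("\r\n")
    status = int(status_line.split(maxsplit=2)[1])
    headers = {}
    for line in header_lines:
        name, sep, value = line.partition(":")
        if not sep:
            continue  # tolerate a stray non-header line
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return status, headers


def classify(status, headers):
    """'forces-tls', 'plain-http', 'redirect-http' or 'other' for a port-80 reply."""
    if status in REDIRECTS:
        location = headers.get("location", [""])[0]
        if urlsplit(location).scheme.lower() == "https":
            return "forces-tls"      # port 80 only exists to send you to 443
        return "redirect-http"       # bounced, but still in the clear
    if 200 <= status < 300:
        return "plain-http"          # content served without TLS
    return "other"


def cookies_without_secure(headers):
    """Names of cookies set by this (plain-HTTP) response without the Secure flag.

    Any such cookie is sent back over later http:// requests and is readable
    by whoever sits between the client and the site.
    """
    exposed = []
    for cookie in headers.get("set-cookie", []):
        pair, *attrs = [p.strip() for p in cookie.split(";")]
        if not any(a.lower() == "secure" for a in attrs):
            exposed.append(pair.split("=", 1)[0])
    return exposed


def check_host(host, timeout=5.0):
    """Live check: GET / over port 80 and classify the answer (needs network)."""
    conn = http.client.HTTPConnection(host, 80, timeout=timeout)
    try:
        conn.request("GET", "/", headers={"Host": host, "User-Agent": "tls-check/1"})
        resp = conn.getresponse()
        headers = {}
        for name, value in resp.getheaders():
            headers.setdefault(name.lower(), []).append(value)
        return classify(resp.status, headers), cookies_without_secure(headers)
    finally:
        conn.close()


# Constructed sample responses (not captured traffic): one site that answers
# on port 80 and sets a session cookie, one that bounces port 80 to HTTPS.
PLAIN_SITE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html; charset=utf-8\r\n"
    b"Set-Cookie: sid=abc123; Path=/; HttpOnly\r\n"
    b"Set-Cookie: pref=en; Path=/; Secure\r\n"
    b"\r\n"
    b"<html>...</html>"
)
TLS_SITE = (
    b"HTTP/1.1 301 Moved Permanently\r\n"
    b"Location: https://www.example.com/\r\n"
    b"Content-Length: 0\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    for label, raw in (("plain site", PLAIN_SITE), ("tls site", TLS_SITE)):
        status, headers = parse_head(raw)
        print(label, classify(status, headers), cookies_without_secure(headers))
```

Run it as-is to see the two constructed cases classified; call `check_host("www.example.com")` from a shell with direct port-80 access to test a real site. Note that a Strict-Transport-Security header is only honoured when received over HTTPS, so a site that answers 200 on port 80 is "plain-http" here even if it sends HSTS; the redirect is what matters on the first contact.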

