Facebook insecure by design

steve pirk [egrep] steve at pirk.com
Sun Oct 23 12:43:26 CDT 2011


Just about everything on Google pages is https these days, even search if
you enable it.

If anybody on this thread uses gmail com a you really ought to take a look
at google plus. Compare the way user privacy is the primary objective,
versus the share everything by default of facebook.

I cannot think of anything that could do something like this in the Gmail or
Plus products.
 On Oct 19, 2011 11:22 PM, "Murtaza" <leothelion.murtaza at gmail.com> wrote:

> Going back to the initial security problem identified by Williams, I also
> experienced something today. I guess he is right about that. I am behind a
> proxy and I just disabled the proxy for "Secure Web" which means HTTPS.
> Now guess what I was still able to access facebook while I was not able to
> access google. That clearly means there is something wrong. What do you
> guys
> think?
> Ghulam
>
> On Wed, Oct 5, 2011 at 2:28 AM, Bill.Pilloud <bill.pilloud at gmail.com>
> wrote:
>
> > Is this not the nature of social media? If you want to make sure
> something
> > is secure (sensitive information), Why is it on social media. If you are
> > worried about it being monetised, I think Google has already done that.
> > ----- Original Message ----- From: "Joel jaeggli" <joelja at bogus.com>
> > To: "Jimmy Hess" <mysidia at gmail.com>
> > Cc: <nanog at nanog.org>
> > Sent: Sunday, October 02, 2011 4:05 PM
> > Subject: Re: Facebook insecure by design
> >
> >
> >
> >  On 10/2/11 15:43 , Joel jaeggli wrote:
> >>
> >>> On 10/2/11 15:25 , Jimmy Hess wrote:
> >>>
> >>>> On Sun, Oct 2, 2011 at 4:53 PM,  <Valdis.Kletnieks at vt.edu> wrote:
> >>>>
> >>>>> On Sun, 02 Oct 2011 08:38:36 PDT, Michael Thomas said:
> >>>>>
> >>>>>> I'm not sure why lack of TLS is considered to be problem with
> >>>>>> Facebook.
> >>>>>> The man in the middle is the other side of the connection, tls or
> >>>>>> otherwise.
> >>>>>>
> >>>>> Ooh.. subtle. :)
> >>>>>
> >>>>
> >>>> Man in the Middle (MITM) is a technical term that refers to a rather
> >>>> specific kind of attack.
> >>>>
> >>>> In this case, I believe the proper term would be just "The man".
> >>>> [Or  "Man at the Other End  (MATOE)"];  you either trust Facebook with
> >>>> info to send to
> >>>> them or you don't, and network security is only for securing the
> >>>> transportation of that information
> >>>> you opt to send facebook.
> >>>>
> >>>
> >>> alice sends charlie a message using bob's api, bob can observe and
> >>> probably monetize the contents.
> >>>
> >>>  Yes, if Alice sends Bob an encrypted message that Bob can read, and
> >>>> Bob turns out to
> >>>> be untrustworthy,  then  Bob can sell/re-use the information in an
> >>>> abusive/unapproved way for
> >>>> personal or economic profit.
> >>>>
> >>>
> >>> charlie is probably untrustworthy, bob is probably moreso (mostly
> >>>
> >>                                                          ^
> >> trustworthy
> >>
> >>> because bob has more to lose than charlie), alice isn't cognizant of
> the
> >>> implications of running charlie's app on bob's platform despite the
> >>> numerous disclaimers she blindly clicked through on the way there.
> >>>
> >>>
> >>>
> >>>  --
> >>>> -JH
> >>>>
> >>>>
> >>>
> >>>
> >>
> >>
> >
> >
>


More information about the NANOG mailing list