[145245] in North American Network Operators' Group


Re: Facebook insecure by design

daemon@ATHENA.MIT.EDU (Jimmy Hess)
Sun Oct 2 12:37:23 2011

In-Reply-To: <4E88857C.7040106@mtcc.com>
Date: Sun, 2 Oct 2011 11:36:20 -0500
From: Jimmy Hess <mysidia@gmail.com>
To: Michael Thomas <mike@mtcc.com>
Cc: nanog@nanog.org
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

On Sun, Oct 2, 2011 at 10:38 AM, Michael Thomas <mike@mtcc.com> wrote:
> I'm not sure why lack of TLS is considered to be problem with Facebook.
> The man in the middle is the other side of the connection, tls or otherwise.

That's where the X509 certificate comes in. A man in the middle
would not have the proper private key to impersonate the Facebook
server that the certificate was issued to.

Supporting TLS in their case is not good enough...  they would need to
force all connections to be over TLS, to achieve security against
MITM.

As soon as an app causes the end user to switch to a non-TLS
connection, they are vulnerable.

>
> Mike
--
-JH
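The two halves of the point made in this reply (verify the server's X.509 certificate on the client side; never let the application fall back to a plaintext connection) can be expressed as concrete checks. The following is an added example for this archive page, not code from the thread or from Facebook; the host name `app.example.com`, the redirect chain and the `respond()` policy are constructed for illustration.

```python
"""Defender-side TLS enforcement checks (constructed example, not from the thread).

  1. Client side: only talk to the server over a TLS connection whose
     certificate chain and hostname are actually verified, and never follow
     a redirect that leaves TLS.
  2. Server side: never serve the application over plaintext; redirect to
     https and send HSTS so the browser stops attempting plaintext at all.
"""
import ssl
from urllib.parse import urlsplit

# Hypothetical application host; a real deployment would use its own.
APP_HOST = "app.example.com"


def is_tls_url(url: str) -> bool:
    """True only for an https URL that names a host."""
    parts = urlsplit(url)
    return parts.scheme == "https" and bool(parts.netloc)


def make_client_context() -> ssl.SSLContext:
    """A client context that checks the X.509 chain and the hostname.

    Without CERT_REQUIRED and check_hostname the certificate is never
    verified, so an interposed party could present any certificate it likes
    and the private-key argument in the message above would not apply.
    """
    ctx = ssl.create_default_context()  # loads the system trust store
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # refuse legacy versions
    return ctx


def first_downgrade(redirect_chain):
    """Index of the first hop in a redirect chain that is not TLS, else None.

    redirect_chain is the ordered list of URLs a client was sent through,
    original request first. An app that bounces the user to http:// at any
    hop has opened exactly the window the message warns about.
    """
    for i, url in enumerate(redirect_chain):
        if not is_tls_url(url):
            return i
    return None


def respond(scheme: str, host: str, path: str):
    """Server-side policy: a plaintext request gets a redirect, never content.

    Returns (status_code, headers) for a request that arrived over `scheme`.
    The HSTS header tells the browser to use https for this host for a year,
    so later plaintext attempts are upgraded before they leave the browser.
    """
    if scheme != "https":
        return 301, {"Location": f"https://{host}{path}"}
    return 200, {
        "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    }


if __name__ == "__main__":
    # Constructed redirect chain: login starts on https, then an app link
    # sends the user to a plaintext page. Hop 2 is the exposure.
    chain = [
        f"https://{APP_HOST}/login",
        f"https://{APP_HOST}/home",
        f"http://{APP_HOST}/apps/game",
    ]
    print("first downgrade at hop:", first_downgrade(chain))
    print("plaintext request ->", respond("http", APP_HOST, "/home"))
    print("tls request ->", respond("https", APP_HOST, "/home"))
```

`first_downgrade()` is the check a client library or a monitoring job can run over the URLs an application hands out; `respond()` is the server-side half, where the redirect alone still leaves one plaintext request on the wire per visit, which is why the HSTS header accompanies it.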