[145768] in North American Network Operators' Group

Re: Facebook insecure by design

daemon@ATHENA.MIT.EDU (Murtaza)
Thu Oct 20 02:24:23 2011

In-Reply-To: <093055FBC670440881925307C4117BF2@digitpc>
Date: Thu, 20 Oct 2011 17:22:40 +1100
From: Murtaza <leothelion.murtaza@gmail.com>
To: "Bill.Pilloud" <bill.pilloud@gmail.com>
Cc: nanog@nanog.org
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

Going back to the initial security problem identified by Williams, I also
experienced something today. I guess he is right about that. I am behind a
proxy and I just disabled the proxy for "Secure Web" which means HTTPS.
Now guess what: I was still able to access Facebook while I was not able to
access Google. That clearly means there is something wrong. What do you guys
think?
Ghulam

On Wed, Oct 5, 2011 at 2:28 AM, Bill.Pilloud <bill.pilloud@gmail.com> wrote:

> Is this not the nature of social media? If you want to make sure something
> is secure (sensitive information), why is it on social media? If you are
> worried about it being monetised, I think Google has already done that.
> ----- Original Message -----
> From: "Joel jaeggli" <joelja@bogus.com>
> To: "Jimmy Hess" <mysidia@gmail.com>
> Cc: <nanog@nanog.org>
> Sent: Sunday, October 02, 2011 4:05 PM
> Subject: Re: Facebook insecure by design
>
>
>
>  On 10/2/11 15:43 , Joel jaeggli wrote:
>>
>>> On 10/2/11 15:25 , Jimmy Hess wrote:
>>>
>>>> On Sun, Oct 2, 2011 at 4:53 PM,  <Valdis.Kletnieks@vt.edu> wrote:
>>>>
>>>>> On Sun, 02 Oct 2011 08:38:36 PDT, Michael Thomas said:
>>>>>
>>>>>> I'm not sure why lack of TLS is considered to be problem with
>>>>>> Facebook.
>>>>>> The man in the middle is the other side of the connection, tls or
>>>>>> otherwise.
>>>>>>
>>>>> Ooh.. subtle. :)
>>>>>
>>>>
>>>> Man in the Middle (MITM) is a technical term that refers to a rather
>>>> specific kind of attack.
>>>>
>>>> In this case, I believe the proper term would be just "The man".
>>>> [Or  "Man at the Other End  (MATOE)"];  you either trust Facebook with
>>>> info to send to
>>>> them or you don't, and network security is only for securing the
>>>> transportation of that information
>>>> you opt to send facebook.
>>>>
>>>
>>> alice sends charlie a message using bob's api, bob can observe and
>>> probably monetize the contents.
>>>
>>>  Yes, if Alice sends Bob an encrypted message that Bob can read, and
>>>> Bob turns out to
>>>> be untrustworthy,  then  Bob can sell/re-use the information in an
>>>> abusive/unapproved way for
>>>> personal or economic profit.
>>>>
>>>
>>> charlie is probably untrustworthy, bob is probably moreso (mostly
>>>
>>                                                          ^
>> trustworthy
>>
>>> because bob has more to lose than charlie), alice isn't cognizant of the
>>> implications of running charlie's app on bob's platform despite the
>>> numerous disclaimers she blindly clicked through on the way there.
>>>
>>>
>>>
>>>  --
>>>> -JH
>>>>
>>>>
>>>
>>>
>>
>>
>
>
