A secret program called "Project Ghostbusters" saw Facebook devise a way to intercept and decrypt the encrypted network traffic of Snapchat users to study their behavior.
Are you under the impression that Facebook owns Snapchat? Because they don’t. Nothing about this little “blame people for using proprietary services” rant is actually relevant to what happened. At all.
You should read the article because you clearly didn’t. Hell, all you’d have to do is read the first paragraph to understand they were spying on the users of a competitor.
The spying was done by a proprietary service (Facebook’s VPN). Blaming the users for anything on that scale is dumb and futile, but it still reinforces the idea of avoiding proprietary services as much as possible, especially anything on the client side.
The article didn’t explain how the attack worked though. Did the Snapchat client not use anything like TLS to connect to the Snapchat server? Did the Facebook VPN somehow still intercept it, e.g. with a certificate that Snapchat trusted but that Facebook used for spying? Die that cert also work in browsers and did it somehow pass a third party audit, that at least Mozilla requires? I do know Mozilla looks very askance at such things, and they booted out at least one cert vendor over something like that a few years ago.
If Snapchat used some kind of device-wide TLS stack that Facebook managed to subvert, that should be treated as an OS vulnerability (assuming we’re talking about mobile devices). There’s a bunch of stuff that apps simply cannot do unless the user first goes through some complex procedure to root the phone. Messing with the TLS stack should be one of them.
The spying was done by a proprietary service (Facebook’s VPN). Blaming the users for anything on that scale is dumb and futile, but it still reinforces the idea of avoiding proprietary services as much as possible, especially anything on the client side.
The article didn’t explain how the attack worked though. Did the Snapchat client not use anything like TLS to connect to the Snapchat server? Did the Facebook VPN somehow still intercept it, e.g. with a certificate that Snapchat trusted but that Facebook used for spying? Die that cert also work in browsers and did it somehow pass a third party audit, that at least Mozilla requires? I do know Mozilla looks very askance at such things, and they booted out at least one cert vendor over something like that a few years ago.
If Snapchat used some kind of device-wide TLS stack that Facebook managed to subvert, that should be treated as an OS vulnerability (assuming we’re talking about mobile devices). There’s a bunch of stuff that apps simply cannot do unless the user first goes through some complex procedure to root the phone. Messing with the TLS stack should be one of them.