Meta's Onavo VPN removed SSL encryption of competitor's analytics traffic
Scope and Mechanism of the MITM / “SSL bump”
- Discussion centers on Meta’s Onavo VPN using a server-side SSL/TLS “bump” plus a client root certificate to MITM Snapchat, YouTube, and Amazon analytics traffic.
- Technique: install a root CA on the device, use a Squid-based proxy to generate fake certs for analytics endpoints, decrypt traffic, then forward it.
- Several ask how this bypassed protections like certificate pinning; others note likely unpinned analytics endpoints or app parts.
- Clarified that this applied only when users installed Onavo / “Facebook Research” apps, not to all Facebook app users or system Facebook installs.
Consent, Legality, and “Market Research” vs. Wiretapping
- Strong disagreement over whether this is legitimate “market research” or criminal wiretapping/CFAA violation.
- Some argue users “consented” via click-through agreements and even received payment; others say consent wasn’t informed, especially for decryption of encrypted communications, and minors were involved.
- A lawyer in the thread critiques Meta’s Wiretap Act defense: argues the cited consent exception is misused and that using intercepted data for potentially unlawful anticompetitive purposes could invalidate it.
- Debate on whether Snapchat et al. must also consent, since communications involve two parties.
- Many see this as a severe breach of trust that should attract criminal liability; others are pessimistic and expect only a “slap on the wrist.”
Comparisons to Other MITM and Filtering Practices
- Multiple comparisons:
- Corporate and religious content-filtering VPNs that install root certs and MITM traffic.
- Antivirus products and enterprise tools that do TLS interception on Windows.
- CDNs / Cloudflare, where websites explicitly outsource TLS termination.
- Some argue Onavo differs because it was framed as user-benefit (compression/security), not as explicit third-party interception for competitive intelligence.
Engineer Ethics and Professionalization
- Thread features debate on engineers’ moral responsibility:
- Claims that ethical engineers wouldn’t work at Meta; counterclaims that many people have morals but face strong institutional and immigration/visa pressures.
- Suggestions to license software engineers like civil engineers, with enforceable codes of ethics and personal liability, at least for software affecting many users.
- One participant claims direct involvement and describes raising internal ethical questions but encountering weak institutional support.
VPN Trust and Threat Models
- Broader tangent on VPNs:
- Skepticism that “no-log” commercial VPNs are uncompromised; reminder that VPNs simply shift trust from ISP to VPN provider.
- For many users, goals are censorship evasion or geo-unblocking, not state-level anonymity.
- Advice: avoid VPNs that analyze traffic, don’t install extra root CAs, prefer certificate pinning where possible.
Old News, Enforcement, and Platform Policies
- Some note this behavior has been known since ~2018–2019 but resurfaced due to new court filings.
- Mention that Apple previously reacted to similar programs (by Meta and Google) by tightening enterprise certificate and sideloading rules.
- Several expect public outrage to be brief and tangible consequences for Meta to be minimal, citing past cases like Google’s Street View Wi-Fi collection.