"Facebook's mobile VPN app, Onavo Protect, has been pushed as a way to protect personal information over public networks"
Isn't that what SSL / HTTPS is for?! VPNs are generally for privacy when used to access the internet. Tossers.
Facebook's mobile VPN app, Onavo Protect, has been pushed as a way to protect personal information over public networks. But the app, which the social media giant acquired in 2013, sends users' data back to Facebook, even when the app is turned off. In a blog post on Monday, Will Strafach, CEO of the Sudo Security Group, …
VPNs are for accessing private networks remotely. It's only recent privacy concerns and ISP/country filters that have seen an increase in use for general internet access.
It's entirely within spec to have a VPN with no encryption. Obviously nobody does that, but it shows that VPNs were designed to provide access to something, not exclusively to hide that access from others.
"Isn't that what SSL / HTTPS is for?! VPNs are generally for privacy when used to access the internet. Tossers."
HTTPS and SSL encrypt the traffic in your session with that particular site, but stuff like DNS lookups go out in the clear so everyone can see that you're visiting www.rule34.com. And with a bit of trickery the inattentive user might actually be visiting www.nottherealrule34.com instead.
VPNs establish an encrypted tunnel to what should be a trusted endpoint, from which your traffic goes to whatever sites you fancy, and no-one looking at the traffic between you and that endpoint should be able to determine what you're up to. That endpoint, however, is basically representing you, and you have to trust it's dealing with the information it can gather (connection logs, DNS lookups etcetera) in a way that you approve of.
Facebook is not on my list of entities I trust. In any way.
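The DNS point in the comment above, as an added example that is not part of the original thread: a plain DNS query is built in RFC 1035 wire format, then decoded the way anyone sniffing the hotspot would decode it. The hostname, transaction id and capture are constructed here for illustration; nothing is sent on the network.

```python
import struct


def encode_name(name: str) -> bytes:
    """Encode a hostname as DNS labels: each label length-prefixed, terminated by a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("label length must be 1..63 bytes")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_dns_query(name: str, txid: int = 0x1234, qtype: int = 1) -> bytes:
    """Build a plain UDP DNS query (RFC 1035 wire format) for an A record.

    This is what a phone hands to the hotspot's resolver before any TLS handshake
    happens: no encryption at all, so the name is readable by anyone on the path.
    """
    # header: id, flags (RD=1), QDCOUNT=1, ANCOUNT=0, NSCOUNT=0, ARCOUNT=0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)  # QTYPE, QCLASS=IN


def parse_qname(packet: bytes) -> str:
    """What an observer on the same wifi sees: recover the queried hostname from captured bytes."""
    if len(packet) < 12:
        raise ValueError("truncated DNS header")
    qdcount = struct.unpack("!H", packet[4:6])[0]
    if qdcount < 1:
        raise ValueError("no question section")
    labels = []
    pos = 12
    while True:
        if pos >= len(packet):
            raise ValueError("truncated question name")
        length = packet[pos]
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointers are not expected in a query name")
        pos += 1
        labels.append(packet[pos:pos + length].decode("ascii"))
        pos += length
    return ".".join(labels)


if __name__ == "__main__":
    # Constructed capture: the query a browser emits before connecting to the site.
    captured = build_dns_query("www.rule34.com")
    print(captured.hex())
    print("observer sees:", parse_qname(captured))
```

The HTTPS session that follows hides the page content, but the resolver (and everyone between the phone and it) has already seen the hostname; that is the gap a VPN tunnel, or DNS-over-HTTPS/TLS, closes.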
"Isn't that what SSL / HTTPS is for?!"
https can't be trusted on an untrusted wireless network.
Here's what could happen.
Someone sets up an open wifi hotspot - anyone can do that, it requires no special skills
They give it the name of a popular public wifi provider, maybe O2 Wifi for example - again anyone can do that, it is no more difficult than giving it any other name
Change the DNS settings on the network to point for example natwest.com at a different server - this isn't too difficult, if you know how to administer DNS servers, you should be able to do this
Obtain an SSL certificate for natwest.com and install it on your server. You shouldn't be able to do this, but it happens far too often. The only difficulty here is finding the supplier that will do it before everyone else does.
Set up a fake hotspot with a believable name. Check (although you forgot the de-auth packet flood to disconnect everyone on those other APs).
Poison the responses from DNS. Check
Obtain an SSL certificate for natwest.com
Yeah, no. Obtaining a fake certificate isn't completely impossible because CAs have and probably will in the future make mistakes. Some guy ended up with a github certificate a few months back due to a CA stuff up. But CAs have been distrusted for giving out fakes (Google diginotar). We have also seen the likes of Lenovo and Dell installing themselves as certificate authorities, and I believe in the Dell case this could have been used to sign a fake server.
Far more likely is someone registering natvvest.com and getting a legitimate certificate for that domain. Of course if natwest used* HSTS then the redirect page wouldn't be trusted by your browser. (A 302 is needed because the browser is expecting a certificate owned by natwest.com not natvvest.com. If the original request is http, it can be intercepted and responded to redirect your browser to the new domain)
The actual problem with https is that an observer can correlate who you are talking to and the response size and infer what you are doing. The Facebook image on this article is 13282 bytes. How many other el reg resources are exactly that size?
Tl;dr - https doesn't give you perfect security, but it is inarguably better than http.
*They may well. I didn't check.
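The response-size correlation described in the comment above, as an added example that is not part of the original thread: an observer who can only see encrypted lengths matches each length against a catalogue of known resource sizes. The catalogue, the overhead window and the captured lengths are all constructed for illustration (the 13282-byte figure is the one the comment cites; the other sizes are made up, and the paths are not real URLs).

```python
from typing import Dict, List

# Constructed catalogue (made-up sizes, not measurements of any real site):
# resource path -> HTTP response body length in bytes.
CATALOGUE: Dict[str, int] = {
    "/2017/02/onavo_article.html": 48211,
    "/img/facebook_icon.png": 13282,   # the size the comment above cites
    "/img/twitter_icon.png": 13282,    # constructed collision: same length, different resource
    "/css/site.css": 9120,
    "/js/app.js": 71004,
}

# Assumed per-response overhead (HTTP headers plus TLS record framing). Headers
# vary between responses, so the matcher uses a window rather than a fixed value.
MIN_OVERHEAD = 200
MAX_OVERHEAD = 600


def candidates(observed_len: int, catalogue: Dict[str, int] = CATALOGUE) -> List[str]:
    """Resources whose body plus a plausible overhead equals one observed ciphertext length."""
    return sorted(path for path, body in catalogue.items()
                  if MIN_OVERHEAD <= observed_len - body <= MAX_OVERHEAD)


def infer_session(observed_lens: List[int], catalogue: Dict[str, int] = CATALOGUE) -> List[List[str]]:
    """Map each observed response length to its candidate resources.

    TLS hides the bytes but not their count, so a resource with a unique size
    identifies itself; equal-sized resources only narrow the guess to a set.
    """
    return [candidates(n, catalogue) for n in observed_lens]


def pad_to_bucket(body_len: int, bucket: int = 4096) -> int:
    """Server-side mitigation: pad bodies up to a bucket boundary so many resources share a length."""
    return -(-body_len // bucket) * bucket


if __name__ == "__main__":
    # Constructed capture: four TLS response lengths seen by someone on the hotspot.
    observed = [48211 + 350, 13282 + 350, 9120 + 350, 5000]
    for n, hits in zip(observed, infer_session(observed)):
        print(f"{n:6d} bytes -> {hits or 'no match'}")
    padded = {path: pad_to_bucket(body) for path, body in CATALOGUE.items()}
    print("after bucket padding:", padded)
```

The matcher is deliberately loose about overhead; a real observer also has the server IP or SNI hostname to restrict the catalogue, which makes the guess far sharper. Padding responses to fixed buckets, as `pad_to_bucket` does, is the usual countermeasure, and it only helps to the extent that many resources land in the same bucket.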
... data use policy – explains that by using the app, "you choose to route all of your mobile data traffic through, or to, Onavo's servers."
Obviously from the fact that the app continues to gather info while it is "turned off", it is collecting data about which other apps may be on your phone which use VPN services. Presumably, they are using this info to decide which other companies it may be worth slurping up. Alternatively they may use it to decide which areas it may be worth writing competing software for.
Let me spell it out by addressing Strafach's comments.
"They can easily clear things up by explaining more precisely why they collect certain data..."
- Because they are douchebags.
"...and what they do with it..."
- Whatever douchebags do with your data.
"...so I don’t understand why they are so vague about it..."
- Because douchebaggery!
"I do hope they are being respectful of user privacy..."
- You can hope in one hand, sir...
"... and it would be very nice if they clarified that I think."
- But they make more money being complete and total douchebags.
There is only one answer when the product does something other than what the author tells you it will by design. If you are being lied to, either through weasel words in a contract, through misdirection or omission as to how something works, or any other way for that matter, then you are dealing with a douchebag. Take appropriate and immediate action (see icon if this is not clear enough to work with).
"making more money for Facebook by selling even more data about you to anyone with a couple of quid/bucks/munnies"
User security? Data security? Yes - we keep our users data safe. Where safe == "we'll sell it to anyone who asks without enquiring too much what they want it for".