← Back to context

Comment by dylan604

1 year ago

That's great for someone reading this forum to be aware of, but moms have no idea what any of the words you just wrote means. So if they were told they get a coupon for installing or some other bit of ridiculous things malware devs use, and yes I'm calling FB software malware. All of if it. Messenger, FB.app, everything. If it's from Meta, it's malicious.

7 comments

dylan604

Reply
walrus01  1 year ago

That's a very good point. I have within recent memory installed my own internal CA that I run on Android devices that I own and trust, and the process on android 11+ is sufficiently daunting that 99.5% of peoples' moms could not do it in one or two clicks. You have to go deep into system settings and manually import the CA. This requires first file-transferring the CA file somewhere onto local /sdcard storage and possibly having a file system explorer app installed to be able to view its location on "disk" and pick it.

As is pointed out in the article, I would presume that Google saw the threat from allowing an app to install and trust a root CA as well, and removed the ability for a "one click" install of a root CA:

"KeyChain.createInstallIntent() stopped working in Android 7 (Nougat). A user would have to manually install the certificate. It would no longer be possible to have Facebook's CA cert installed directly in the app."

  • sadboi31  1 year ago

    I would argue that everyone over the age of 8 can do it with sufficient motivation and quality documentation. $10-20 and the promise of more money doing some low-effort "consumer survey" or providing "extra analytics" is pretty enticing to a massive number of people really struggling in this country.

    Despite being hard-up I don't think the vast majority of these low-income individuals would agree to being so egregiously wiretapped and data mined for future political ads on youtube or bundled into some other product without better compensation.

ahazred8ta  1 year ago

Try comparing P2P OTR E2EE vs Non-CA TOFU SSH

  • yjftsjthsd-h  1 year ago

    Any app capable of installing a TLS CA is capable of writing to known_hosts (or authorized_keys, while we're at it).

  • dylan604  1 year ago

    hell, even I don't know what the "words" you just used mean!

    • iam-TJ  1 year ago

      That got me too for a few seconds whilst my brain cogs whirred... but the latter sounds tastier than the former for some reason!

      For those wondering:

        P2P OTR E2EE == Peer to Peer, Off The Record, End to End Encryption
  Non-CA TOFU SSH == Non-Certificate Authority, Trust On First Use, Secure SHell