|Quietly this morning customers of AT&T browsing Facebook did so by way of China then Korea. Typically AT&T customers’ data would have routed over the AT&T network directly to Facebook’s network provider but due to a routing mistake their private data went first to Chinanet then via Chinanet to SK Broadband in South Korea, then to Facebook. This means that anything you looked at via Facebook without encryption was exposed to anyone operating Chinanet, which has a very suspect Modus operandi.|
This morning’s route to Facebook from AT&T:
route-server>show ip bgp 126.96.36.199 (Facebook's www IP address) BGP routing table entry for 188.8.131.52/20, version 32605349 Paths: (18 available, best #6, table Default-IP-Routing-Table) Not advertised to any peer 7018 4134 9318 32934 32934 32934
The AS path (routing path) translates to this:
- AT&T (AS7018)
- Chinanet (Data in China AS4134)
- SK Broadband (Data in South Korea AS9318)
- Facebook (Data back to US 32934)
Current route to Facebook via AT&T:
route-server>sho ip bgp 184.108.40.206/20 BGP routing table entry for 220.127.116.11/20, version 32743195 Paths: (18 available, best #6, table Default-IP-Routing-Table) Not advertised to any peer 7018 3356 32934 32934, (received & used)
Translated: Your data goes from AT&T’s network to US based Level3 Communications to Facebook’s servers.
What could have happened with your data? Most likely absolutely nothing. Yet, China is well known for it’s harmful networking practices by limiting network functionality and spying on its users, and when your data is flowing over their network, your data could be treated as any Chineese citizens’. Does that include capturing your session ID information, personal information, emails, photos, chat conversations, mappings to your friends and family, etc? One could only speculate, however it’s possible.
This brings up a lot of questions:
- Should Facebook and or AT&T have notified their customers that their personal information was flowing over a network that they may not trust?
- Should Facebook enable SSL on all accounts by default?
- Was this actually a privacy breach or just the way the Internet functions?
- Does Facebook have an ethical responsibility to buy additional IP connectivity to major broadband and mobile networks to prevent routing mishaps?
- Is it time to focus on new options within BGP to prevent high profile sites from routing to non-authenticated networks?
This happens all the time — the Internet is just not a trusted network. Yet, I prefer to know that when I am on AT&T’s network, going to US located sites, my packets are not accidentally leaving the country and being subject to another nation’s policies. I guess that’s why you should not use Facebook in “bareback” mode and use HTTPS (SSL) any time you can.
Food for thought.
Thanks to Tom Scholl for the head’s up and thoughtful commentary on this subject.