

Facebook doing MITM attack on your email. - spookylukey
http://blog.gerv.net/2012/06/facebook-email-mitm/

======
domador
I noticed this undesirable change on my profile, and promptly corrected it.

This is yet another of the not-quite-shady but not-quite-agreeable adjustments
we've come to expect from Facebook. It will make it more difficult for me to
look up a friend's e-mail address when I want to (since many users won't
realize the address on their profile has silently changed). It consolidates
Facebook's grip on people's connections, moving Facebook's position closer to
a replacement for e-mail (rather than a complement). This is a position I will
always reject. Long live e-mail!

~~~
johndbritton
I also purposefully exposed my email address and it was replaced by an
@facebook.com address.

------
BruceIV
I've got to say, for me, Facebook has largely replaced personal email (you
never do know which of someone's three email addresses they actually use), but
hiding your personal email in favour of their own system? That's just sleazy.

------
Turing_Machine
If you want your real email address to be shown instead, this procedure seems
to work:

On your Timeline page go to Update Info, then click Contact Info. Set the fake
address to "Hidden from Timeline" and your real address to "Shown on Timeline"
(assuming you do want your real address visible, of course).

I hope this saves some time for others; it took a little while for me to
figure it out. Other things I tried: Deleting the fake address (you can't).
Setting the fake address as visible to only me (had no apparent effect, though
perhaps it made the fake address invisible to others).

------
presty
Yup, it appears Facebook is creating a "xxx@facebook.com" email address for
every profile..

~~~
RossM
You've actually had <username>@facebook.com available for receiving messages
and for logging in (I log in with ross.masters for example) for at least a year
- what they've done here is to hide your displayed emails and only show this
one (which is way out of line).

------
jrockway
People send important email without encryption and digital signatures?

~~~
hollerith
I notice that your HN profile and your personal home page give an email
address, but no public key.

~~~
jrockway
On the other hand, a quick search on the MIT keyserver reveals:

[http://pgp.mit.edu:11371/pks/lookup?op=vindex&search=0xD...](http://pgp.mit.edu:11371/pks/lookup?op=vindex&search=0xDABC3E755BF3666D)

~~~
anigbrowl
...which 99% of the internet have never heard of. I was using PGP in 1992 and
I had either forgotten or never known there was a public keyserver at MIT.

~~~
jrockway
99% of the Internet has never heard of cryptography, either. But among the 1%
that has, the same 1% knows about keyservers. (The keyservers generally sync
with each other, so you don't have to use MIT's keyserver. It is just the one
that I happen to use.)

------
MrEnigma
Probably for the better, especially if your email/profile are public.

It makes sense for Facebook to do this because they want all communication to
go through them. If you want people to connect to you directly, don't use
Facebook. Or put your email in your about section.

~~~
teilo
No. If I put my email address in my Facebook profile, it's because I _want_
people to be able to have my email address. For the same reason, if I put my
phone number in my Facebook profile, it is because I _want_ people to be able
to call me at that number.

I put the address there. It pisses me off that Facebook feels free to change
my profile behind my back. How many people actually look at their own content
information on Facebook? Precious few. Facebook is counting on this.

~~~
MrEnigma
I'm not arguing what is best for the customer. Just best for Facebook. It's
their service and they get to do what they want. It sucks, and I wish it
wouldn't happen but it does.

I know Amazon does this for seller accounts, and I've run across it a few more
places as well (craigslist, etc). Although Craigslist gives you the option to
not obscure it.

I kind of saw the writing on the wall when the messaging platform was
announced. They are trying to replace email for most people.

~~~
Goronmon
_Just best for Facebook. It's their service and they get to do what they want._

This sentiment seems to be implied for pretty much any decision made by any
company, so is it even useful to mention? And if it's true, that's still not
going to stop me from complaining when a company makes a decision I don't
like.

So, why mention it?

------
akashshah
I fail to see how this is a MITM attack.

~~~
tedunangst
If someone wanted to send you a top secret email (as opposed to a Facebook
message), they'll send it to your email address, except now your email address
is listed as @facebook. The "attack" assumes someone doesn't already know your
email, has something top secret that they don't want facebook to know, _and_
are so retarded they don't look at the address they're sending to.

It's a MITM attack on one particular means of distributing your email
_address_, but it's not an attack on your email at all.

~~~
noobiscus
Be fair; anyone who wants to send me a "top secret" email, but has to go to
Facebook to find my email address; I don't want them sending me their
"secrets".

~~~
pavel_lishin
Right, but that's not a choice you get to make.

