Internet.org opens to developers, but won’t support encryption over the web – The Verge
Internet.org opened for third-party developers today, offering a clear path for any company that wants to build an app on top of the free-internet service, but the new openness comes with serious restrictions. The most obvious restriction is simple: Internet.org gets to manage and approve apps, akin to the Apple App Store. If you want to build an app that reaches Internet.org users, you’ll have build it according to Facebook’s rules, utilizing as little data as possible and staying away from bandwidth-intensive services like VOIP. But some of the new platform rules go far beyond the previous net neutrality concerns, including technical measures that rule out encryption like HTTPS for users connecting over the web.
Unfortunately for users, the HTTPS issues seem to be baked into the core of how Internet.org is designed. The service works as a proxy, directly managing all traffic to and from the user. According to the developer guidelines, the proxy is designed “to create a standard traffic flow so that operators can properly identify and zero rate your service” — but it also gives Internet.org a clear view of all the traffic on the network. Low-bandwidth services like Twitter routinely require HTTPS as a way to secure the connection between the user and the service, but that security would be impossible under Internet.org’s current web proxy setup, creating real concerns for banking or private messaging apps.
An Internet.org graphic describing the proxy setup
Reached for comment by The Verge, Facebook said Internet.org would address the problem through an HTTPS-enabled Android app, to be released in June. “Starting with the Android app, we are working to support the type of encrypted services that we know people want with the right protections in place,” a company representative said. “We’re also investigating ways that we could provide the same security for web-based access to Internet.org, but currently we don’t have a solution that avoids ‘man-in-the-middle’ techniques.”
“We are dependent on existing browsers.”
In the meantime, web access to Internet.org will represent a real problem for secure services attempting to take root on the service. Any web-based traffic to Internet.org will be visible not just to the Internet.org proxy but to all the intermediaries between Internet.org and the remote server, a necessity of the current proxy setup. “We are dependent on existing browsers on people’s phones that are not aware of the Internet.org proxy,” the representative said.
Beyond security concerns, the platform continues to draw fire from net neutrality advocates in India, with MediaNama describing it as “a fundamental, permanent change in the way the internet works.” In response, Mark Zuckerberg has insisted that neutrality principles could coexist with a zero-rated platform. “If a local fisherman gets access to free internet services he couldn’t otherwise afford to help him sell more fish and support his family, then that’s good,” Zuckerberg says in the accompanying video, “and we shouldn’t have rules that prevent that.”