Part of Facebook's ambitious program to bring free Internet to third-world countries is the launch of Discover, a new secure proxy for browsing the Web for free.
The erstwhile Free Basics service, available as a mobile web and Android app, allows users to browse the Internet using free daily data caps, similar to the new Facebook Discover, currently being tested in Peru, which also routes all traffic through a proxy.
The main differentiator, however, is that Discover treats all websites the same, whereas Free Basics is limited to a handful of websites that meet some technical criteria set by Facebook.
Why A Web-Based Proxy?
Facebook Discover is quite similar to the Free Basics program in that all traffic is routed through a proxy: the device interacts only with the proxy servers, which act as a "client" to the website the user requested.
The proxy runs in a whitelisted domain under the same "freebasics.com", which the operator makes available for free (for instance, "https://example.com" is rewritten as "https://https-example-com.0.freebasics.com"). It fetches the webpage on behalf of the user and delivers it to their device.
Additionally, the web cookies are stored encrypted on the server to prevent browsers from reaching a cookie limit. The encryption key is stored on the client, so the stored cookies can't be read without being decoded with the user's key.
How Secure is Facebook Discover?
Facebook Discover uses an authentication tag called "ickt", which is derived from the encryption key and a browser identifier cookie known as "datr", stored on the client.
The tag is embedded in every proxy response and is then compared against the "ickt" on the client side to check for signs of tampering. If the two do not match, the cookies are deleted. Discover also makes use of a "two-frame solution" that embeds the third-party site within an iframe secured by an outer frame, using the aforementioned tag to ensure the security of the content.
It thus prevents impersonation of the Discover domain by phishing sites: navigation attempts to such links are blocked by sandboxing the iframe, which prevents it from executing untrusted code.
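The tag check described above, sketched as an added example that is not Facebook's code. The page says only that "ickt" is "derived from" the encryption key and "datr"; HMAC-SHA256 over the datr value and the helper names deriveIckt, buildProxyResponse, checkResponse and newClient are assumptions made for illustration.

```javascript
const crypto = require('crypto');

// Assumption: the page says only that "ickt" is derived from the encryption
// key and the "datr" cookie. HMAC-SHA256(key, datr) stands in for that here.
function deriveIckt(encryptionKey, datr) {
  return crypto.createHmac('sha256', encryptionKey).update(datr).digest('hex');
}

// Proxy side (hypothetical helper): every response carries the tag for the
// key and browser identifier the proxy believes it is serving.
function buildProxyResponse(body, encryptionKey, datr) {
  return { body, ickt: deriveIckt(encryptionKey, datr) };
}

// Client side (hypothetical helper): compare the embedded tag with the one
// held locally; on mismatch delete the cookies, as the page describes.
function checkResponse(response, client) {
  const expected = Buffer.from(client.ickt, 'utf8');
  const received = Buffer.from(String(response.ickt || ''), 'utf8');
  // timingSafeEqual throws on unequal lengths, so check the length first.
  const ok = received.length === expected.length &&
             crypto.timingSafeEqual(received, expected);
  if (!ok) client.cookies.clear();
  return ok;
}

// Hypothetical client state: the locally held tag plus a cookie store.
function newClient(encryptionKey, datr) {
  return {
    ickt: deriveIckt(encryptionKey, datr),
    cookies: new Map([['session', 'constructed-value']]),
  };
}

// Constructed sample values, not real keys or cookies.
const KEY = Buffer.from('00112233445566778899aabbccddeeff', 'hex');
const client = newClient(KEY, 'datr-constructed-A');

// Response built for this client's key and datr: accepted, cookies kept.
const good = buildProxyResponse('<html>ok</html>', KEY, 'datr-constructed-A');
console.log(checkResponse(good, client), client.cookies.size);

// Response bound to a different browser identifier: rejected, cookies cleared.
const other = buildProxyResponse('<html>ok</html>', KEY, 'datr-constructed-B');
console.log(checkResponse(other, client), client.cookies.size);
```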