It is not necessary.
If you have a VPN, DNS traffic also goes through that VPN (unless it is “leaked”). The VPN server's DNS server now says that the “guy in the middle” server is snapchat.com.
Facebook creates a certificate for snapchat.com. Snapchat now runs through Facebook's man in the middle.
It seems that Snapchat did not check whether the certificate used was valid (signed by a public CA, or better still, a certificate known to Snapchat itself), but only checked that that certificate.
Facebook decrypts the traffic, analyzes it, encrypts it back to the real Snapchat, etc.
This will not work easily with a browser, because it ships with a number of standard CAs (which your browser vendor has checked for you and found to be safe/trusted). For it to work, a new CA must be installed in your browser.
You often see this construction with employers. They push an “internal CA” to browsers (for internal sites), but they also run a transparent proxy server. A TLS request to www.willekeurigewebsite.nl comes in. The proxy creates a certificate for that website “on the fly” and forwards it on to the internet. This way, the employer can check whether the websites in question are safe/allowed, and can still monitor when necessary.
What you see in practice is that this is not done for “extended security” sites such as banks and the like, so as to strike a balance with employee privacy.
In any case, the fact that this happened with the Snapchat app also means that Snapchat itself made mistakes. If they had kept their house in order, this would not have happened. (That said, this was yet another, even more ridiculous stunt by the obnoxious Facebook.)
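The comment above describes two ways an app can defeat this kind of VPN-plus-forged-certificate interception: insist on a certificate chained to a trusted CA, or, better, pin a certificate the app already knows. The Python block below is an added example, not code from the original post or from Snapchat or Facebook: it puts the weak configuration the comment attributes to the app (TLS on, but any certificate accepted) next to a strict configuration, and adds a fingerprint pin check on the DER certificate returned by `getpeercert(binary_form=True)`. The pin values and sample certificate bytes are constructed placeholders, and `fetch_pinned_cert` is a hypothetical helper name; a real app would pin the SPKI of the leaf or intermediate rather than the whole DER, but the check works the same way.

```python
import hashlib
import socket
import ssl
from typing import Iterable, Optional


def fingerprint(der_cert: bytes) -> str:
    """SHA-256 hex digest of a DER-encoded certificate (the value an app would ship as a pin)."""
    return hashlib.sha256(der_cert).hexdigest()


def weak_context() -> ssl.SSLContext:
    """The failure mode described in the post: the connection is encrypted, but a
    certificate forged by a man in the middle is accepted without complaint."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False          # must be cleared before verify_mode can be CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE     # any certificate for snapchat.com is accepted
    return ctx


def strict_context(app_ca_pem: Optional[str] = None) -> ssl.SSLContext:
    """Require a certificate that chains to a trusted CA and matches the hostname.
    If app_ca_pem is given, trust only that CA (the 'certificate known to the app itself'
    option from the post) instead of the system store."""
    if app_ca_pem:
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.load_verify_locations(cadata=app_ca_pem)   # private, app-controlled trust anchor
    else:
        ctx = ssl.create_default_context()             # system CA store
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def context_is_strict(ctx: ssl.SSLContext) -> bool:
    """True only if the context both requires a valid chain and checks the hostname."""
    return ctx.check_hostname and ctx.verify_mode == ssl.CERT_REQUIRED


def pin_ok(der_cert: bytes, pins: Iterable[str]) -> bool:
    """Compare the presented certificate against the set of pinned fingerprints.
    A proxy-generated certificate has a different hash even if a trusted CA signed it."""
    return fingerprint(der_cert) in set(pins)


def fetch_pinned_cert(host: str, port: int, pins: Iterable[str], timeout: float = 5.0) -> bytes:
    """Hypothetical helper: open a TLS connection with strict verification, then
    additionally enforce the pin. Raises ssl.SSLError on a pin mismatch so the caller
    cannot accidentally keep talking to an interceptor. Needs network; not run in tests."""
    ctx = strict_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
    if not pin_ok(der, pins):
        raise ssl.SSLError(f"certificate for {host} does not match any pinned fingerprint")
    return der


if __name__ == "__main__":
    # Offline demonstration with constructed bytes standing in for DER certificates.
    genuine = b"constructed-genuine-certificate"
    forged = b"constructed-certificate-from-the-man-in-the-middle"
    pins = {fingerprint(genuine)}
    print("weak context strict?  ", context_is_strict(weak_context()))    # False
    print("strict context strict?", context_is_strict(strict_context()))  # True
    print("genuine cert pinned?  ", pin_ok(genuine, pins))                # True
    print("forged cert pinned?   ", pin_ok(forged, pins))                 # False
```

The point of the pin check is that it does not rely on who signed the certificate at all: even if the interceptor's CA were installed on the device, or a public CA were tricked into issuing for the domain, the hash of the presented certificate still differs from the one the app shipped with, and the connection is refused.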