In association with heise online

07 February 2011, 15:32

Facebook's crude https workaround


A few days ago, Facebook began offering the option of fully encrypted (https) communication with the site. Facebook did say that encryption would not work with all third-party applications, but the way it deals with this incompatibility is nonetheless surprising.

If you click on a link to a Facebook app, Facebook asks whether you would like to switch to a regular (http) connection because the content you want cannot be displayed while Facebook is using a secure (https) connection. If you click to continue, you land on an unprotected http page, but the real problem is that, in the background, Facebook also disables the https option in your account settings. Nothing tells the user that this is not a temporary exception for a single app: Facebook is switching off encryption for the whole account.

Screenshot: this dialog is the only indication that Facebook turns off encryption for the entire account.

If you are worried about your account's security, you need to either click "Cancel" or manually re-enable the secure connection in your account settings afterwards. Only then is all Facebook content transmitted with encryption. If your traffic is not encrypted, a script kiddie on the same network, say, could sniff session cookies off the wire and use them to take over other users' Facebook accounts. The problem has been known for a while, but only became widely known with the appearance of the easy-to-use tool Firesheep.
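The risk described above comes down to one question: is the session cookie sent on plain http requests at all? A cookie set with the Secure attribute is only ever transmitted over https, so a passive sniffer on an open network never sees it, regardless of which pages the user is bounced to. The following Python script is an added example, not code from the article or from Facebook: it parses Set-Cookie headers from a server response and reports which cookies that look like session cookies lack the Secure (and HttpOnly) attributes. The cookie-name heuristic in SESSION_NAME_HINTS and the sample headers are constructed for the example.

```python
"""Audit Set-Cookie headers for session cookies a plain-http request would
expose. Added example; the header values below are constructed samples,
not captured from Facebook."""

# Substrings that commonly mark a login/session cookie. This is a heuristic
# chosen for the example; real sites use their own cookie names.
SESSION_NAME_HINTS = ("sess", "sid", "auth", "login", "token")


def looks_like_session_cookie(name):
    """True if the cookie name suggests it carries a login session."""
    lowered = name.lower()
    return any(hint in lowered for hint in SESSION_NAME_HINTS)


def parse_set_cookie(header_value):
    """Split one Set-Cookie header into (name, value, attributes).

    attributes maps lower-cased attribute names to their value, or to True
    for value-less flags such as Secure and HttpOnly.
    """
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, sep, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else True
    return name.strip(), value, attrs


def audit_set_cookie(header_value):
    """Describe one Set-Cookie header: which protections it lacks and whether
    it is a session cookie that would travel in the clear over http."""
    name, _value, attrs = parse_set_cookie(header_value)
    missing = []
    if attrs.get("secure") is not True:
        missing.append("Secure")      # browser will also send it over http
    if attrs.get("httponly") is not True:
        missing.append("HttpOnly")    # page scripts can read it
    is_session = looks_like_session_cookie(name)
    return {
        "name": name,
        "session": is_session,
        "missing": missing,
        # The article's scenario: a session cookie without Secure rides along
        # on every plain-http request, where a sniffer on the same network
        # can read it.
        "sniffable_over_http": is_session and "Secure" in missing,
    }


def audit_response_headers(headers):
    """Audit a list of (header-name, value) pairs as received from a server."""
    return [audit_set_cookie(v) for h, v in headers if h.lower() == "set-cookie"]


# Constructed sample: a session cookie set without Secure (the risky case)
# next to a harmless preference cookie.
SAMPLE_HEADERS = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "sessionid=abc123; Path=/; HttpOnly"),
    ("Set-Cookie", "lang=en; Path=/"),
]

# The corrected form: the browser will only ever send this over https.
HARDENED_HEADERS = [
    ("Set-Cookie", "sessionid=abc123; Path=/; HttpOnly; Secure"),
]

if __name__ == "__main__":
    for finding in audit_response_headers(SAMPLE_HEADERS) + audit_response_headers(HARDENED_HEADERS):
        print(finding)
```

The hardened header shows the design tension the article touches on: a Secure session cookie is never sent to the http pages the user is redirected to, so those pages cannot see the logged-in session. That is exactly the protection Firesheep-style sniffing relies on being absent, and silently disabling the account's https preference to make http pages work gives that protection up for the whole account rather than for one app.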
