This is a bad, very bad.

To combat this security hole, Facebook enabled secure HTTP connections in January. Enabling this feature renders Firesheep useless.

Unfortunately, Facebook’s implementation has one serious flaw. When you use (almost) any Facebook app you’re required to switch back to un-encrypted HTTP mode! You’re presented with this dialog:

The wording used in the dialog may make you think the setting is temporary while you’re using the app. I don’t know if it’s designed that way or if it’s just poorly worded. But in fact clicking “continue” will permanently disable your HTTPS preference!

Sad.

I suspect there’s probably a technical reason for this requirement, something about the way that apps include data from external domains. I haven’t looked into it. Facebook really needs to address this.

My suggestion would be to disable some sort of alert when navigate away from the app, which a one click solution for re-enabling HTTPS.

iTunes Link

RSS

Starting today we’ll provide you with the ability to experience Facebook entirely over HTTPS. You should consider enabling this option if you frequently use Facebook from public Internet access points found at coffee shops, airports, libraries or schools. The option will exist as part of our advanced security features, which you can find in the “Account Security” section of the Account Settings page.

Enabling this option will effectively prevent you against Firesheep and similar account hijacking methods. I think it’s fairly safe to assume this feature is a direct response to Firesheep, even if it seems to have taken them 4 months to roll out. Though, it could also be a response to Zuckerburg’s account hack yesterday.

I’m going to go one step further than Facebook and say, you should absolutely enable this option as soon as it’s available to you.

• Monday: Protocol relative URLs
  Turns out, you can leave out the protocol (http, https, ftp, etc) when including a URL in html and browser will figure out what to do with it. This is particularly useful when including unsecured content on a secure page. I’m sure knowing this years ago would have saved me one or two headaches.
• Tuesday: What Jason Calacanis Learned From Zuckerberg’s Mistakes
  In his weekly LAUNCH newsletter Calacanis talks about his take on rollout hiccups and privacy mistakes Facebook has make over the years. In his educated opinion “Facebook’s success — and mistakes — are based on its developer-driven culture, not because Zuckerberg is some evil mastermind.” Essentially, Facebook developers have historically been allowed to roll out new features with little to no oversight, allowing the site to iterate quickly, keep ahead of the competition and occasionally annoy foreign governments. He makes a convincing argument.
• Wednesday: How a quartz watch works
  I already had a rough understanding of the piezoelectric effect as used inside digital watches, the video does an excellent job of explaining the concept. As usual reddit commentary filled in the gaps, explaining in detail exactly how the electronics translate the quartz vibration into time. 
• Thursday: Google Bookmarks exists
  Someone leaked that Yahoo! would be shutting down delicious and the internet lost it’s ever-loving mind! Turns out there’s some hope for delicious. Anyways, I haven’t used delicious much since the days it was still called del.ico.us. As far as I can tell, Google Bookmarks has done a pretty good job of pulling out delicious’ most useful features, plus you get the added bonus of having your bookmarks appear at the top of Google results when your search is relevant – if you’ve ever starred something on a search results page you’ll already have some links in Google Bookmarks. I had actually been looking around for a good bookmark service, this discovery couldn’t have come at a better time.
• Friday: Word Lense
  This iPhone(3GS+) app instantly text on-screen. As in, you point your iPhone at a Spanish sign and the words are replaced onscreen with the english translation. This is easily the most impressive augmented reality technology I’ve seen to date! We are truly living in the future.
  iTunes Link
• Saturday: Boardgame Remix Kit
  I am a huge fan of the boardgame revival hitting nerdom over the past 10 years, as such, I’ve become quite bored of the classics like Monopoly, Clue(do), Trivial Pursuit and Scrabble. When I came across Boingboing’s post about the Boardgame Remix Kit I was absolutely blown away the creativity and simplicity. The kit is a set of tweaks, mashups and completely new games built on 4 classic board games. It’s available as a PDF for £2.99 on the official site or as an iPhone app for £2.99 ($4.99 in the Canadian store). Both are beautiful.
  

There you have it, my week in links. This post contains something like 13 links in addition to the main links, I really suggest you click them all.

As you can see in the screenshot. Firesheep gives you a nice list of all user logins you’ve collected, including their profile pictures for your convience; clicking one logins you in to the social network as that user, giving you full access to everything they have access to.

While this type of attack has always been a vague hypothetical possibility and there have always been tools available to take advantage of this sort of exploit, it is has never been this simple. It’s the equivalent of putting a “give me money” button on the side of an ATM. Facebook, Twitter and friends are going to have to take notice.

What Not To Worry About

• Private WiFi. If you know and trust everyone on the WiFi network you’re connected to at home or at work, you probably shouldn’t worry too much. You’re still just as vulnerable to the attack on a private or encrypted WiFi connection. But without open access to the general public, it’s a lot easier to catch the person messing with your account.
• Passwords. This exploit works without ever knowing your password. No respectable website stores your password in plain text and even if someone gets into your account, most websites will not allow a user to change the password without entering the current password.

How To Protect Yourself

Firesheep is taking advantage of the fact that your session data is being sent over wifi in plain unencrypted text. The only effective protection against this is full end-to-end encryption using HTTPS aka SSL. A lot of websites like banks or government services enforce HTTPS connections due to the sensitive nature of the transactions. Most social networks may offer HTTPS if you type it into the address bar (ex. https://facebook.com/ or https://twitter.com/), but since encryption slows down connections somewhat and is a little more taxing on server hardware, no social networks require you to connect with HTTPS. I suspect this will change within the next couple of weeks, if not sooner. In the mean time there are some steps you can take to make your browser use https.

• If you use gmail, they provide a handy setting to force gmail to always use a secure connection. Details here. Enable this if you haven’t already. This is not necessary, gmail went 100% SSL earlier this year.
• For other sites always include the ‘s’ after https when logging on to a website. This should work with any major website. Update your bookmarks now.
• Right now, I’m serious…
• ….
• Unfortunately, updating your bookmarks is not enough. Even when you log in via a secured connection Facebook and many others do not continue to send your traffic over secured links as you click around the site. Meaning, as soon as you leave that first httpS page, your may begin to expose your session details.
• If you use Firefox, Techcrunch has an article on configuring Force-TLS an add-on that forces sites to use HTTPS. Details Here.
• If you use Chrome or Safari, there are a few Greasemonkey extensions you can install that do similar things. This one covers a lot of sites. Take a look at the directory for more.
• Do not user Internet Explorer.

That said…

If you’re wondering who that neighbour with open WiFi has been messaging on Facebook, it’s never been easier to find out. Download the extension (disclaimer: don’t actually do this, it might be illegal).

I wanted to deactivate my account for the day in solidarity. When I attempted to do so, I was presented with this error.

ZUCKED! Note that the error does not tell me which application I need to delete or re-assign, it could be multiple applications for all I know. After deleting the 1 offending application, I was still unable to deactivate the account. So much for that.

Quit Facebook Day Links:

• Direct link to Facebook’s “deactivate” page.
• Direct link to DELETE your Facebook account. Note: you must wait 14 days before Facebook will delete your account, if you log in at anytime within those 14 days your account will not be deleted.
• Openbook

My only question is, where are you going to go? Friendster?

I must say, when I first saw the screenshots of the new layout posted on the official Facebook blog a few weeks ago I was rather optimistic. The FB crew seemed to be embracing the new “real-time” web that’s become popular with the rise of Twitter. I really like the way that all your friends’ updates just appear in one big long list. It’s a major improvement over the old “news feed” which was entirely broken! There would be times when I’d see a “story” 2 times on the same day, or the story would appear one day, then re-appear the next for no apparent reason. It was frustrating.

I haven’t run across it yet, but I imagine they the real-time feed could easily become incredibly busy and equally unusable. The filters along the left-hand side should help to alleviate this problem. But it’s possible that at certain times of the day, for heavy users, there is going to be too much junk to weed through.

I’m really not sure how I feel about the overal design itself. They left the header and (floating) footer alone. Those two elements have have always been the least useful, most confusing elements of the site (like why does the “Inbox” drop down menu have a link to “view message inbox” that takes you to the same place as clicking “inbox” – baffling!). It’s lacking something I can’t quite put my finger on. It’s empty and busy at the same time, if that’s possible.