Facebook Security Still Lacking

In October I blogged about a Firesheep, a Firefox plugin that highlights the inherent vulnerabilities in the way that Facebook and other websites handle sessions. TL;DR – Install the extension and with a click of a button you can capture un-encrypted Facebook sessions of any user using a WiFi network you’re connected to (read the full post for all the details). For research purposes, when a friend of mine was at Pearson a few months ago he fired up Firesheep and instantly had access to several dozen Facebook accounts.

This is a bad, very bad.

To combat this security hole, Facebook enabled secure HTTP connections in January. Enabling this feature renders Firesheep useless.

Unfortunately, Facebook’s implementation has one serious flaw. When you use (almost) any Facebook app you’re required to switch back to un-encrypted HTTP mode! You’re presented with this dialog:

The wording used in the dialog may make you think the setting is temporary while you’re using the app. I don’t know if it’s designed that way or if it’s just poorly worded. But in fact clicking “continue” will permanently disable your HTTPS preference!


I suspect there’s probably a technical reason for this requirement, something about the way that apps include data from external domains. I haven’t looked into it. Facebook really needs to address this.

My suggestion would be to disable some sort of alert when navigate away from the app, which a one click solution for re-enabling HTTPS.