Facebook Security Still Lacking

In October I blogged about Firesheep, a Firefox plugin that highlights the inherent vulnerabilities in the way that Facebook and other websites handle sessions. TL;DR – Install the extension and with a click of a button you can capture unencrypted Facebook sessions of any user using a WiFi network you’re connected to (read the full post for all the details). For research purposes, when a friend of mine was at Pearson a few months ago he fired up Firesheep and instantly had access to several dozen Facebook accounts.

This is bad, very bad.

To combat this security hole, Facebook enabled secure HTTP connections in January. Enabling this feature renders Firesheep useless.

Unfortunately, Facebook’s implementation has one serious flaw. When you use (almost) any Facebook app you’re required to switch back to un-encrypted HTTP mode! You’re presented with this dialog:

The wording used in the dialog may make you think the setting is temporary while you’re using the app. I don’t know if it’s designed that way or if it’s just poorly worded. But in fact clicking “continue” will permanently disable your HTTPS preference!


I suspect there’s probably a technical reason for this requirement, something about the way that apps include data from external domains. I haven’t looked into it. Facebook really needs to address this.

My suggestion would be to display some sort of alert when you navigate away from the app, with a one-click solution for re-enabling HTTPS.

Canadian Tech Roundup 14: The one where we talk about iPad2

iTunes Link



Facebook Now More Secure

In a blog post today Facebook detailed some of their new security improvements:

Starting today we’ll provide you with the ability to experience Facebook entirely over HTTPS. You should consider enabling this option if you frequently use Facebook from public Internet access points found at coffee shops, airports, libraries or schools. The option will exist as part of our advanced security features, which you can find in the “Account Security” section of the Account Settings page.

Enabling this option will effectively protect you against Firesheep and similar account hijacking methods. I think it’s fairly safe to assume this feature is a direct response to Firesheep, even if it seems to have taken them 4 months to roll out. Though, it could also be a response to Zuckerberg’s account hack yesterday.

I’m going to go one step further than Facebook and say, you should absolutely enable this option as soon as it’s available to you.

This Week I Learned

Turns out being a dad and employed full time leaves little room for things like long blog posts. I came across a number of particularly fascinating things this week in my travels on the information super highway.

  • Monday: Protocol relative URLs
    Turns out, you can leave out the protocol (http, https, ftp, etc.) when including a URL in HTML and the browser will figure out what to do with it. This is particularly useful when including unsecured content on a secure page. I’m sure knowing this years ago would have saved me one or two headaches.
  • Tuesday: What Jason Calacanis Learned From Zuckerberg’s Mistakes
    In his weekly LAUNCH newsletter Calacanis talks about his take on rollout hiccups and privacy mistakes Facebook has made over the years. In his educated opinion “Facebook’s success — and mistakes — are based on its developer-driven culture, not because Zuckerberg is some evil mastermind.” Essentially, Facebook developers have historically been allowed to roll out new features with little to no oversight, allowing the site to iterate quickly, keep ahead of the competition and occasionally annoy foreign governments. He makes a convincing argument.
  • Wednesday: How a quartz watch works
    I already had a rough understanding of the piezoelectric effect as used inside digital watches; the video does an excellent job of explaining the concept. As usual, reddit commentary filled in the gaps, explaining in detail exactly how the electronics translate the quartz vibration into time.
  • Thursday: Google Bookmarks exists
    Someone leaked that Yahoo! would be shutting down delicious and the internet lost its ever-loving mind! Turns out there’s some hope for delicious. Anyways, I haven’t used delicious much since the days it was still called del.icio.us. As far as I can tell, Google Bookmarks has done a pretty good job of pulling out delicious’ most useful features, plus you get the added bonus of having your bookmarks appear at the top of Google results when your search is relevant – if you’ve ever starred something on a search results page you’ll already have some links in Google Bookmarks. I had actually been looking around for a good bookmark service; this discovery couldn’t have come at a better time.
  • Friday: Word Lens
    This iPhone (3GS+) app instantly translates text on-screen. As in, you point your iPhone at a Spanish sign and the words are replaced onscreen with the English translation. This is easily the most impressive augmented reality technology I’ve seen to date! We are truly living in the future.
    iTunes Link
  • Saturday: Boardgame Remix Kit
    I am a huge fan of the boardgame revival hitting nerdom over the past 10 years; as such, I’ve become quite bored of the classics like Monopoly, Clue(do), Trivial Pursuit and Scrabble. When I came across Boingboing’s post about the Boardgame Remix Kit I was absolutely blown away by the creativity and simplicity. The kit is a set of tweaks, mashups and completely new games built on 4 classic board games. It’s available as a PDF for £2.99 on the official site or as an iPhone app for £2.99 ($4.99 in the Canadian store). Both are beautiful.
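
How the protocol-relative references from the Monday item resolve, as an added example that is not from the original post: the sketch below scans a constructed HTML sample, resolves each subresource reference against an HTTP and an HTTPS page URL, and flags the ones that would be mixed content on the secure page. The host names, sample markup and function names are assumptions made for illustration.

```javascript
// Constructed sample markup; all hosts are placeholders under example.test.
const SAMPLE_HTML = `
<script src="//cdn.example.test/lib.js"></script>
<img src="http://static.example.test/logo.png">
<link rel="stylesheet" href="https://static.example.test/site.css">
<script src="/js/app.js"></script>
<iframe src="http://apps.example.test/game"></iframe>
<a href="http://other.example.test/">link</a>
`;

// Tags that load subresources; <a href> is navigation, so it is not audited.
const RESOURCE_ATTRS = { script: 'src', img: 'src', iframe: 'src', link: 'href' };

// Simple regex scan, adequate for the sample above (not a full HTML parser).
function extractResources(html) {
  const out = [];
  const tagRe = /<(script|img|iframe|link)\b([^>]*)>/gi;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const tag = m[1].toLowerCase();
    const attrRe = new RegExp(`\\b${RESOURCE_ATTRS[tag]}\\s*=\\s*["']([^"']+)["']`, 'i');
    const am = attrRe.exec(m[2]);
    if (am) out.push({ tag, ref: am[1] });
  }
  return out;
}

// Resolve every reference against the page URL, as a browser would, and
// mark http:// subresources on an https:// page as mixed content.
function auditPage(html, pageUrl) {
  const page = new URL(pageUrl);
  return extractResources(html).map(({ tag, ref }) => {
    const resolved = new URL(ref, page);
    return {
      tag,
      ref,
      resolved: resolved.href,
      protocolRelative: ref.startsWith('//'),
      mixed: page.protocol === 'https:' && resolved.protocol === 'http:',
    };
  });
}

for (const page of ['http://www.example.test/', 'https://www.example.test/']) {
  console.log(page);
  for (const r of auditPage(SAMPLE_HTML, page)) {
    console.log(`  ${r.mixed ? 'MIXED' : 'ok   '} <${r.tag}> ${r.ref} -> ${r.resolved}`);
  }
}
```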

There you have it, my week in links. This post contains something like 13 links in addition to the main links, I really suggest you click them all.