UPDATED 14:08 EST / FEBRUARY 04 2011

Facebook HTTPS Now Works, but Forgot SSL Authentication

Facebook’s new full SSL feature finally works, three years after it became widely known that web pages were passing authentication cookies in the clear, which could lead to hijacked user accounts, and 3 months after a tool called “Firesheep” made this hacking method easy enough for anyone to use.  Facebook users can now go to the Facebook Account Settings page and enable persistent HTTPS SSL protection for their Facebook sessions.  Unfortunately, the update still won’t fully protect Facebook users.

With the new update, “sidejacking” tools like Firesheep can no longer steal access to your Facebook account.  However, Facebook forgot one of the most important and basic components of web security: enabling HTTPS when you’re logging into the system, not just while you’re surfing the website.  Facebook might argue that even without HTTPS on their login page, they’re still encrypting your username and password.  But HTTPS has two purposes: to encrypt data and to verify its authenticity to the user.  Without HTTPS on the Facebook login page, users have no idea whether they’re visiting Facebook or a fake Facebook login page set up by someone on a wireless network hoping to snare some Facebook user accounts.

Because Facebook forgot this fundamental step in protecting Facebook usernames and passwords, they still get an “F” on the updated report card below until they patch this fundamental error.  The login page should automatically forward to an HTTPS page as soon as someone visits the site.
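The gap described above (a login form that posts over HTTPS but is itself delivered over plain HTTP) can be checked mechanically. The following is an added example, not code from the article or from Facebook; the function names, finding labels and the `example.test` sample page are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class LoginFormFinder(HTMLParser):
    """Collects the action URL of every <form> that contains a password field."""

    def __init__(self):
        super().__init__()
        self.current_action = None   # action of the open form, None outside a form
        self.login_actions = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self.current_action = attrs.get("action") or ""
        elif tag == "input" and self.current_action is not None:
            if (attrs.get("type") or "").lower() == "password":
                self.login_actions.append(self.current_action)
                self.current_action = None   # record each login form once

    def handle_endtag(self, tag):
        if tag == "form":
            self.current_action = None


def audit_login_page(page_url, html):
    """Return (post_target, finding) for each login form found in the page."""
    finder = LoginFormFinder()
    finder.feed(html)
    page_secure = urlsplit(page_url).scheme == "https"
    results = []
    for action in finder.login_actions:
        target = urljoin(page_url, action)   # an empty action posts back to the page
        post_secure = urlsplit(target).scheme == "https"
        if page_secure and post_secure:
            finding = "ok"
        elif post_secure:
            # Password is encrypted in transit, but the page holding the form
            # was not authenticated, so the user cannot tell it from a forgery.
            finding = "form-unauthenticated"
        else:
            finding = "credentials-in-clear"
        results.append((target, finding))
    return results


# Constructed sample markup (not captured from any real site).
SAMPLE = ('<form action="https://login.example.test/auth" method="post">'
          '<input name="email"><input type="password" name="pass"></form>')
```

Calling `audit_login_page("http://www.example.test/", SAMPLE)` reports `form-unauthenticated`, the condition the article grades as a failure; the same markup served from an `https://` URL reports `ok`.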

Online services security report card – Updated 2/4/2011

[Cross-posted at Digital Society]

