Facebook’s new full SSL feature finally works, three years after it became widely known that web pages were passing authentication cookies in the clear, which could lead to hijacked user accounts, and three months after an easy-to-use tool called “Firesheep” made this hacking method simple enough for anyone to use. Facebook users can now go to the Facebook Account Settings page and enable persistent HTTPS (SSL) protection for their Facebook sessions. Unfortunately, the update still won’t fully protect Facebook users.
The new update means that “sidejacking” with tools like Firesheep can no longer steal access to your Facebook account, because the session cookie is no longer sent in the clear. However, Facebook forgot one of the most important and basic components of web security: enabling HTTPS when you’re logging into the system, not just while you’re surfing the website. Facebook might argue that even without HTTPS on the login page, the login form still submits your username and password over an encrypted connection. But HTTPS has two purposes: to encrypt data and to prove the site’s authenticity to the user. Without HTTPS on the Facebook login page itself, users have no way to tell whether they’re visiting Facebook or a fake Facebook login page set up by someone on a wireless network hoping to snare some Facebook user accounts. An attacker who can serve that plain-HTTP page can also simply rewrite the form so the password is posted over HTTP, and the browser will show no warning, because the page was never HTTPS to begin with.
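As an added example (not from the original article and not Facebook’s code), here is an offline Python checker for the two weaknesses the post describes: session cookies set without the Secure flag, which Firesheep-style sidejacking relies on, and a login page served over plain HTTP, which a man in the middle can replace or rewrite even when the form’s action is HTTPS. The URL, HTML, headers and cookie names are constructed for illustration; the functions take a recorded response rather than fetching anything, so it runs with no network access.

```python
"""Offline checks for a login flow: sidejackable cookies and an HTTP login page."""
import re
from http.cookies import SimpleCookie
from urllib.parse import urljoin, urlparse

# Captures the action attribute of each <form> in a page body.
FORM_ACTION_RE = re.compile(
    r'<form\b[^>]*\baction\s*=\s*["\']([^"\']*)["\']', re.IGNORECASE)


def is_https(url):
    return urlparse(url).scheme.lower() == "https"


def cookie_findings(set_cookie_headers):
    """Flag cookies a sidejacker could replay.

    A cookie without the Secure attribute is sent on every plain-HTTP request
    to the host, so anyone sniffing the wireless network can capture it and
    reuse it.  HttpOnly is reported too because it keeps the cookie out of
    reach of script, a separate but related weakness.
    """
    findings = []
    for raw in set_cookie_headers:
        jar = SimpleCookie()
        jar.load(raw)
        for name, morsel in jar.items():
            if not morsel["secure"]:
                findings.append(f"cookie {name} lacks Secure flag (sidejackable)")
            if not morsel["httponly"]:
                findings.append(f"cookie {name} lacks HttpOnly flag")
    return findings


def login_page_findings(url, status, headers, body):
    """Evaluate the response to a plain-HTTP GET of the login page.

    The only acceptable answer to http://host/login is a redirect to https://;
    anything else means the page the user types a password into was delivered
    unauthenticated and could have been forged or altered in transit.
    """
    findings = []
    if is_https(url):
        return findings  # the question is what happens over http://
    lowered = {k.lower(): v for k, v in headers.items()}
    location = lowered.get("location")
    if 300 <= status < 400 and location and is_https(urljoin(url, location)):
        return findings  # redirected to HTTPS before any login page rendered
    findings.append("login page served over plain HTTP: a MITM can spoof or rewrite it")
    for action in FORM_ACTION_RE.findall(body):
        target = urljoin(url, action)  # empty action means "post back here"
        if not is_https(target):
            findings.append(f"login form posts credentials to {target} in the clear")
    return findings


def strip_https_from_forms(body):
    """What an attacker serving the HTTP page can do to it: rewrite every
    action="https://..." to http:// so the browser posts the password in the
    clear.  Constructed illustration of why an HTTP page cannot protect an
    HTTPS form action."""
    return re.sub(r'(action\s*=\s*["\'])https://', r"\1http://", body,
                  flags=re.IGNORECASE)


# Constructed sample responses (hypothetical host, not captured from any site).
LOGIN_URL = "http://www.example.com/login"
SAMPLE_PAGE = """<html><body>
<form method="post" action="https://www.example.com/login">
<input name="email"><input name="pass" type="password">
</form></body></html>"""
GOOD_HEADERS = {"Location": "https://www.example.com/login"}


if __name__ == "__main__":
    print("redirecting site:", login_page_findings(LOGIN_URL, 301, GOOD_HEADERS, ""))
    print("HTTP page, HTTPS action:", login_page_findings(LOGIN_URL, 200, {}, SAMPLE_PAGE))
    print("after MITM rewrite:", login_page_findings(
        LOGIN_URL, 200, {}, strip_https_from_forms(SAMPLE_PAGE)))
    print("secure cookie:", cookie_findings(["c_user=12345; Path=/; Secure; HttpOnly"]))
    print("plain cookie:", cookie_findings(["c_user=12345; Path=/"]))
```

The page-level check deliberately passes only when the HTTP request never renders a login form at all; a form with an HTTPS action on an HTTP page is still reported, because the rewrite in `strip_https_from_forms` shows how little that action attribute is worth once the page itself is unauthenticated.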
Because Facebook forgot this fundamental step in protecting Facebook usernames and passwords, they still get an “F” on the updated report card below until they fix this fundamental error. The login page should automatically redirect to HTTPS as soon as someone visits the site.
Online services security report card – Updated 2/4/2011
[Cross-posted at Digital Society]