Facebook Finally Adds HTTPS, but Still Broken

Facebook announced that they’ve finally added secure web browsing for Facebook 2 months after the release of the Firesheep tool that made it trivially easy to hack Facebook accounts.  That prompted me to give them an “F” in security which was widely cited in the media.  But there are some major problems with this update from Facebook.  First, the feature doesn’t work yet even though they’re saying it’s available as of today, and I can’t enable the always enable HTTPS whenever possible option under account settings.  Second, the feature should be turned on for everyone automatically because most people won’t even know about this.

Right now if I manually type in HTTPS, it seems to be secure until I click on any of the links which revert me back to HTTP.  Once reverted, my Facebook credentials are instantly leaked to Firesheep.  What’s even more bothersome to me is that when I posted a comment on the Facebook announcement, my critical comment was removed and I caught a screenshot of the error below.

A few minutes later, my comment magically reappeared so it looks like they had second thoughts about removing my comment.  Even so, I have 4 up votes which would have placed the comment up top but they somehow knocked it down to 3 votes so it’s not showing on the first page of their security announcement.

I’ll have to try this feature again tomorrow to see if it’s finally working.  It’s funny that Facebook claims “That’s why we’ve developed a number of complex systems that operate behind the scenes to keep you secure on Facebook.”  The fact is that they haven’t even gotten the basics of security right all this time and it’s still not right.

[Cross-posted at Digital Society]