Even Forced SSL is broken for Facebook Google Twitter
Update – See report card for various online services
This is precisely what happened to Google in 2008 when it was revealed that even full SSL mode for GMail would leak the cookie information that would allow someone to “sidejack” a GMail account. Facebook seems to have recently added support for full HTTPS SSL mode, but there are many links that drop back to HTTP even if you run extensions designed to force Facebook to run in SSL mode. Even with these force-SSL extensions running, the links within Facebook will still temporarily redirect to HTTP and then bounce to HTTPS. Even when I manually type HTTPS and never see an HTTP session, Facebook is still leaking the authentication cookies that allow Firesheep to sidejack the session, based on my testing.
The same problem affects Twitter even when I manually type in https://twitter.com. Twitter will remain in HTTPS mode no matter what part of the site I click, but it will still leak authentication cookies to sidejacking tools like Firesheep. The effect is that anyone can still go into my Twitter account and post any embarrassing message they want. Even https://Google.com leaks my account so that people can see where I searched and where I live on maps.google.com. For that matter, just firing up the Chrome browser without launching a single page will leak my Google account! Thanks a lot for caring about our privacy guys.
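The root cause behind every case above is a session cookie that the site issues without the Secure attribute: the browser attaches it to any plain-HTTP request for that domain, so a single transient HTTP redirect is enough to expose it to a passive sniffer. The following Python example, added here and not part of the original post, uses the standard-library cookie jar to show which of two constructed cookies a client would send over HTTP versus HTTPS, plus a small audit of a Set-Cookie header for the Secure and HttpOnly attributes; the example.com domain and cookie names are made up.

```python
from http.cookiejar import Cookie, CookieJar
from urllib.request import Request


def make_cookie(name, value, domain, secure):
    """Build a session cookie the way a browser stores it after Set-Cookie."""
    return Cookie(
        version=0, name=name, value=value, port=None, port_specified=False,
        domain=domain, domain_specified=True,
        domain_initial_dot=domain.startswith("."),
        path="/", path_specified=True, secure=secure, expires=None,
        discard=True, comment=None, comment_url=None, rest={}, rfc2109=False,
    )


def cookies_sent(jar, url):
    """Sorted names of the cookies the jar would attach to a request for url."""
    req = Request(url)
    jar.add_cookie_header(req)  # applies the Secure, domain and path rules
    header = req.get_header("Cookie")
    if not header:
        return []
    return sorted(part.split("=", 1)[0].strip() for part in header.split(";"))


def audit_set_cookie(set_cookie_value):
    """Return the protective attributes missing from a Set-Cookie header value."""
    attrs = {p.strip().split("=", 1)[0].lower()
             for p in set_cookie_value.split(";")[1:]}
    return sorted(a for a in ("secure", "httponly") if a not in attrs)


# Constructed jar: the same session cookie issued once without Secure
# (how the sidejacked sites behaved) and once with it.
jar = CookieJar()
jar.set_cookie(make_cookie("sid", "abc123", ".example.com", secure=False))
jar.set_cookie(make_cookie("sid_secure", "def456", ".example.com", secure=True))

if __name__ == "__main__":
    # One HTTP hop (e.g. a redirect) exposes the non-Secure cookie only.
    print("http :", cookies_sent(jar, "http://www.example.com/"))   # ['sid']
    print("https:", cookies_sent(jar, "https://www.example.com/"))  # ['sid', 'sid_secure']
    # Server-side check: what a weak Set-Cookie header is missing.
    print(audit_set_cookie("sid=abc123; Path=/; Domain=.example.com"))  # ['httponly', 'secure']
```

The same audit applied to a site's real Set-Cookie responses tells an operator whether a forced-SSL extension can protect their users at all: without Secure on the session cookie, it cannot.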
The force SSL mode also seems to be nearly useless in Google Chrome because it’s so stingy about what it will force into SSL. If it’s the first time you’ve visited the site or there are some additional non-sensitive image icons being loaded from some other non-SSL site, it will not force the site to go SSL.
Conclusion? Browser makers and website operators have a long way to go to secure people’s accounts and identities on the Internet.