
Even Forced SSL is broken for Facebook Google Twitter

29 October 2010

Update – See report card for various online services

There’s been a lot of constructive attention on Firesheep this week, a simple tool that lets anyone hijack other people’s web accounts with absolutely no skill required. A lot of people are suggesting that running the Firefox or Chrome web browser in forced SSL (HTTPS) mode solves the problem, but I cautioned people that it isn’t that simple, because many websites don’t fully support SSL. It’s even worse than that: even if a site supports SSL, it will frequently contain links that redirect to non-SSL portions of the site. And even if all the links are rewritten to point to an SSL page, there may be JavaScript code within the page that transmits authentication cookies over clear, non-SSL HTTP.
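The mechanism behind the leak is that a session cookie set without the Secure attribute is attached to any plain-HTTP request to the same host, so one HTTP redirect or script load exposes it no matter how carefully the user typed https://. The following audit script is an added example, not code from the original post; the Set-Cookie headers and the session-cookie name list are constructed, not real headers from Facebook, Twitter or Google.

```python
"""Audit Set-Cookie headers: flag session cookies that a browser would
still send over plain HTTP because they lack the Secure attribute."""
from http.cookies import SimpleCookie
from urllib.parse import urlsplit

# Constructed sample responses (placeholders, not captured from any real site).
SAMPLE_SET_COOKIE = [
    "sessionid=abc123; Path=/; HttpOnly",   # session cookie, no Secure: leaks
    "csrftoken=xyz; Path=/; Secure",        # Secure set: HTTPS only
    "prefs=dark; Path=/",                   # not a session cookie
]
# Assumed names for cookies that carry the login session (hypothetical list).
SESSION_NAMES = {"sessionid", "auth", "token", "sid"}


def parse_set_cookie(header):
    """Return (name, value, attrs) for one Set-Cookie header line."""
    jar = SimpleCookie()
    jar.load(header)
    name = next(iter(jar))
    morsel = jar[name]
    # Morsel flags are True when present and "" when absent.
    attrs = {"secure": bool(morsel["secure"]),
             "httponly": bool(morsel["httponly"])}
    return name, morsel.value, attrs


def would_be_sent(attrs, request_url):
    """Would a browser attach this cookie to a request for request_url?
    Only the Secure attribute is modelled; Path/Domain matching is ignored."""
    scheme = urlsplit(request_url).scheme
    return not (attrs["secure"] and scheme != "https")


def audit(headers, session_names=SESSION_NAMES):
    """Names of session cookies that would be sent on an http:// request,
    i.e. exposed by a single non-SSL link, redirect or script load."""
    leaks = []
    for header in headers:
        name, _, attrs = parse_set_cookie(header)
        if name.lower() in session_names and would_be_sent(attrs, "http://example.com/"):
            leaks.append(name)
    return leaks


if __name__ == "__main__":
    print("Session cookies exposed over HTTP:", audit(SAMPLE_SET_COOKIE))
```

Running it against a site's real response headers (for example those shown by a browser's developer tools) tells you whether forcing HTTPS on the client side can help at all, or whether only the server can fix it by adding Secure.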

This is precisely what happened to Google in 2008, when it was revealed that even full SSL mode for Gmail would leak the cookie information that allows someone to “sidejack” a Gmail account. Facebook seems to have recently added support for full HTTPS SSL mode, but many links drop back to HTTP even if you run extensions designed to force Facebook into SSL mode. Even with these force-SSL extensions running, links within Facebook will still briefly redirect to HTTP and then bounce to HTTPS. And even when I manually type HTTPS and never see an HTTP session, Facebook is still leaking the authentication cookies that let Firesheep sidejack the session, based on my testing.

The same problem affects Twitter, even when I manually type in https://twitter.com. Twitter remains in HTTPS mode no matter what part of the site I click, but it still leaks authentication cookies to sidejacking tools like Firesheep. The effect is that anyone can still get into my Twitter account and post any embarrassing message they want. Even https://Google.com leaks my account, so that people can see what I searched for and where I live on maps.google.com. For that matter, just firing up the Chrome browser without loading a single page will leak my Google account! Thanks a lot for caring about our privacy, guys.

Forced SSL mode also seems nearly useless in Google Chrome, because Chrome is so stingy about what it will force into SSL. If it’s the first time you’ve visited the site, or some additional non-sensitive image icons are being loaded from another non-SSL site, it will not force the site to go SSL.

Conclusion? Browser makers and website operators have a long way to go to secure people’s accounts and identities on the Internet.