Facebook HTTPS now works but forgot SSL authentication
UPDATE 2/28/2011 - Facebook’s new feature now shows up and I’ve confirmed that it secures the cookies. However, some of the applications still don’t function if SSL security is turned on. The other problem is that the feature is still only on when a user opts in, which is very unlikely for the vast majority of users.
Facebook’s new full-SSL feature finally works, three years after it became widely known that web sites were sending authentication cookies in the clear, letting anyone listening on the network hijack user accounts, and three months after an easy-to-use tool called “Firesheep” made that attack simple enough for anyone to carry out. Facebook users can now go to the Facebook Account Settings page and enable persistent HTTPS (SSL) protection for their Facebook sessions. Unfortunately, the update still won’t fully protect Facebook users.
The update means that “sidejacking” with tools like Firesheep can no longer steal access to your Facebook account, because the session cookies no longer travel over unencrypted connections. However, Facebook forgot one of the most basic components of web security: HTTPS has to be on when you log in, not just while you browse the site afterwards. Facebook might argue that even without HTTPS on the login page, the login form submits over HTTPS, so the username and password are still encrypted in transit. But HTTPS serves two purposes: it encrypts the data, and it lets the browser verify that the page really came from the site it claims to come from. A login page delivered over plain HTTP gives the user no way to tell whether it is Facebook’s page or one substituted by someone on the same wireless network, and that someone can rewrite the form so the credentials are posted to a server they control. An encrypted POST to the wrong server protects nothing.
Because Facebook skipped this fundamental step in protecting usernames and passwords, they still get an “F” on the updated report card below until they fix it. A visit to the site over plain HTTP should immediately redirect the browser to the HTTPS login page, so that the only page a user ever types a password into is one the browser has authenticated. The redirect is not a complete cure, since an attacker already sitting between the user and the site can suppress it and serve a plain-HTTP page anyway, which is why users should also look for HTTPS in the address bar before logging in; but without the redirect even users on an untampered connection are left on an unauthenticated login page.
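The two requirements above, Secure session cookies and a login page that is never served over plain HTTP, can be checked mechanically. The following is an added example, not code from the original post or from Facebook: a small offline audit over constructed responses that model the three states the article describes (before the change, the opt-in HTTPS feature, and the redirect-to-HTTPS fix). The host names, paths and the `sess` cookie name are invented for the example; the article does not name Facebook’s actual cookies.

```python
import re
from urllib.parse import urljoin, urlsplit

# Hypothetical session-cookie name used by the constructed responses below;
# the article does not list the real cookie names.
SESSION_COOKIE_NAMES = {"sess"}

REDIRECT_STATUSES = {301, 302, 303, 307, 308}


def parse_set_cookie(header_value):
    """Split a Set-Cookie value into (name, value, set of lower-cased attribute names)."""
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:] if p}
    return name.strip(), value, attrs


def form_actions(html):
    """Return the action attribute of every <form> in the page body."""
    return re.findall(r'<form\b[^>]*\baction="([^"]*)"', html, flags=re.IGNORECASE)


def audit_response(resp):
    """Check one response (dict: url, status, headers as (name, value) pairs, body).

    Returns a list of findings; an empty list means this response meets
    both requirements.
    """
    findings = []
    scheme = urlsplit(resp["url"]).scheme
    headers = resp["headers"]

    if scheme == "http":
        if resp["status"] in REDIRECT_STATUSES:
            location = next((v for k, v in headers if k.lower() == "location"), "")
            if urlsplit(location).scheme != "https":
                findings.append("plain-HTTP request redirected to a non-https:// location")
        else:
            # Even if the form's action is https://, the form arrived over an
            # unauthenticated channel and may have been rewritten on the way.
            findings.append("login page served over plain HTTP; the browser cannot verify who sent it")

    for action in form_actions(resp["body"]):
        if urlsplit(urljoin(resp["url"], action)).scheme != "https":
            findings.append(f"login form posts to {action!r}, which is not an https:// URL")

    for k, v in headers:
        if k.lower() == "set-cookie":
            name, _, attrs = parse_set_cookie(v)
            if name in SESSION_COOKIE_NAMES and "secure" not in attrs:
                findings.append(f"session cookie {name!r} lacks the Secure attribute (sidejackable)")
    return findings


def audit_flow(responses):
    """Audit a whole login flow (list of responses) and concatenate the findings."""
    return [f for resp in responses for f in audit_response(resp)]


# Constructed responses standing in for the three states the article discusses.
# Host names, paths and cookie values are invented.
LOGIN_FORM = ('<form action="https://login.social.example/login.php" method="post">'
              '<input name="email"><input name="pass" type="password"></form>')
LOGIN_PAGE_HTTP = {"url": "http://www.social.example/", "status": 200,
                   "headers": [], "body": LOGIN_FORM}
LOGIN_PAGE_HTTPS = {"url": "https://www.social.example/", "status": 200,
                    "headers": [], "body": LOGIN_FORM}
HTTP_TO_HTTPS = {"url": "http://www.social.example/", "status": 301,
                 "headers": [("Location", "https://www.social.example/")], "body": ""}


def post_login(cookie_attrs):
    """Constructed response to the credential POST; it sets the session cookie."""
    return {"url": "https://login.social.example/login.php", "status": 302,
            "headers": [("Location", "https://www.social.example/home.php"),
                        ("Set-Cookie", "sess=abc123; Path=/; " + cookie_attrs)],
            "body": ""}


# 1. Before: HTTP login page, session cookie without Secure (sidejackable).
BEFORE = [LOGIN_PAGE_HTTP, post_login("HttpOnly")]
# 2. The opt-in HTTPS feature: Secure cookie, but the login page is still HTTP.
OPT_IN = [LOGIN_PAGE_HTTP, post_login("Secure; HttpOnly")]
# 3. What the article asks for: HTTP redirects to HTTPS before any form is shown.
FIXED = [HTTP_TO_HTTPS, LOGIN_PAGE_HTTPS, post_login("Secure; HttpOnly")]

if __name__ == "__main__":
    for label, flow in (("before", BEFORE), ("opt-in", OPT_IN), ("fixed", FIXED)):
        print(f"{label}: {audit_flow(flow) or ['ok']}")
```

Run against the three constructed flows, the audit reports two findings for the pre-2011 state, exactly one (the plain-HTTP login page) for the opt-in feature the article is grading, and none once the HTTP URL redirects to HTTPS before any form is shown. Note that the check on the form action is deliberately not enough on its own: in the opt-in flow the form already posts to an https:// URL and still fails, for the reason given in the text.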
Online services security report card – Updated 2/4/2011