Towards Secure Facebook Usage (Part 2)

INTRODUCTION

Before I go on to discuss ways of making all communication with Facebook encrypted (using HTTP over SSL, commonly referred to HTTPS), there are a few points you should be aware of:

  • Although HTTPS is widely used for internet banking and purchases online, there is a big difference between that and the security provided by the solutions below. For a start, we are trying functionality that is not offered by default on Facebook, and whatever you use (such as browser extentions) in order to add that functionality can have flaws, and may not be extensively tested.
  • There is no such thing as perfect security. If you believe you are secure (on any sort of absolute scale, even “very”, “quite”, or “reasonably”), then you’ve simply missed a possible way you could be attacked.
  • Even if you trust the encryption (and more importantly, its implementation in the software you are using), there are many other ways that you can be attacked that don’t involve directly breaking the encryption. After all, here is a simple example: what happens when information about you appears in a friend’s News-feed on Facebook, and your friend doesn’t use HTTPS to connect to Facebook? You are back to square one.

WHAT I’VE FOUND

With that out of the way, let’s get on to discussing solutions.

  1. As I was writing this article, I found out about https://ssl.facebook.com. I then thought I’d have to completely rewrite my article, and apologize for claiming that Facebook doesn’t already offer SSL capabilities. Well, sort of. This encrypts your home page, and appears to load images on that page via HTTPS. However, you have to look really closely at the URLs of the links on your homepage: clicking on most of the links (for example, any of the navigation at the very top) will drop you back into HTTP communications. Not cool. So here’s the apology: I was wrong to say that Facebook doesn’t support HTTPS without client-side solutions. I should have said that the default HTTPS support offered is poor! (Not to mention that this wasn’t the FIRST solution I found – and I didn’t find out about it from any official Facebook site).
  2. If you are using Firefox, you can get the NoScript extension (which is unofficial – not developed by Mozilla, Facebook, etc): http://noscript.net/ In addition to loads of script-blocking functionality, it also offers forcing  SSL on websites specified by the user (Options > Advanced Tab > HTTPS Subtab – it accepts wildcards as well, e.g. *.facebook.com). The HTTPS appears to “stick”, and it appears to load photos via HTTPS. You may or may not want the script-blocking functionality: it definitely is a good idea to block scripts on websites until you trust, but it can also stop stuff from working. Fortunately the script-blocking can be allowed on websites you trust by using the intuitive user-interface bar that appears when scripts are blocked.
  3. For browsers supporting user-javascript*, there are at least a couple such applications that will rewrite the links in the Facebook page to link to use HTTP instead of HTTPS. (I will not include a direct link to such a solution, because the two scripts I have seen do not support loading images via HTTPS. Moreover, Facebook’s login system involves a redirect that by default causes you to get dumped on a standard HTTP version of the homepage. The required interception of HTTP headers is beyond what can be done with Javascript, unfortunately. The NoScript solution above appears to handle this correctly)

* Opera and Chrome do this out of the box, and Firefox can do this with the Greasemonkey extension.

So those are my solutions. I’d love to hear what you’ve found. I haven’t seen Facebook Chat working with any of the above solutions.

WHAT ARE FACEBOOK’S MOTIVES IN NOT OFFERING THIS BY DEFAULT?

This article is getting a bit long, but I did promise. So I’ll try to be concise. I don’t claim to be able to see inside the heads of the people working at Facebook, but I can at least speculate. Mainly, it boils down to this: encryption takes computing power and network bandwith, and thus money. If the number of users demanding site-wide HTTPS isn’t large enough, Facebook will of course want to get away with providing as little encryption as possible. So if you want it, demand it!

References:

Advertisements

Comments are closed.