pskl.us

Facebook HTTPS setting is borked

by on Feb.07, 2011, under Reviews, Security, Whining

We are all so busy applauding facebook for adding an “always use HTTPS” setting (thanks for finally responding to firesheep, folks), but maybe we should look a little more closely at it before telling the moms of the world to just set it and forget it. The stupid thing turns itself off (and doesn’t turn itself back on) when you go to a non-HTTPS facebook page.

In case you haven’t seen it described on 50,000 websites at this point, here’s the deal with the new “feature:”

Click on “Account” at the upper right of your facebook page and choose “Account Settings” … you’ll get something like this:

facebook-01

Click on “Account Security” and you’ll be able to check the new https box, illustrated here:

facebook-02b

note that it says “whenever possible” … this implies that there are some parts of the facebook site that are NOT capable of being served up via https. I have no idea why this is still the case, but it clearly is. The wording would also imply that once you check this box, you will get a https connection “whenever possible” and a http connection when https is not possible. What it DOESN’T say is that the first time you view a non-https page, the box will simply uncheck itself and next time you go to a https-capable page, it’ll be back in vanilla http mode.

So what are these non-https-capable pages? I can’t speak for all of them, but I’d be willing to bet that most of them are “facebook applications.” The only facebook app I use is Scrabble. After checking the https box, I tried to go to Scrabble and I got this page first:

facebook-04

Excellent, right? It is warning me that I’m leaving the safe-and-cozy https-zone. What this warning SHOULD say is “if you hit ‘continue,’ you are permanently turning off the https option.”

Yes, that’s right, once I’m done playing my turn in the http-only-danger-zone of the Scrabble application, I go back to facebook home and I’m back to http.

facebook-05

I went back to check my account settings and I see this:

facebook-02

Well, that’s just fantastic.¬†What’s the point of saying “whenever possible” when it means “until impossible?” This has to be a mistake, and I hope they fix it… then we can all tell our moms to go and re-check the box as it has probably been turned off when they went to play farmville or whatever the hell other pages are non-https.


Update:
This was discussed on Tech News Today (first 5 minutes)


:, , , ,

11 Comments for this entry

  • purelogic

    it says very clearly that you need to switch to an unsecured connection. Facebook is not the only website that does this. in fact, most secure sites, once u elect to drop out of the secure zone, don’t automatically go back to a secure site. banking apps being an exception altho I have yet to run into one with links that dump you out of the secure connection without automatically logging off the secure connection first or opening a separate unsecured window.

    it also doesn’t say, “temporarily,” either. nor does it say you’re leaving a secure area. it says very plainly that you must switch to a regular connection to continue.

    what you CAN do is open the continue link in another tab or window. that will maintain your secure connection to the main site the same way other sites do so automatically with javascript.

    • jeremy

      Nope, I don’t buy it.
      The only way you should be able to turn off the https setting is by going back to the config page and unchecking the box, period.
      This is a mistake on facebook’s part, pure and simple. Excuses and workarounds for the mistake do not make it less of a mistake…especially for a website that is meant for everybody, not just people who know how to open links in new tabs. After all, people like us already knew we could force https on facebook before this setting existed. This setting is supposed to be for OTHER people. Moms, Dads, Grandmothers, etc. Set it for them and know that they are now more secure. This is not the case, and it is a mistake.
      As I said in the original post, their words are “https whenever possible.” That means that https will be used when https is possible, http will be used when only http is possible. There is absolutely no reason for them to not switch to http for apps.facebook.com, then back to https for facebook.com.
      Actually, there is no reason for apps.facebook.com to not work with https as well. They have had PLENTY of time to get this stuff working. If the feature wasn’t fully baked, they shouldn’t have released it.

    • jeremy

      oh, and just because another site does it doesn’t make it OK.

  • Stuee

    I concur with Jeremy. Thanks for the heads up, mate.

  • Alex

    Hey Jeremy –

    We’re going to make changes to the flow shortly so that the setting will remain sticky on future logins. However, the flow will continue to downgrade your Facebook connection for the duration of that session. This is currently necessary as apps.facebook.com and facebook.com share session cookies.

    The option to downgrade to HTTP is intended to be a transitional step as we give our many developers adequate time to upgrade their apps to HTTPS. You can help the process along by mailing the developers of your favorite apps and request that they begin supporting HTTPS.

    http://developers.facebook.com/blog/post/452

    • jeremy

      Thanks for the quick response, Alex. I’m glad to hear you guys have a fix in mind and I’ll definitely email the folks behind the Scrabble app.

  • Ajm

    Any one know if things like FB for the iPhone use HTTPS to begin with?

  • Verena Techie

    PS This site is http….. :/

  • Chris

    About the same time that Facebook made the “unsticky” mistake, seems they/Scrabble or a hacker has decided that the iPad version must now have access to “post on my Wall, access posts to my News Feed, and Access my data any time.” seems overly invasive.

  • Mark

    Yeah, well, the setting is “sticky” now, however, if you click on the Facebook logo at the top to quickly get back to your main page, it goes into http mode with NO warnings. Go back to account settings, and https is still turned on, however, not all the pages it’s automatically reverting to http connections are unavailable as https connections. I’ve tested a few, so availability of a secure connection seems to me to be a virtual non-issue. Facebook really needs to ramp up the script.

    One suggestion would be to default all links to https links, and ~if~ you need an http link to do something, pop a warning for every page that requires it keeping the https link default enabled. Sure, it’ll be annoying in apps, but there is a bright side to this as well. If app developers don’t want to annoy the hell out of there users any more than they already do with the spam and pay features, they’ll upgrade their apps to secure specifications.

Leave a Reply

Looking for something?

Use the form below to search the site:

Still not finding what you're looking for? Drop a comment on a post or contact us so we can take care of it!