We are all so busy applauding facebook for adding an “always use HTTPS” setting (thanks for finally responding to firesheep, folks), but maybe we should look a little more closely at it before telling the moms of the world to just set it and forget it. The stupid thing turns itself off (and doesn’t turn itself back on) when you go to a non-HTTPS facebook page.
In case you haven’t seen it described on 50,000 websites at this point, here’s the deal with the new “feature:”
Click on “Account” at the upper right of your facebook page and choose “Account Settings” … you’ll get something like this:
Click on “Account Security” and you’ll be able to check the new https box, illustrated here:
note that it says “whenever possible” … this implies that there are some parts of the facebook site that are NOT capable of being served up via https. I have no idea why this is still the case, but it clearly is. The wording would also imply that once you check this box, you will get a https connection “whenever possible” and a http connection when https is not possible. What it DOESN’T say is that the first time you view a non-https page, the box will simply uncheck itself and next time you go to a https-capable page, it’ll be back in vanilla http mode.
So what are these non-https-capable pages? I can’t speak for all of them, but I’d be willing to bet that most of them are “facebook applications.” The only facebook app I use is Scrabble. After checking the https box, I tried to go to Scrabble and I got this page first:
Excellent, right? It is warning me that I’m leaving the safe-and-cozy https-zone. What this warning SHOULD say is “if you hit ‘continue,’ you are permanently turning off the https option.”
Yes, that’s right, once I’m done playing my turn in the http-only-danger-zone of the Scrabble application, I go back to facebook home and I’m back to http.
I went back to check my account settings and I see this:
Well, that’s just fantastic. What’s the point of saying “whenever possible” when it means “until impossible?” This has to be a mistake, and I hope they fix it… then we can all tell our moms to go and re-check the box as it has probably been turned off when they went to play farmville or whatever the hell other pages are non-https.
This was discussed on Tech News Today (first 5 minutes)