We are all so busy applauding facebook for adding an “always use HTTPS” setting (thanks for finally responding to firesheep, folks), but maybe we should look a little more closely at it before telling the moms of the world to just set it and forget it. The stupid thing turns itself off (and doesn’t turn itself back on) when you go to a non-HTTPS facebook page.
In case you haven’t seen it described on 50,000 websites at this point, here’s the deal with the new “feature:”
Click on “Account” at the upper right of your facebook page and choose “Account Settings” … you’ll get something like this:
Click on “Account Security” and you’ll be able to check the new https box, illustrated here:
note that it says “whenever possible” … this implies that there are some parts of the facebook site that are NOT capable of being served up via https. I have no idea why this is still the case, but it clearly is. The wording would also imply that once you check this box, you will get a https connection “whenever possible” and a http connection when https is not possible. What it DOESN’T say is that the first time you view a non-https page, the box will simply uncheck itself and next time you go to a https-capable page, it’ll be back in vanilla http mode.
So what are these non-https-capable pages? I can’t speak for all of them, but I’d be willing to bet that most of them are “facebook applications.” The only facebook app I use is Scrabble. After checking the https box, I tried to go to Scrabble and I got this page first:
Excellent, right? It is warning me that I’m leaving the safe-and-cozy https-zone. What this warning SHOULD say is “if you hit ‘continue,’ you are permanently turning off the https option.”
Yes, that’s right, once I’m done playing my turn in the http-only-danger-zone of the Scrabble application, I go back to facebook home and I’m back to http.
I went back to check my account settings and I see this:
Well, that’s just fantastic. What’s the point of saying “whenever possible” when it means “until impossible?” This has to be a mistake, and I hope they fix it… then we can all tell our moms to go and re-check the box as it has probably been turned off when they went to play farmville or whatever the hell other pages are non-https.
This was discussed on Tech News Today (first 5 minutes)
Even our great-grandmothers know they shouldn’t log into their bank account while on open wifi, right? But what about your Google/gmail account, Facebook, Twitter, etc? The login credentials for these sites are becoming more and more valuable as they connect to more and more of our lives. Most offer some form of secure login, but they don’t make it terribly obvious.
For instance, you can go directly to https://www.twitter.com/ and you’ll get a completely HTTPS login page, including a HTTPS submit button for sending your credentials. The same goes for Facebook…however, nobody knows to use the https urls. Rather than redirecting http traffic to the https front end (and making everybody warm and fuzzy), most of these sites have simply used a https submit button so that your credentials are submitted securely. Some banks even do this, and it is infuriating. I’ve even seen FAQ links right next to the https submit buttons explaining that the site is secure even though you don’t see https at the top of the screen. You’d think it would save them a lot of customer support time and trouble by simply encrypting the entire page…but I digress.
There is an obvious problem with https submit buttons: it is far from obvious that the operation is secure. Browser developers have put a great deal of effort into making it clear when you are or are not on a properly-certified https site…change the color of the address bar, etc. So you’d think that maybe this lack of apparent security would be something the “bad people” would take advantage of? You would be correct. Sam Bowne (of samsclass.info … NOT one of the “bad people”) demonstrated a typical man-in-the-middle attack of this variety using SSLStrip (created by the great Moxie Marlinspike of thoughtcrime.org). Simply put, the targeted user is unknowingly accessing Facebook through the attacker’s proxy. The proxy replaces the HTTPS submit with a standard HTTP and then captures the submitted data when the user attempts to log in. The entire transaction is completely transparent to the targeted user.
Sam Bowne also demonstrated his own spin on SSLStrip: The Wall of Stripped Sheep. The WoSS is a nifty play on the famous Defcon “Wall of Sheep” which displays the usernames and partial passwords of people who are using the Defcon network to login to non-secure email systems/twitter/etc. In the case of the WoSS, it is a nifty little web interface that will display captured usernames and passwords (using SSLStrip) for 4 popular sites.
While it is possible to spoof SSL certs and truly pull off a sinister man-in-the-middle attack for https sites (see Moxie’s incredible Defcon talk from this year), it is much more difficult to pull off and considerably more rare in the wild. Attacks like SSLStrip are much easier for the average scumbag to use to gain access to your email account, which, as we all know, is the doorway to every other site/service you use. Even if some baddie doesn’t use this as a jumping off point for full-on identity theft, do you want somebody farting around in your Facebook account?
So what do you do? When possible, go directly to the https version of the site rather than the default http. When that isn’t possible, and you absolutely MUST sign into some site, try a nifty little (experimental) Firefox plugin called “Safe” from the Mozilla addons site.
As the description says, Safe makes SSL and extended SSL more visible to the user. The most obvious thing that Safe does is to add a green or blue border to https sites depending upon whether they have a Extended Validation (EV) cert (which makes the border green) or a normal cert (which makes the border blue). I didn’t feel like looking around for an expired cert site, but I believe it gives you a red border if that is the case. See the following examples:
The next thing Safe does for you is to make you aware of https submit buttons. Brilliant. Down at the bottom of your browser, it adds a little key icon which looks like this:
However, when you hover your mouse over a button that submits via https, it looks like this:
This functionality should really be built into Firefox. Until it is, I recommend installing this addon and keeping an eye on the little key. I probably don’t have to explain this, but just in case, here is the jist:
If you don’t see that key light up when you are about to submit credentials for some website, it is much easier for somebody to intercept them.
If you are reading this blog, I gotta figure you know how common this threat is, but I figured I’d say it anyway.
If you would like to protect yourself even more, check out this nifty tool from Irongeek (brought to my attention by Sam Bowne). It is called DecaffeinatID and, among other things, it gives you an alert if the MAC address associated with a gateway IP changes (this is a clue that somebody is doing some ARP spoofing and probably lining you up for a man-in-the-middle attack).
Good luck protecting yourself…