
Facebook Switching To HTTPS By Default

Unknown Lamer posted about a year ago | from the single-party-spying dept.

Facebook 92

Trailrunner7 writes "Facebook this week will begin turning on secure browsing by default for its millions of users in North America. The change will make HTTPS the default connection option for all Facebook sessions for those users, a shift that gives them a good baseline level of security and will help prevent some common attacks. Facebook users have had the option of turning on HTTPS since early 2011 when the company reacted to attention surrounding the Firesheep attacks. However, the technology was not enabled by default and users have had to opt-in and manually make the change in order to get the better protection of HTTPS."


92 comments

Need password (4, Insightful)

jfdavis668 (1414919) | about a year ago | (#42034271)

Would be helpful if I didn't need a password to read the linked article.

Re:Need password (2)

arobatino (46791) | about a year ago | (#42034355)

It's a typo. Remove the trailing apostrophe in the URL.

Re:Need password (4, Informative)

TheInternetGuy (2006682) | about a year ago | (#42035057)

It's a typo. Remove the trailing apostrophe in the URL.

Still not working here. I need to go to;
https://threatpost.com/en_us/blogs/facebook-enabling-https-default-north-american-users-111912

How long does it take to get a cert? (1)

fsck1nhippies (2642761) | about a year ago | (#42034291)

I can't believe this would be considered news? Facebook figures out how to do a redirect to a HTTPS page. No wonder their IPO was a flop... It will be amazing if they are here in a year.

Re:How long does it take to get a cert? (0)

Anonymous Coward | about a year ago | (#42034509)

Did you say the same when Google did this last year, or are you just a fucking moron?

Re:How long does it take to get a cert? (4, Insightful)

Culture20 (968837) | about a year ago | (#42034511)

They've had a cert (and an https only option) for years. They apparently finally have the computing power to make it default (it's not free to encrypt every little transaction, and their pages auto update).

Re:How long does it take to get a cert? (0)

Anonymous Coward | about a year ago | (#42034703)

it costs to decrypt too, and is significant on arm cpus, which there are plenty of on phones and tablets!

Re:How long does it take to get a cert? (3, Informative)

TheRealGrogan (1660825) | about a year ago | (#42035147)

Yes, I don't like the use of https where it's not needed. It's more overhead all around and YES it matters on busy servers and slow, high latency links. It can also mean the difference between accessing and not accessing the site with a misconfigured router (e.g. wrong MTU on a PPPoE connection can make SSL not work correctly. There's one ISP here that needs packets no larger than 1454 bytes or there's trouble signing into various services. The default on the routers is 1492 for PPPoE, which is supposed to be correct but gets people every time. The ISP doesn't "support" routers, unless they supply, configure and lock you out of them. So I get service calls over that all the time)

I do not need SSL on Google. Like I give a fuck if people snoop my search phrases. (I'll search for "kiss my ass" just in case the bogey man is listening) I would want SSL for signing in to, say, Gmail or something but I don't need it for all communications. Now that Google has carried the https over to Youtube, some silly browsers (e.g. IE8) prompt on the loading of every damned page because there's a mix of secure and non secure content. Really smart.

Re:How long does it take to get a cert? (4, Insightful)

ewieling (90662) | about a year ago | (#42035449)

If you only use SSL when you have something to protect, then you are telling any attacker (including a government "attacker") exactly which data you think is important.

Re:How long does it take to get a cert? (0)

Anonymous Coward | about a year ago | (#42036035)

The authentication cookie is what needs protecting.

Re:How long does it take to get a cert? (3, Insightful)

dajjhman (2537730) | about a year ago | (#42040069)

Actually, without SSL Man in the Middle Attacks are very problematic. As a security researcher, I can tell you that it is very easy to cause mayhem with http-based traffic for facebook. We'd launch a proxy on the network, and funnel traffic through it. With no security, we could, for example, change the destination and content of messages, and see everything.

Re:How long does it take to get a cert? (3, Insightful)

LordLimecat (1103839) | about a year ago | (#42036541)

You mean those same governments whose root certs are already in 90% of computer trust chains?

Protip: your computer very likely trusts a root cert from a Chinese company with "strong" ties to their government. Sleep well.

Re:How long does it take to get a cert? (0)

Anonymous Coward | about a year ago | (#42038905)

Protip: your browser very likely trusts a root cert from a Chinese company with "strong" ties to their government. Sleep well.

FIFY

Re:How long does it take to get a cert? (2)

LordLimecat (1103839) | about a year ago | (#42039179)

No, computer. Browsers tend to use the system trusted root cert info. On OSX you install certs to the system certificate chain to get SSL errors to disappear in your browser, email, etc. Ditto on Windows for RDP, email, browsing, and VPNs (SSTP).

Firefox may be the odd man out-- I believe it uses its own internal trusted roots list.

Re:How long does it take to get a cert? (1)

asdf7890 (1518587) | about a year ago | (#42040661)

Nope. Not just your browser. Your browser, your OS & some of its support libraries that many other apps may use.

Re:How long does it take to get a cert? (1)

ewieling (90662) | about a year ago | (#42042019)

If the government wants to read my SSL traffic badly enough they will find a way. I'm not concerned about the NSA, CIA, Military, etc. If they take an interest in me, then I'm totally fucked anyway. I'm concerned with the rest of the government, I want them to work just a little harder to get access to my data. Think of it like locks on doors. They won't keep out a determined thief, but they are not intended to. They are intended to make you less of a target than your neighbors. i.e. you are making the thief work just a little harder to steal your stuff than your neighbors' stuff. Fortunately I'm a nobody. I don't do stuff to piss off the government and I hope they never think I'm associated with someone who does piss off the government.

Re:How long does it take to get a cert? (1)

fa2k (881632) | about a year ago | (#42038329)

That's not a problem though, as they will not be able to read it anyway. All they know is what server you connected to and the size, number and time of packets in each direction. [Also read comment below, your attacker may have access to a root CA. I'd mod that up if I had mod points.] One benefit of encrypting unimportant traffic, apart from the actual security benefits like when using open WLANs, is that it makes it much more difficult to block specific pages.

Re:How long does it take to get a cert? (1)

LordLimecat (1103839) | about a year ago | (#42036495)

Now that Google has carried the https over to Youtube, some silly browsers (e.g. IE8) prompt on the loading of every damned page because there's a mix of secure and non secure content. Really smart.

I'm glad you're not in charge of making browsers. The reason that's a big deal is because when you request an SSL page that has a valid cert, the assumption is that your connection is secure from MITMs. If some of the content on the page is insecure, the value of SSL is basically nil: someone can inject html / js that overlays the secure content, so instead of putting usernames / passwords into a secure submission form you are putting it into the attacker's overlaid insecure submission form. Once you press submit, that data is transmitted in the clear, you likely get an error page asking you to try again, and the attacker now has all your info.

That's why all browsers with a clue let you know about that gigantic, ridiculous, glaring security hole with mixed content.
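
Added example (not part of the thread or any poster's code): a small audit script a site owner could run to find the mixed content this comment describes, i.e. subresources and form targets that an HTTPS page still loads or submits over plain HTTP. The page URL, host names and HTML below are constructed for illustration, and the active/passive split is a simplification of what browsers apply.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Subresources that can script or restyle the page ("active" mixed content).
ACTIVE = {"script": "src", "iframe": "src", "object": "data", "embed": "src"}
# Subresources that are only displayed ("passive" mixed content).
PASSIVE = {"img": "src", "audio": "src", "video": "src", "source": "src"}


class MixedContentScanner(HTMLParser):
    """Collects (kind, tag, absolute_url) for every plain-HTTP reference."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []

    def _check(self, kind, tag, value):
        if not value:
            return
        # Resolve relative and protocol-relative URLs against the page,
        # exactly as a browser would, before looking at the scheme.
        url = urljoin(self.page_url, value.strip())
        if urlparse(url).scheme == "http":
            self.findings.append((kind, tag, url))

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag in ACTIVE:
            self._check("active", tag, a.get(ACTIVE[tag]))
        elif tag in PASSIVE:
            self._check("passive", tag, a.get(PASSIVE[tag]))
        elif tag == "link" and "stylesheet" in (a.get("rel") or "").lower().split():
            self._check("active", tag, a.get("href"))
        elif tag == "form":
            # A form posting to http:// sends the typed credentials in the clear.
            self._check("form", tag, a.get("action"))


def scan(page_url, html):
    """Return mixed-content findings in document order.

    Mixed content only exists on an HTTPS page, so an http:// page
    yields no findings by definition.
    """
    if urlparse(page_url).scheme != "https":
        return []
    scanner = MixedContentScanner(page_url)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample page (hypothetical hosts under the reserved .test TLD).
PAGE_URL = "https://www.example.test/watch"
SAMPLE_HTML = """
<html><head>
<link rel="stylesheet" href="https://static.example.test/site.css">
<script src="http://cdn.example.test/widgets.js"></script>
<script src="//cdn.example.test/ok.js"></script>
</head><body>
<img src="http://img.example.test/photo.jpg">
<img src="/local.png">
<form action="http://login.example.test/session" method="post">
<input name="user"><input name="pass" type="password">
</form>
<a href="http://other.example.test/">plain link, not a subresource</a>
</body></html>
"""

if __name__ == "__main__":
    for kind, tag, url in scan(PAGE_URL, SAMPLE_HTML):
        print(f"{kind:8} <{tag}> {url}")
```
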

Re:How long does it take to get a cert? (1)

TheRealGrogan (1660825) | about a year ago | (#42038607)

In this case none of that content needs to be encrypted in the first place. This isn't your bank, it's just a video site.

I have noticed the problem only with IE8. I suppose that nobody else except you and it, have a clue?

It is probably erroneous.

Re:How long does it take to get a cert? (1)

LordLimecat (1103839) | about a year ago | (#42039207)

Youtube uses your google account for login. I really don't think you want your gmail credentials out in the open.

And Chrome WILL warn you if there is mixed content-- they just do it with an icon rather than a popup. The popup you noticed originated at least as far back as IE6, and possibly earlier.

Re:How long does it take to get a cert? (1)

TheRealGrogan (1660825) | about a year ago | (#42044501)

No, I am saying that IE8 is erroneously putting up that message. I know what it means and yes, it's been around much earlier than IE6. I think I remember it in Netscape even.

I don't sign in to youtube. I don't sign in to Google. I opted out of all the social networking tripe. (I forget what they call it, but there's a central site you can use to opt out of Google Everything all at once, and only keep what you want.) I have a disposable Gmail account, with completely false information that I log in to maybe once every few months (or if I'm expecting correspondence) and then I log out of it.

So no, I really don't care to have my searches over SSL. It's just unnecessary overhead. I also don't care to read mailing list archives or download source code over SSL either.

Re:How long does it take to get a cert? (0)

Anonymous Coward | about a year ago | (#42037729)

You do need it. Google services transfer your session id back and forth all the time, you can't ssl it "a bit". That's how the interwebz work, sorry; feel free to choose a different mail provider, search engine and social network.

Re:How long does it take to get a cert? (0)

Anonymous Coward | about a year ago | (#42037855)

I do not need SSL on Google. Like I give a fuck if people snoop my search phrases. (I'll search for "kiss my ass" just in case the bogey man is listening) I would want SSL for signing in to, say, Gmail or something but I don't need it for all communications. Now that Google has carried the https over to Youtube, some silly browsers (e.g. IE8) prompt on the loading of every damned page because there's a mix of secure and non secure content. Really smart.

Google is Gmail, YouTube, Google Search, Google Maps, Google Calendar, Google Shopper, Google Play, Google+, Google Drive, Google Reader, Google Wallet and of course Google Chrome, plus more. Of those, many should require SSL by default.

If I create an event such as an actual meeting in Google Calendar for only a few people on Google+ to see such as coworkers, I'd rather it be encrypted to further ensure snooping parties can't know about it. Otherwise filling in where it is taking place could be a privacy concern. Google Maps allows you to save locations such as home and workplace. Encrypt that to help prevent stalking. Gmail should of course be secure for obvious reasons. YouTube is like Google Search (and Google Image Search of course): all you're doing is entering search queries. Of course, something like "20 ways to kill your boss" could obviously be a scary thing. Funny thing is that you'd be searching for a game called Whack Your Boss [whackyourboss.com].

You probably need SSL more than you think, especially when features are added that could compromise your personal safety due to revealing your physical location in some way. Even checking into a place on Google+ or Facebook or Google Latitude or something similar could cause a problem for you without SSL.

Now if you'll excuse me, I have a tinfoil hat to put on.

Re:How long does it take to get a cert? (0)

Anonymous Coward | about a year ago | (#42035925)

Google disagrees. http://www.imperialviolet.org/2010/06/25/overclocking-ssl.html

"SSL/TLS is not computationally expensive any more."

Re:How long does it take to get a cert? (1)

LordLimecat (1103839) | about a year ago | (#42036515)

Not just intel. Use a modern AMD processor or any Xeon E3 or above, and you can hit in excess of 10gbit/sec of AES traffic thru the processor alone (not even counting accelerators). I understand there are PCIe accelerators out there by Exar that can give a pretty substantial boost as well.

Re:How long does it take to get a cert? (2, Insightful)

heypete (60671) | about a year ago | (#42038107)

Indeed. The "heavy" part of SSL is doing the connection setup and exchange as it uses asymmetric algorithms like RSA or Diffie-Hellman for key exchange. The actual bulk encrypted transport is relatively lightweight. It never made much sense to me to spend the cycles to setup a secure connection, use it for protecting the login/password, and then dropping back to an insecure page when you could just keep the same connection secure for minimal additional resources.
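
Added example (not part of the thread or any poster's code): a model of why the "SSL for login only" design discussed here still exposes the session, and what changes once the session cookie is marked `Secure` and the whole site stays on HTTPS. Cookie names, values and the host are constructed; domain and path matching are deliberately left out, so every cookie is assumed to belong to the requested host.

```python
from urllib.parse import urlparse


def parse_set_cookie(header):
    """Split one Set-Cookie header value into (name, value, attributes)."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        # Flag attributes such as Secure and HttpOnly carry no value.
        attrs[key.strip().lower()] = val.strip() if val else True
    return name.strip(), value.strip(), attrs


def cookies_sent(set_cookie_headers, request_url):
    """Cookies a browser attaches to request_url (same host assumed).

    The only rule modelled is the one that matters here: a cookie with
    the Secure attribute is never sent over a non-HTTPS connection.
    """
    scheme = urlparse(request_url).scheme
    sent = {}
    for header in set_cookie_headers:
        name, value, attrs = parse_set_cookie(header)
        if attrs.get("secure") and scheme != "https":
            continue
        sent[name] = value
    return sent


def exposed_on_http(set_cookie_headers):
    """Names of cookies visible to anyone on the path of an http:// request."""
    return sorted(cookies_sent(set_cookie_headers, "http://www.example.test/"))


# Constructed login responses (values are placeholders, not real tokens).
# Design A: login form is HTTPS, the rest of the site drops back to HTTP,
# so the session cookie cannot be Secure or the site would log the user out.
LOGIN_ONLY_SSL = [
    "session_id=CONSTRUCTED-abc123; Path=/; HttpOnly",
    "locale=en_US; Path=/",
]
# Design B: HTTPS for every page, session cookie restricted to HTTPS.
HTTPS_EVERYWHERE = [
    "session_id=CONSTRUCTED-abc123; Path=/; Secure; HttpOnly",
    "locale=en_US; Path=/",
]

if __name__ == "__main__":
    print("login-only SSL, exposed on http:", exposed_on_http(LOGIN_ONLY_SSL))
    print("HTTPS everywhere, exposed on http:", exposed_on_http(HTTPS_EVERYWHERE))
```
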

Re:wrong! (0)

Anonymous Coward | about a year ago | (#42037741)

The IPO was not a flop, yet a huge influx of capital. Even if the stock were to fall to $8 dollars, facebook would still have enough money to continue on trying to integrate facebook into everything. It's really genius how they over valued facebook at 100 billion, yet to have it fall to a valuation of 35 billion which is still over valued by 34.8 billion.

Link to article has extra character at end (5, Informative)

mcl630 (1839996) | about a year ago | (#42034301)

Re:Link to article has extra character at end (0)

Anonymous Coward | about a year ago | (#42034365)

Interesting bug. I wonder if one can exploit this using SQL injection.

Re:Link to article has extra character at end (0)

Anonymous Coward | about a year ago | (#42034501)

Or for those who don't believe in encrypting reading articles.

http://threatpost.com/en_us/blogs/facebook-enabling-https-default-north-american-users-111912

I think this whole https by default is terrible myself.

If I compare the load time of http and https for a single image the results are:

[code]
# time curl -O http://sphotos-a.xx.fbcdn.net/hphotos-ash3/550798_439936972722687_1113979556_n.jpg
-abbrev-due-to-slashdot-
curl -O 0.00s user 0.01s system 2% cpu 0.629 total

versus

# time curl -O https://sphotos-a.xx.fbcdn.net/hphotos-ash3/550798_439936972722687_1113979556_n.jp
-abbrev-due-to-slashdot-
curl -O 0.00s user 0.02s system 1% cpu 1.107 total
[/code]

Both of them being served from a Facebook CDN in San Jose?

For some reason I've randomly had Facebook utilise https links in the past and I've already tried opting out of HTTP. I figure, Facebook are the bad guys -- what could be worse than someone else intercepting the contents?

I had to remove the content of curl due to slashdot.

Re:Link to article has extra character at end (1)

YodasEvilTwin (2014446) | about a year ago | (#42043693)

Is 0.01 seconds on a single attempt what you consider "significant"? Because it's not. Try a statistically meaningful number of attempts with either (a) a larger file where hiccups have less effect on the total time or (b) real-world usage with multiple assets of various sizes.

power (3, Interesting)

Anonymous Coward | about a year ago | (#42034303)

wonder what the implications are from a power consumption perspective?

Re:power (0)

Anonymous Coward | about a year ago | (#42034475)

They should have a dedicated server for encryption and caching. With a dedicated encryption card, this server should be able to handle 10,000s of connections easily. The overall power consumption should be the same.

Re:power (0)

Anonymous Coward | about a year ago | (#42035243)

So you're saying the encryption processor consumes absolutely no power at all?

Re:power (0)

Anonymous Coward | about a year ago | (#42035915)

In the scheme of things, absolutely. My bet would be on ~0.01% more power consumption. Low enough to be rounding error.

SSL hardware acceleration? (2)

timeOday (582209) | about a year ago | (#42034431)

Anybody know if facebook is using any hardware SSL acceleration? Or is throwing more commodity CPUs at it the better choice?

Re:SSL hardware acceleration? (4, Informative)

Hadlock (143607) | about a year ago | (#42034493)

Crystal Forest is supposed to have SSL acceleration built in. Ivy Bridge (2012) has AES acceleration built in on midrange i5s and up, and I think AES was supported by some processors as early as Sandy Bridge (2011). Crystal Forest is a platform rather than microarchitecture, and I'm not sure exactly when it will be released.

Re:SSL hardware acceleration? (0)

Anonymous Coward | about a year ago | (#42037053)

I am sure that the facebook guys have thought this through, but currently facebook.com returns multiple ip addresses (dns round robin) which will cause the client to re-negotiate the ssl handshake every time they hit the facebook.com endpoint. Unless they are sharing the ssl session cache there will be a dramatic performance decrease due to all of the ssl handshakes. Any OS which does not enable dns caching, like linux by default (NSCD sucks:() will see a huge performance hit from this.
Also, the AES-ni will help with throughput, but will not help with the ssl handshakes and in the testing that I did when we switched from a hardware accelerated ssl termination point to a software based one, AES-ni really did not help with the already existing ssl sessions unless there were connections which took more than a few seconds to complete.

Our software based solution is around 20,000 new ssl terminations per second
with 150,000 re-use per second
and I am able to push around 20 Gbps of traffic (with aes-ni of course) 12 Gbps without aes-ni

haproxy is the sweet sauce.

Re:SSL hardware acceleration? (0)

Anonymous Coward | about a year ago | (#42037493)

Google has been working on reducing the latency for HTTPS connections. Look up "false start" and "snap start". Basically, the client can skip some steps (partially based on assuming the server response will be the same as before) to reduce the number of round trips needed for HTTPS connections.

Re:SSL hardware acceleration? (1)

SuperQ (431) | about a year ago | (#42034565)

With modern machines you only spend about 2% of your CPU handling the HTTPS part of the transaction, especially with HTTPS connection re-use handling. Back when they first started enabling HTTPS I calculated that it might take one more rack of machines to handle all the HTTPS needs for facebook in a worst-case situation. One rack is a drop in the bucket for the http front ends these days for service as big as facebook.

Re:SSL hardware acceleration? (0)

Anonymous Coward | about a year ago | (#42034639)

A10networks.

No, multiple CPUs is not a better choice.

      http://www.a10networks.com/products/axseries-product_specifications.php#with_fta

I work with F5, Citrix and A10. hands down A10 leads in terms of price performance - AX5200

Re:SSL hardware acceleration? (0)

Anonymous Coward | about a year ago | (#42035369)

Hardware SSL is passé. CPU's are all very fast if not accelerated for it now.

Re:SSL hardware acceleration? (0)

Anonymous Coward | about a year ago | (#42038327)

Facebook use hardware from F5 Networks. No other vendor has hardware that can scale like F5.

Thanks, Facebook. (5, Funny)

pushing-robot (1037830) | about a year ago | (#42034453)

Twitter did it a while back. Facebook finally jumped on the bandwagon. Now if only ChatRoulette would follow suit, I could finally bare every detail of my life to strangers without fear of prying eyes.

Re:Thanks, Facebook. (0)

Anonymous Coward | about a year ago | (#42034575)

Google needs to do it too, should not be optional.

Re:Thanks, Facebook. (4, Funny)

varargs (2260180) | about a year ago | (#42034627)

Zuckerborg would be a hero in my book if he would redirect all of facebook to /dev/null.

Re:Thanks, Facebook. (-1)

Anonymous Coward | about a year ago | (#42034921)

You'd be a hero in everyone's book if you shut the fuck up and killed yourself!

Re:Thanks, Facebook. (0)

Anonymous Coward | about a year ago | (#42035183)

Can we say addition

Re:Thanks, Facebook. (0)

Anonymous Coward | about a year ago | (#42041239)

Sure, you can add other people to the mayhem too.

Re:Thanks, Facebook. (1)

Ford Prefect (8777) | about a year ago | (#42038505)

Zuckerborg would be a hero in my book if he would redirect all of facebook to /dev/null.

Actually, he'd probably get it the wrong way round and redirect that howling infinite void of /dev/null out to the entire populace of Facebook - instantly terminating, unending nothingness piped through smartphones and laptops and desktop computers, straight into the uncomprehending, newly-obliterated minds of the social networking masses.

Still, everyone would find it an improvement over the previous service.

Re:Thanks, Facebook. (1)

roc97007 (608802) | about a year ago | (#42034977)

  "[...] I could finally bare every detail of my life to strangers without fear of prying eyes"

Um.... um... where do I begin...

No big deal (3, Insightful)

Sarten-X (1102295) | about a year ago | (#42034517)

Of course, the biggest security vulnerability is on one end of the connection, and the biggest threat to privacy is on the other. HTTPS won't help much for those.

It's not about security but more privacy (2)

JcMorin (930466) | about a year ago | (#42034633)

I think you should see it the other way around. For me HTTPS is more about privacy than security... Having my connection encrypted prevents my company, ISP, governments or any routers in between from knowing what I'm doing. Security is usually, as you said, related to your computer or the web site getting hacked or not. IMO the web should be https by default.

Re:It's not about security but more privacy (1)

ark1 (873448) | about a year ago | (#42035411)

Problem is whatever you upload to Facebook should be considered as exposed/compromised even if you set your privacy settings otherwise. You just know sooner or later another Facebook screw up will occur and information meant to remain private will be made public.

Re:It's not about security but more privacy (0)

Anonymous Coward | about a year ago | (#42036099)

If you're running SSL from a company-controlled computer, realize that they control what CAs are trusted, and so they can do corporate man-in-the-middle proxies to decrypt any SSL traffic. This is commonly done to check for malicious stuff over SSL connections (less so to eavesdrop on employees, but this is, of course, possible).

So my Driftnet screen will go black? (3, Interesting)

rduke15 (721841) | about a year ago | (#42034831)

This is really sad news. My driftnet/webcollage [ex-parrot.com] screen in my living room will get boring if it gets starved of all the neighbours' Facebook activity. https is killing all the fun!

Re:So my Driftnet screen will go black? (0)

Anonymous Coward | about a year ago | (#42035867)

I wanted to do the same thing with an old first gen digital picture frame. Oh well put the soldering iron away for another day.

Re:So my Driftnet screen will go black? (1)

flyingfsck (986395) | about a year ago | (#42036543)

You could display chatroulette on your picture frame. It would be much the same thing...

Re:So my Driftnet screen will go black? (0)

Anonymous Coward | about a year ago | (#42047545)

If you want a picture frame displaying thousands of live images of random penises, no one is stopping you...

Re:So my Driftnet screen will go black? (0)

Anonymous Coward | about a year ago | (#42037721)

If there is still an option for normal HTTP traffic on Facebook, you can try using something like SSLStrip to force unencrypted connections. Most users won't notice the lack of an s in the address bar, especially since they never used to have it.

That's nice (3, Insightful)

viperidaenz (2515578) | about a year ago | (#42034849)

Maybe they just want to make it harder for 3rd parties to see their traffic. Browsers won't show https url's as a referer, so advertisers can't audit their click rates.

Craigslist forums are now https (0)

Anonymous Coward | about a year ago | (#42035935)

Not the entire site, just the forums. I noticed this change about a week ago, right after the New York attorney general subpoenaed CL for IP addresses of alleged gasoline price gougers. But the for sale and jobs listings are still port 80, so I'm not sure what Craig is after.

facebook, more like crackbook (-1)

Anonymous Coward | about a year ago | (#42035939)

Crackbook, digital dope for nerds................
You would have to be somewhat stupid not to realise exactly how much of a bad idea it is to put all of your personal information and connections online for any government to peruse. Just an automated surveillance and evidence collection system. I would love to see the figure of exactly how many people have been incarcerated or killed because of social media. My bet is in 10 years this figure will outweigh deaths from smoking.........
Only plastic people have facebook accounts ( you know sheeple, the fake semi humans bred to power the corporate machine, trained never to think outside the square) HTTPS will not stop your GOV from using your information against you.

Have a nice day.

http should be banned (0)

Anonymous Coward | about a year ago | (#42036141)

HTTP should be banned.

Yes, I know there is an associated cost to it, there's an associated cost to everything, so figure it out. So the CEO might have to get a Porsche instead of Ferrari.

Wah!

Performance implications of HTTPS (0)

Anonymous Coward | about a year ago | (#42036185)

Thanks for completely destroying any ability to cache content. Really speeds up the "web experience", because as we all know, with your "Web 2.0" shit it's already blazing fast, right?

Thanks for the added protocol overhead required for certificate and cipher negotiation for every connection. Really speeds things up too! Can't wait for those Location: redirects too, that way I can battle with my browser when clicking the Back button faster than it can get headers!

Thanks for using HTTPS exclusively; it's very important that all those compressed images be transmitted securely! Really speeds up loading times for big images, and it's not like sites like Facebook have images at all! *clicks a button and isn't sure what's going on because some Javascript bullshit behind the scenes is doing something, so clicks another button which may or may not do something based on if previous button is still blocking or not*

Thanks for removing any ability to troubleshoot what's going on (by use of Wireshark -- for legit purposes, not nefarious). Really helps debug issues, especially when "abstract frameworks" are used across multiple layers of an infrastructure (front-end to back-end)!

So yes, thanks everyone, for moving to HTTPS entirely! If your concerns were purely about plaintext passwords going across the wire via HTTP, you could have just designed your shit differently while using RFC 2817 for the authentication bits only. But nah, that'd require some brainpower and thinking about all the above implications. Better to just use SSL entirely. Excellent design as a result of fantastic engineering choices.

Cheers!

Captcha: smarted

Re:Performance implications of HTTPS (0)

Anonymous Coward | about a year ago | (#42037001)

Disregard that, I suck cocks!

Re:Performance implications of HTTPS (0)

Anonymous Coward | about a year ago | (#42037737)

Well I'm glad we cleared that up.

Yawn ... (1)

drpimp (900837) | about a year ago | (#42036211)

Glad the populace on there will enjoy HTTPS as I have explicitly been using for years now. I never wanted my pesky network admins sitting on the wire and watching what I post when I am at work ... errrrr on break ... errr I mean ...

Re:Yawn ... (0)

Anonymous Coward | about a year ago | (#42036473)

Glad the populace on there will enjoy HTTPS as I have explicitly been using for years now. I never wanted my pesky network admins sitting on the wire and watching what I post when I am at work ... errrrr on break ... errr I mean ...

They can still see your posts. If you control the network a MITM exploit is pretty trivial.

awesome! (0)

Anonymous Coward | about a year ago | (#42036455)

This means I'll have more exclusive rights to the content shared with my man in the middle attack!

Facebook + Security = WTF? (1)

Shavano (2541114) | about a year ago | (#42036655)

They still encourage you to air all your soon-to-be-former-friends' laundry and sell their identities for entertainment.

Latency to https? (1)

Twinbee (767046) | about a year ago | (#42037271)

Will https add any latency to site navigation?

Re:Latency to https? (1)

heypete (60671) | about a year ago | (#42038119)

I've opted to use https only on Facebook for a year or so and haven't noticed any discernible difference.

Quicker HTTPS (1)

u64 (1450711) | about a year ago | (#42048381)

A few things that may help on Palemoon and Firefox :

  Make sure SSL pages get cached,
browser.cache.disk_cache_ssl;true

  Pipeline the SSL too,
network.http.pipelining.ssl;true

  TorBrowser uses this,
security.ssl.enable_false_start;true

  And as always, reduce some traffic bloat,
dom.storage.enabled;false
gfx.downloadable_fonts.enabled;false
browser.chrome.image_icons.max_size;16
general.useragent.override;Mozilla/5.0 (Windows NT 6.1; rv:9.0) Gecko/20100101 Firefox/9.0

  If you want, at the cost of stickier browser-fingerprint,
image.http.accept;*

opt-in opt-out (0)

Anonymous Coward | about a year ago | (#42037659)

Typical FB: opt-in on security when you always have to opt-out on privacy rights?

Now - finally "force-in" on security - really long overdue...

cap buster (0)

Anonymous Coward | about a year ago | (#42037685)

all those facebook addicts, all those pageviews and all that content that will no longer be cached by browser.........

Re:cap buster (1)

jedwidz (1399015) | about a year ago | (#42049175)

HTTPS content can be cached in the browser, and why not?

You can expect to lose proxy caching though.

(Unless your corporate proxy is kind enough to decrypt your traffic and then cache it...)

Turning on secure browsing by default? (1)

dgharmon (2564621) | about a year ago | (#42039109)

Except, if you are at the end of a corporate proxy, your encrypted session can be easily eavesdropped on .. link [crypto.com]

A problem I have with that... (0)

Anonymous Coward | about a year ago | (#42039177)

Last year I succumbed to Facebook's nagging and I finally opted to raise my security to the HTTPS setting. Largely to shut it the @#$% up.

Nagging was worse than ad-supported software.

However once I did that my troubles began. None of the games I played would run under the HTTPS and instructed me to drop back to the HTTP security. However once I did that, Facebook was nagging me "Did I really want to do that?" and "Are you certain that this is wise? The higher security is better to protect your identity".

After several attempts I gave it up and left it at the HTTPS setting. Haven't played a Facebook game or ran a Facebook app since.

So my question is...what's going to happen to all the people who are addicted to all the apps and games? Will they *finally* run under the higher security setting? Or are we going to hear the wailing and gnashing of teeth as people start going into withdrawal when they can't check on their farms to see if they got the magical macguffin of the week?

I have a slight problem with this... (3, Interesting)

Phoenix (2762) | about a year ago | (#42039197)

Last year I succumbed to Facebook's nagging and I finally opted to raise my security to the HTTPS setting. Largely to shut it the @#$% up.

Nagging was worse than ad-supported software.

However once I did that my troubles began. None of the games I played would run under the HTTPS and instructed me to drop back to the HTTP security. However once I did that, Facebook was nagging me "Did I really want to do that?" and "Are you certain that this is wise? The higher security is better to protect your identity".

After several attempts I gave it up and left it at the HTTPS setting. Haven't played a Facebook game or ran a Facebook app since.

So my question is...what's going to happen to all the people who are addicted to all the apps and games? Will they *finally* run under the higher security setting? Or are we going to hear the wailing and gnashing of teeth as people start going into withdrawal when they can't check on their farms to see if they got the magical macguffin of the week?

[I didn't notice that my comp was logged off of my account and posted it as an anon-coward]

Re:I have a slight problem with this... (1)

Unknown Relic (544714) | about a year ago | (#42043331)

Facebook used to allow apps/games to optionally provide a secure URL to be used when a user was logged in via https but it was up to the developer to determine if https was supported or not. Because SSL = the need to purchase a certificate many did not, but it's now required that a secure URL be provided.

Re:I have a slight problem with this... (1)

bill_mcgonigle (4333) | about a year ago | (#42044573)

I suppose they'll be forced to finally support their app on HTTPS, like they should have done two years ago.

Such valuable data (1)

Jaza (178039) | about a year ago | (#42041661)

Britney Braindead:
"OMG peepz Justin Bieber is on the morning show... switch channels RIGHT NOW!!!"
2 minutes ago

SSL... is it really necessary?

man in the middle (0)

Anonymous Coward | about a year ago | (#42042307)

This will make no difference to many people who use preconfigured browsers at their place of work. Fake certs for facebook and other sites are inserted into the browser so that the users don't see the man in the middle decoding their traffic.
The average user has no idea this is possible and even those who do know would probably not think to check the certs stored in the browser.

Great! (0)

Anonymous Coward | about a year ago | (#42044853)

That's Fantastic! Https will keep those prying eyes away except for the built in Gov't back door to Facebook. Cool :-)
