26 January 2011

Facebook Introduces HTTPS Opt-In for Users, Impacts App Developers

In an article posted today on the Facebook Developer Blog, Facebook announced that they would be offering users the option to switch their Facebook experience to HTTPS-only, which would force all Facebook page loads to be routed over SSL.

According to the blog entry, this feature would be opt-in, and canvas application developers would need to provide an SSL URL for the “Secure Canvas URL”.

If a user who has opted into the SSL-only version of Facebook attempts to access a Facebook Application that doesn’t have a Secure Canvas URL set, the user will evidently be shown a message (which will likely be confusing and scary, not because Facebook will purposefully make it so, but because most users don’t really understand SSL) that will give them the option to switch from HTTPS to HTTP. From the post:

If you do not provide a secure Canvas URL, we will display a confirmation page to let HTTPS users switch to HTTP and continue to your app.

This currently affects CANVAS apps only – not application tabs – although that may very well change once Facebook pushes the IFRAME version of tabs out some time in Q1.

HTTPS is slower and more server-intensive than HTTP, and it’s one more cost/timeline issue that has to be factored in. For some clients, I set up the hosting environment (which would include DNS, SSL, etc.) – for others, their IT department provisions web space and handles DNS, and they often require a mountain of paperwork and a week to process.

For the latter scenario, the cost of the certificate is negligible, but for a highly-trafficked app, the increase in server load could have serious financial impact. It could mean the difference between needing one server and several.

For smaller companies, stepping up to SSL would mean buying a certificate and potentially paying extra for the dedicated IP address it will need, and if the app takes off, a much heftier hosting bill for running everything over SSL.

If the above would actually, truly improve the safety of the users in some significant way, I’d probably still be on-board.

Security is something I take very seriously, and in 2010, Firesheep showed the world how easy it was to hijack a user’s Facebook session and essentially pwn their account because the session data was being transmitted unencrypted and was sniffable over public wifi. To be fair, it wasn’t just Facebook that was affected, but if you’re logging into websites on an unencrypted public wifi, odds are your email accounts and everything else are at risk too.

That said, this seems like it will give naive users a false sense of security and not actually provide that much value for the effort involved by the app developers.

“Oh, this application must be safe – I’m using HTTPS, and the S stands for *secure*!”

Phishing, rogue apps and malware are already horrendous problems on social media websites, Facebook especially. I would much rather see Facebook (and others) improve their session handling before going in this direction. Reputable companies who are collecting any kind of PII are already running data submission over HTTPS, and non-reputable companies aren’t going to become more honest just by forcing them to encrypt the data they’re mining from your profile.
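To make the session-handling point concrete (the Firesheep problem described above, and the improvement asked for here), this is an added example, not code from the original post: a small audit of `Set-Cookie` headers that flags session cookies a browser would still send over plain HTTP. The cookie names, the `SESSION_HINTS` heuristic and the sample headers are assumptions constructed for illustration.

```python
"""Audit Set-Cookie headers for session cookies that can leak over plain HTTP."""

# Substrings treated as marking a session identifier: an assumption for this example.
SESSION_HINTS = ("sess", "sid", "auth", "token")


def parse_set_cookie(header):
    """Split one Set-Cookie header value into (name, value, attributes)."""
    first, *rest = [part.strip() for part in header.split(";")]
    name, _, value = first.partition("=")
    attrs = {}
    for part in rest:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs


def audit(headers, served_over_https):
    """Return a list of (cookie_name, finding) for risky session cookies."""
    findings = []
    for header in headers:
        name, _, attrs = parse_set_cookie(header)
        if not any(hint in name.lower() for hint in SESSION_HINTS):
            continue  # not a session cookie by our naming heuristic
        if not served_over_https:
            findings.append((name, "set over plain HTTP: visible on the network"))
            continue
        if "secure" not in attrs:
            findings.append((name, "no Secure flag: browser also sends it over HTTP"))
        if "httponly" not in attrs:
            findings.append((name, "no HttpOnly flag: readable by page scripts"))
    return findings


# Constructed sample responses, not captured from any real site.
LOGIN_RESPONSE = ["session_id=3f9a1c; Path=/", "lang=en; Path=/"]
HARDENED_RESPONSE = ["session_id=3f9a1c; Path=/; Secure; HttpOnly", "lang=en; Path=/"]

if __name__ == "__main__":
    for label, hdrs in (("weak", LOGIN_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, audit(hdrs, served_over_https=True))
```

The weak case is the one that matters on shared Wi-Fi: a login page served over HTTPS does not help if the session cookie it issues lacks `Secure` and is replayed on the next plain-HTTP request.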

The net result is a lot of extra work for developers and companies for not a lot of benefit to not a lot of users, with the side effect of confusing people into thinking that SSL = trustworthy, or that a non-SSL app is malicious and trying to eat their souls.

IMHO, the much bigger threat to Facebook users is their own poor judgment on what to click on. Social engineering rules social networks, and no amount of encryption is going to fix that. As the fabulous shirt from Jinx says, “there is no patch for human stupidity”.

Until people start being more critical of what they’re clicking on and what apps they’re allowing access to their profile, they’ve got a lot more to worry about than SSL. It’s the same false sense of security that users running antivirus programs often suffer from.

“I don’t need to worry about what I click on – I’m running antivirus! My virus definitions are up to date, so I am safe and protected and nothing can harm me.”

In 2008, Symantec had to write new virus signatures every 20 seconds to keep up with the onslaught of malware that was released. This was increased to every 8 seconds by 2009. [Source: Gray Hat Hacking: The Ethical Hacker’s Handbook, 3rd Edition]

To prove my point, I’ve created FB Profile Spy. It’s still a work in progress, but it’s a better-security-through-humiliation project, similar to my better-behavior-through-humiliation project socialmediadouchebag.net. It’s completely safe – and not even hooked up to the Facebook API at all (but of course please feel free to use NoScript and check it out thoroughly before interacting with the links. I have nothing to hide.) Click through and “allow” the “app”. I need to tighten up the JavaScript slideshow lecture at the end and I need to sync up the layout with the new profile design, but it’s coming along.

What do you think? Am I just being a whine-ass lazy developer? Am I being a slacker security pundit? Let me know in the comments.

  • http://www.autoprometrix.com Automotive marketing Guy

    Great post as always! I have a question for you, totally unrelated. Do you have an FAQ area or anything? Basically – I want to know if anyone else is having a problem with inviting people to “like” a business page. A long (like, really long) time ago I tried to suggest the page to my friends. I selected them, and continued on with my day. The problem is, the invites never went out, and now I cannot select those people to try to send them another message… Efing Facebook.. FBMHell indeed. Any suggestions Snipe?

    • http://www.snipe.net snipe

      Hrm. Crap. I don’t actually know. I’ve not heard of that happening before. Can you try sending them a regular message with the fan page as an attached link, instead of the invite functionality?

      • http://www.autoprometrix.com Automotive Marketing Guy

        Great suggestion. Totally weird. I was hoping other people were experiencing the same problem – that way it might actually get fixed. Oddly enough, I don’t think they consider me a priority lol. Thanks for your help :) .

        • http://www.snipe.net snipe

          Hrm… maybe this is related? http://www.insidefacebook.com/2011/01/28/removal-suggest-friends-pages/

          And don’t feel bad – they don’t consider me a priority either ;)

          • http://www.autoprometrix.com Automotive Marketing Guy

            Yes – That sounds about exactly right. Doesn’t surprise me. Thanks for the article, I appreciate it!

  • Jeanne68

    Love your article and yes this is becoming a nightmare for folks like me – I’m just a small time developer who happens to create Facebook fan page apps (basically mini sites via iframe) for small businesses. Now, I have the added headache of ensuring each mini app is hosted with a dedicated IP and SSL cert. Cost prohibitive to say the least – but if you don’t do it, chances are half your audience can’t see your app. We’re talking about mini sites mainly for restaurant owners and the like. As an example, check out https://www.facebook.com/goodlifecatering – that app is simply a way for the client to show off daily lunch specials, menus and reward their fans with a text coupon. There is no reason in the world it should require SSL.

    My “niche” business for custom Facebook fan pages is just taking off – I have 5 jobs right now waiting on me to figure out the landscape. My original hosting provider (1 and 1) couldn’t even provide SSL unless I upgrade to their virtual server package. I switched to HostGator, which does provide SSL with their business package – but I’m running these sites via WordPress multi-site with subdomains…which actually means I need a $400 cert and that only buys me 5 – anything over that is extra.

    I’m sure these amounts are chump change to big design companies – but for the freelance designer in rural Mississippi, it totally bites. And completely unnecessary.

    Blah!! ;-)

    • http://www.snipe.net snipe

      I hear ya. Are you the only one with access to the hosting server? If so, you might do something like ssl.yourdomain.com, get the SSL cert for that and handle everything else via subdirectory, like ssl.yourdomain.com/client1, ssl.yourdomain.com/client2, etc. It’s clunky, but it would save you the money for having multiple certs.

      I guess the part that chaps my ass here is that FB hasn’t yet made it clear what our risk is by not doing this. Is there a 0.04% HTTPS-Only adoption rate? Is it 10%? Or 30%? It becomes impossible to calculate losses if you can’t figure out what those numbers actually look like.

  • Jangla

    Good article. Facebook would have developers believe that setting up https is as easy as purchasing a certificate but that’s simply not the case. We have a suite of applications that are delivered from our domain and others; this, in conjunction with the complexity of what we’re doing on FB means we’ve so far spent 14 man days setting up https and we estimate another 7 at least – that’s a whole pile of cash for any company, let alone freelancers – and that’s before we factor in the actual cost of the cert itself.

    Facebook would also have users believe that:
        https == completely secure environment for them to go click mad with impunity 
    …when we all know that’s not the case.

    IMVHO this move by FB is nothing more than pandering to media hyperbole, will actually harm more users than it helps and in some cases will send smaller dev shops to the wall (or at least down other non-FB dev routes) as the cost of implementation is too prohibitive for them.