Facebook and HTTPS

Roughly two weeks ago I came across an article at /dev/random reporting that a malicious JavaScript had been injected into Facebook pages by a Tunisian ISP to capture users' user names and passwords: http://blog.rootshell.be/2011/01/13/tunisia-tracks-users-with-javascript-injection/
Even if you were only proxying through Tunisia, there was a chance that your credentials were stolen. Today I woke up to read about how Facebook dealt with the problem, and guess what they used: HTTPS 🙂 http://www.theatlantic.com/technology/archive/2011/01/the-inside-story-of-how-facebook-responded-to-tunisian-hacks/70044
The Register also confirmed this: http://www.theregister.co.uk/2011/01/25/tunisia_facebook_password_slurping/
The question I always ask myself is why Facebook directs people to log in on its HTTP site when it has an HTTPS site where the communication is encrypted. Even after the release of powerful tools such as WifiZoo and Firesheep, which can intercept HTTP traffic with ease, why is a site with more than ~600 million accounts still waiting to make HTTPS the default login page?
To avoid these issues, I always use a Mozilla Firefox plugin, HTTPS Everywhere, to force redirection to HTTPS. There is another Firefox plugin called Force-TLS that does the same thing. So do the bright thing: use HTTPS.
But even with HTTPS, be careful: tools such as SSLstrip can be used in a man-in-the-middle attack to strip the SSL out of the traffic, so a page that should have been HTTPS quietly arrives as plain HTTP. http://www.securitytube.net/Stripping-SSL-and-Sniffing-HTTPS-using-SSLstrip-video.aspx
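As an added illustration (my own example, not code from this post, from HTTPS Everywhere or from Force-TLS), the snippet below shows the two client-side checks those plugins perform: upgrading http:// URLs to https:// for a list of hosts before the request is sent, and refusing to submit credentials when either the page or the login form's action has been downgraded to HTTP, which is exactly what an SSLstrip-style downgrade leaves behind. The host list and the sample URLs are constructed for the example.

```python
from urllib.parse import urlsplit, urlunsplit, urljoin

# Hosts for which http:// is always rewritten to https:// before a request is
# made (an HTTPS Everywhere-style ruleset; this list is a constructed example).
FORCE_HTTPS_HOSTS = {"facebook.com", "www.facebook.com", "login.facebook.com"}


def upgrade_to_https(url: str) -> str:
    """Rewrite an http:// URL to https:// when its host is on the force list.

    Other hosts and already-https URLs are returned unchanged; an explicit
    non-default port is preserved so the rewrite does not break the request.
    """
    parts = urlsplit(url)
    host = parts.hostname or ""
    if parts.scheme != "http" or host not in FORCE_HTTPS_HOSTS:
        return url
    netloc = host if parts.port in (None, 80) else f"{host}:{parts.port}"
    return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))


def credential_post_is_safe(page_url: str, form_action: str) -> bool:
    """Only allow a login form when BOTH the page and the resolved action are HTTPS.

    An HTTP page cannot be trusted even if its form posts to https://, because a
    man in the middle could have edited the page; and an HTTPS page whose form
    posts to http:// would send the password in the clear.
    """
    page = urlsplit(page_url)
    action = urlsplit(urljoin(page_url, form_action))
    return page.scheme == "https" and action.scheme == "https"


def check_login_flow(page_url: str, form_action: str) -> str:
    """Summarise what a forcing plugin would do for one login page."""
    upgraded = upgrade_to_https(page_url)
    if upgraded != page_url:
        return f"rewritten: {page_url} -> {upgraded}"
    if credential_post_is_safe(page_url, form_action):
        return "ok: credentials stay on HTTPS"
    return "blocked: page or form action downgraded to HTTP"


if __name__ == "__main__":
    # Constructed sample: a login page delivered over plain HTTP (as after SSLstrip).
    print(check_login_flow("http://www.facebook.com/login.php", "/login.php"))
    print(check_login_flow("https://www.facebook.com/", "/login.php"))
    print(check_login_flow("https://www.facebook.com/", "http://www.facebook.com/login.php"))
```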