Secure vs. Regular connection

[navymich]

The newest copy and paste on FB is regarding secure connections:

While on Facebook, look at your URL address; if you see http: instead of https: then you don't have a secure session and you can be hacked. Go to Account|Account Settings|Account Security and click Change. Check at least the first setting, otherwise FB defaults to the non-secure setting. Copy and repost.

I looked at my settings and changed it to the secure.  Seemed simple enough to me.  Until I clicked on the link for AO and got this message:

Switch to regular connection (http)?
Sorry! We can't display this content while you're viewing Facebook over a secure connection (https).
To use this app, you'll need to switch to a regular connection (http).

So do I keep switching back and forth?  Am I safe to leave this on regular connection?  Or should I (*horrors*) give up AO?  btw, option 3 is not a real option!  ;D

 

[Mike Bobbitt]

Hi Mich,

I had that setting on briefly too... It's a great feature, but Facebook hasn't extended it to apps (any of them) yet. So as soon as you hit AO, Facebook asks you to turn it off again. It makes a certain amount of sense... Pages loaded by apps go from the app server to Facebook to you... and Facebook would only encrypt that last leg, so you'd have the illusion of security, which can sometimes be more dangerous than none at all. (You're less likely to be careful.)

I've actually been seriously thinking about getting an SSL certificate for Army.ca (this would allow secure HTTPS communication for us), but I don't think that would change things for the game.

 

[Occam]

I'll refrain from going into the technical details (Google "Firesheep", "HTTP sidejacking" if you want info), but this vulnerability is really only an issue when one is using an unsecured connection, such as a unsecured WiFi connection at a coffee shop.  Someone can grab your Facebook/Twitter login info quite easily using Firesheep if you both happen to be in the same coffeeshop and you're using HTTP instead of HTTPS.  There's a Firefox plugin called HTTPS Everywhere which automates the process of using HTTPS connections when available, but for reasons Mike described you won't be protected if you're using a Facebook app.

Reader's Digest Condensed Version:  If you're only accessing Facebook/Twitter from home on a wired or WPA2 secured wireless connection, you have nothing to worry about.

 

[navymich]

Thank you for the replies and easy answers guys (my at-home geek out talks me all the time!  lol).  Makes sense for sure and hopefully this will help if anyone else comes upon the same situation.

 

[Mike Bobbitt]

Sort of good news... I decided to look into it a bit more, and I was wrong in what I said above. Facebook now allows app developers to provide a 'regular' and a 'secure' link. If a secure link is provided, users can continue to use HTTPS with the app. I've done that, and in my testing it works.

Which is pretty cool, because I did not shell out $200/year for a certificate, I generated my own (untrusted) one. Normally that will generate all kinds of errors and warnings, but because Facebook is essentially the man-in-the-middle, they get the warnings and you get their (trusted) certificate.

So in short: It should work now, but please let me know if you have troubles.

Thanks for pointing it out Mich, points coming your way!