[HTTPS-Everywhere] Facebook HTTPS Issues

Drake, Brian brian2 at drakefamily.tk
Sun Dec 19 00:16:22 PST 2010


On Sat, Dec 18, 2010 at 1115 (UTC-8), Chris Palmer <chris at eff.org> wrote:
> On Dec 18, 2010, at 0818 (UTC-8), Drake, Brian wrote:
>
>> The main Facebook ruleset is, I assume, designed to not break anything
>> except chat.
>
> Actually, no, apps are known to be broken as well. As you discovered. :(

I thought that the intention was to move anything known to break apps
to the Facebook+ ruleset?

> I think it is worthwhile to add your voice to the chorus asking Facebook to use HTTPS throughout their site.

I have, in fact, joined several other users on one of the topics on
the official Facebook discussion board calling for Facebook to make
chat work over HTTPS. I have not seen any official response to this or
other topics on the same board.

Do they listen? Do they even realise that people discuss Facebook on
those discussion boards?

> Note that, of course, iframe-based apps load content from sites that other organizations operate, and there is nothing Facebook can do about that.

Actually, there is: the Facebook page containing those iframes could
be served from a domain that can’t access a session ID, or that can
only access a restricted session ID that only has the privileges
required to make the apps and ads work. The restricted session ID
could still be compromised, but it is much better than the ordinary
session ID being compromised.
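As an added illustration of the cookie-scoping idea in the message above (example code written for this page, not the poster's code and not a description of anything Facebook actually does): a small Python model of the RFC 6265 rules a browser uses to decide which cookies to attach to a request. The hostnames www.example.com and apps.example.com are constructed stand-ins for a main site and a separate domain that hosts the app iframes; the cookie names are likewise made up. The model shows the difference between one site-wide session cookie (sent in cleartext to the app-frame host, which is the exposure the thread is about) and a partitioned layout where the app-frame host only ever receives a restricted token.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Cookie:
    """Minimal cookie-jar entry (path handling omitted; all cookies assumed path=/)."""
    name: str
    value: str
    domain: str      # request host it was set from, or the Domain= attribute value
    host_only: bool  # True when the Set-Cookie carried no Domain attribute
    secure: bool     # Secure flag: attached only to https requests


def domain_match(request_host: str, cookie_domain: str) -> bool:
    """RFC 6265 section 5.1.3 domain matching (IP-address special case omitted)."""
    request_host = request_host.lower()
    cookie_domain = cookie_domain.lower()
    if request_host == cookie_domain:
        return True
    # Must be a whole-label suffix: "apps.example.com" matches "example.com",
    # "badexample.com" and "example.com.evil" do not.
    return request_host.endswith("." + cookie_domain)


def cookies_for(jar, scheme: str, host: str):
    """Names of the cookies a browser would attach to <scheme>://<host>/ (RFC 6265 section 5.4)."""
    sent = []
    for c in jar:
        if c.host_only:
            if host.lower() != c.domain.lower():
                continue
        elif not domain_match(host, c.domain):
            continue
        if c.secure and scheme != "https":
            continue
        sent.append(c.name)
    return sorted(sent)


# Constructed jar 1: one session cookie scoped to the whole registrable domain,
# without the Secure flag. Every subdomain, over http or https, receives it.
LEAKY_JAR = [
    Cookie("sid", "main-session", "example.com", host_only=False, secure=False),
]

# Constructed jar 2: the main session is host-only on the https site, and the
# host serving the app iframes gets its own restricted token instead.
PARTITIONED_JAR = [
    Cookie("sid", "main-session", "www.example.com", host_only=True, secure=True),
    Cookie("app_sid", "restricted-token", "apps.example.com", host_only=True, secure=False),
]


def exposure_report(jar):
    """Which cookie names reach each (scheme, host) pair; the http rows are what a sniffer sees."""
    requests = [
        ("https", "www.example.com"),
        ("http", "www.example.com"),
        ("http", "apps.example.com"),
    ]
    return {f"{scheme}://{host}": cookies_for(jar, scheme, host) for scheme, host in requests}


if __name__ == "__main__":
    for label, jar in (("leaky", LEAKY_JAR), ("partitioned", PARTITIONED_JAR)):
        print(label)
        for url, names in exposure_report(jar).items():
            print(f"  {url:<26} -> {names}")
```

The point of the partitioned jar is the http://apps.example.com row: the only cookie that can be captured on the wire there is the restricted token, and the main session cookie never leaves https://www.example.com. This models cookie attachment only; the server still has to make the restricted token useful for nothing beyond loading apps and ads.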
