Bitdefender Blog

Full Facebook SSL Support Question (Still) Met with (Fire)sheepish Grin

19 July 2011

Six months after the introduction of SSL support for browsing Facebook, sections of several major organizations' pages and most of the platform's most popular applications still require users to switch to an unsecured connection.

Considering that data safety and privacy protection have been hot topics on the agenda of Facebook page creators and app developers for quite a while, we were curious to see what impact a major security advance – namely the introduction of SSL support – has had so far.

Our findings? Quite troubling, we might say. Having analyzed the top 50 Facebook applications listed on appdata.com, we found that 30 of them completely lack SSL support. Moreover, a closer look at the top 50 most popular Facebook pages, as listed by AllFacebook.com, revealed that 17 of them have at least one tab which does not provide SSL support.

Brief History of SSL Support on Facebook

After the huge media buzz sparked by the discovery that the Firesheep Firefox extension could hijack unencrypted sessions, on January 26, 2011, Facebook decided to give users the option of browsing the social network over a secure connection whenever possible. This was an important step towards safer social network interactions, even if the SSL enabling option was not very visible to users and loading a non-SSL application forced them to switch back to a non-secure connection. On April 19, 2011 Facebook further improved SSL support by introducing the automatic switch-back option, together with other interesting security features. In addition, the Facebook Platform Roadmap set October 1, 2011 as the deadline for SSL support in Canvas apps.

Current Stage of SSL Implementation

While Facebook has requested that page owners and app developers obtain an SSL certificate by October 1, 2011, at the moment many big names that are active on Facebook still do not have full SSL support. For instance, none of the popular Zynga games that we tested worked under a secure connection.

Fig 1. CityVille players must turn off secure browsing before entering the game

Also, many of the top pages do not yet seem to support SSL in all of their tabs.

Top Pages that have at least one tab without SSL Support

Page Owner/Name       Page Users
YouTube               41,671,833
CocaCola              32,297,560
Justin Bieber         32,982,053
The Simpsons          31,949,681
Cristiano Ronaldo     30,941,973
Harry Potter          29,139,026
Bob Marley            28,520,103
Lil Wayne             28,955,797
Sponge Bob            25,546,805
The Twilight Saga     23,607,366
Selena Gomez          22,703,080
Usher                 22,624,749
Black Eyed Peas       22,434,269
David Guetta          21,873,366
Enrique Iglesias      20,203,302
Avatar (The movie)    20,145,604
The Beatles           19,847,596

Top pages source: AllFacebook pages leaderboard

The Problem

When a user tries to access a tab or an application that does not have SSL support, he/she is prompted by Facebook to switch to a regular connection, as shown in the image below.


Fig 2. Message prompting the user to turn off secure browsing while trying to access a specific tab on the organization’s page

Having turned off secure browsing, if users then want to view other Facebook content that could be displayed over a secure connection, that content will still be loaded over a regular connection unless they explicitly type https:// in the address bar. Users are switched back to secure mode automatically only after they have logged out.


Fig. 3 The enable/disable SSL option that informs users about the necessity to log back into their account for secure browsing to be re-enabled

This makes users vulnerable to session hijacking on unprotected networks. In simple terms, using the Firesheep extension, someone could, with one click, log in to the Facebook account of a person using an open Wi-Fi connection. This means free access to all of the private data within the respective account.
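The downgrade described above is dangerous because of three things a defender can check on a captured response: a redirect back to plain http, no HSTS header on the https side, and a session cookie without the Secure/HttpOnly attributes, which a browser will happily resend in clear on the next http request. The following audit function is an added example, not code from the Bitdefender post; the hosts and headers are constructed.

```python
# Added example (not from the Bitdefender post): audit a captured HTTP
# response for the conditions that make the forced switch to http dangerous.
# The response samples are constructed; no real Facebook traffic is used.
from urllib.parse import urlsplit

def parse_set_cookie(headers):
    """Map cookie name -> {'secure': bool, 'httponly': bool} from Set-Cookie headers."""
    cookies = {}
    for name, value in headers:
        if name.lower() != "set-cookie":
            continue
        parts = [p.strip() for p in value.split(";")]
        cookie_name = parts[0].split("=", 1)[0]
        attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
        cookies[cookie_name] = {"secure": "secure" in attrs, "httponly": "httponly" in attrs}
    return cookies

def audit_response(url, status, headers):
    """Return the findings for one response (empty list means nothing to report)."""
    findings = []
    lower = {k.lower(): v for k, v in headers}
    is_https = urlsplit(url).scheme == "https"
    if not is_https:
        findings.append("served over plain http")
    location = lower.get("location", "")
    if status in (301, 302, 303, 307) and urlsplit(location).scheme == "http":
        findings.append("redirects to http: " + location)
    if is_https and "strict-transport-security" not in lower:
        findings.append("no Strict-Transport-Security header")
    for cname, attrs in parse_set_cookie(headers).items():
        if not attrs["secure"]:
            findings.append(f"cookie {cname} lacks Secure")
        if not attrs["httponly"]:
            findings.append(f"cookie {cname} lacks HttpOnly")
    return findings

# Constructed samples on hypothetical hosts: a canvas app that forces the
# switch back to http, and a page that keeps the session on https.
SAMPLES = {
    "canvas_app": ("https://apps.example.com/game/", 302, [
        ("Location", "http://apps.example.com/game/"),
        ("Set-Cookie", "sid=abc123; Path=/"),
    ]),
    "secure_page": ("https://www.example.com/page/", 200, [
        ("Strict-Transport-Security", "max-age=31536000"),
        ("Set-Cookie", "sid=abc123; Path=/; Secure; HttpOnly"),
    ]),
}
```

Running `audit_response(*SAMPLES["canvas_app"])` reports the http redirect, the missing HSTS header and the unprotected cookie, while the secure page returns no findings.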

How many users are exposed?

All the pages that we analyzed have more than 15 million users. We are talking here about the fan pages of major players such as YouTube, Coca Cola or Justin Bieber. With the most used applications, exposure is even higher; for example, CityVille, the most popular Zynga game on Facebook, has more than 83 million active users. What may cause even greater concern is that, according to data provided by Facebook in May 2011, only 9.6 million users, that is less than 2% of the entire Facebook tribe, use an SSL connection.

Conclusions

Though the Platform Roadmap set October 1, 2011 as the deadline for all Canvas apps to have an SSL certificate, Facebook should enforce SSL support for pages and apps with a very high number of users as soon as possible. Even if Facebook has made a lot of progress in implementing SSL, most users still don't resort to secure browsing and even the most popular pages do not offer full SSL support. The low adoption rate of SSL may be caused by users not being aware of the advantages of a secure connection, and by the fact that this option is not visible and not enabled by default. Unless the SSL option is enabled by default or given more visibility by being placed in another area of the main page, it is difficult to believe that its adoption rate will increase, even after the official deadline by which all third parties should support a secure connection.

This proves that, after so many months since the SSL alarm bell first rang, Firesheep may still be an important threat for Facebook users.

All product and company names mentioned herein are for identification purposes only and are the property of, and may be trademarks of, their respective owners.

On Jul.19.2011 11:34

Mincu Matei said

Excellent work! Congratulations!

On Jul.19.2011 20:00

Veronica Williams said

I am investigating security as a whole. Is it possible we are fighting security from the wrong end of the gun? In general our protocols, standards, rules in general all leave security to be fought by our house pets, not the strategic forces required to defend anything.

On Sep.20.2011 23:55

Rick Kirschbrown said

Anyone can add an SSL Certificate to their Facebook Fan Page ... takes less than an hour ... we've written a 26 page eBook that describes the process step-by-step ... free download, no optin, email or Like required ... here's the link: http://bit.ly/nCbInn ... enjoy ...

On Sep.26.2011 14:35

pops said

@Rick.......You're funny.

On Nov.14.2011 05:46

Synthetic Urine said

If you use Firefox, download HTTPS Everywhere from eff.org and also grab ADBlock and you'll have FULL SSL Support in Facebook. Once installed you'll need to enable Facebook from HTTPS Everywhere, as it's not turned on by default.
