Full Facebook SSL Support Question (Still) Met with (Fire)sheepish Grin
by , on 19 July 2011
Six months after the introduction of SSL support for browsing Facebook, sections of several major organizations' pages and the most popular applications on this platform still require users to switch to an insecure connection.
Considering that data safety and privacy protection have been hot topics on the agenda of Facebook page creators and app developers for quite a while, we were curious to see what impact a major security advance – namely the introduction of SSL support – has had so far.
Our findings? Quite troubling, we might say. Having analyzed the top 50 Facebook applications listed on appdata.com, we found that 30 of them completely lack SSL support. Moreover, a closer look at the top 50 most popular Facebook pages, as listed by AllFacebook.com, revealed that 17 of them have at least one tab which does not provide SSL support.
Brief History of SSL Support on Facebook
After the huge media buzz sparked off by the discovery that the Firesheep Firefox extension could hijack unencrypted sessions, on January 26, 2011, Facebook introduced the possibility for users to browse the social network over a secure connection whenever possible. This was an important step towards safer social network interactions, even if the option to enable SSL was not very visible to users and loading a non-SSL application forced them back to a non-secure connection. On April 19, 2011 Facebook further improved SSL support by introducing the automatic switch-back option, together with other interesting security features. In addition, the Facebook Platform Roadmap set October 1, 2011 as the deadline for SSL support in Canvas apps.
Current Stage of SSL Implementation
While Facebook has requested that page owners and app developers obtain an SSL certificate by October 1, 2011, at the moment many big names active on Facebook still do not have full SSL support. For instance, none of the popular Zynga games that we tested worked under a secure connection.
Fig. 1 CityVille players must turn off secure browsing before entering the game
Also, many of the top pages do not yet seem to support SSL in all of their tabs.
Top Pages that have at least one tab without SSL Support
| Page Owner/Name | Page Users |
| | 41,671,833 |
| | 32,297,560 |
| | 32,982,053 |
| | 31,949,681 |
| | 30,941,973 |
| | 29,139,026 |
| | 28,520,103 |
| | 28,955,797 |
| | 25,546,805 |
| | 23,607,366 |
| | 22,703,080 |
| | 22,624,749 |
| | 22,434,269 |
| | 21,873,366 |
| | 20,203,302 |
| | 20,145,604 |
| | 19,847,596 |
Top pages source: allfacebook pages leaderboard
The Problem
When a user tries to access a tab or an application that does not have SSL support, he/she is prompted by Facebook to switch to a regular connection, as shown in the image below.
Fig. 2 Message prompting the user to turn off secure browsing while trying to access a specific tab on the organization's page
Having turned off secure browsing, if users then want to view other Facebook content that could be displayed over a secure connection, that content will be loaded over a regular connection unless they explicitly type https:// in the address bar. Users are switched back to secure mode automatically only once they have logged out.
Fig. 3 The enable/disable SSL option that informs users about the necessity to log back into their account for secure browsing to be re-enabled
This leaves users vulnerable to session hijacking on unprotected networks. In simple terms, with one click of the Firesheep extension, someone on the same open Wi-Fi network could log in to another person's Facebook account. That means free access to all of the private data within the respective account.
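The exposure described above comes down to a few checkable properties of an HTTP response: whether the page itself was served over TLS, whether the login cookie carries the Secure attribute (without it, the browser attaches the cookie to any http:// request, which is exactly what a "turn off secure browsing" switch triggers), and whether the site sends an HSTS header so later plain-HTTP navigations get upgraded. The following audit script is an added example written for this article, not code from the original post or from Facebook; the cookie names, the session-name heuristics and the two sample responses are constructed for illustration.

```python
"""Audit a captured HTTP response for the conditions that make Firesheep-style
session hijacking possible: a session cookie the browser will send over plain
HTTP, a page served without TLS, and a missing HSTS header.

All names and the two sample responses below are constructed for this example;
they are not Facebook's real cookie names or headers.
"""
from dataclasses import dataclass

# Substrings that suggest a cookie carries a login session (assumption: a
# site-specific audit would list its real session cookie names instead).
SESSION_NAME_HINTS = ("sess", "sid", "auth", "token", "login")


@dataclass
class CookieReport:
    name: str
    secure: bool            # Secure attribute present -> never sent over http://
    httponly: bool          # HttpOnly attribute present -> not readable by scripts
    looks_like_session: bool


def parse_set_cookie(header_value: str):
    """Split one Set-Cookie value into (cookie name, {attribute: value}).
    Attribute names are lower-cased; flag attributes map to an empty string."""
    parts = [p.strip() for p in header_value.split(";") if p.strip()]
    name, _, _ = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    return name.strip(), attrs


def audit_response(scheme: str, headers):
    """Return {'cookies': [CookieReport], 'findings': [str]} for one response.

    scheme  -- 'http' or 'https', the scheme the response was fetched over
    headers -- list of (header-name, value) pairs, in received order
    """
    cookies, findings, hsts = [], [], False
    for hname, hvalue in headers:
        lname = hname.lower()
        if lname == "set-cookie":
            name, attrs = parse_set_cookie(hvalue)
            cookies.append(CookieReport(
                name=name,
                secure="secure" in attrs,
                httponly="httponly" in attrs,
                looks_like_session=any(h in name.lower() for h in SESSION_NAME_HINTS),
            ))
        elif lname == "strict-transport-security":
            hsts = True

    if scheme != "https":
        findings.append("response delivered over plain HTTP: headers, cookies "
                        "and body are readable by anyone on the same network")
    for c in cookies:
        if c.looks_like_session and not c.secure:
            findings.append(f"session cookie {c.name!r} lacks Secure: the browser "
                            "will attach it to any http:// request, so a single "
                            "insecure tab or app load exposes the login")
        if c.looks_like_session and not c.httponly:
            findings.append(f"session cookie {c.name!r} lacks HttpOnly: "
                            "page scripts can read it")
    if scheme == "https" and not hsts:
        findings.append("no Strict-Transport-Security header: later http:// "
                        "navigations are not upgraded to https://")
    return {"cookies": cookies, "findings": findings}


# Constructed sample 1: the situation after a user is told to turn secure
# browsing off; the session cookie is HttpOnly but not Secure.
PLAINTEXT_RESPONSE = ("http", [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "sessionid=0123456789abcdef; Path=/; HttpOnly"),
    ("Set-Cookie", "lang=en; Path=/"),
])

# Constructed sample 2: the hardened equivalent of the same response.
HARDENED_RESPONSE = ("https", [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "sessionid=0123456789abcdef; Path=/; Secure; HttpOnly"),
    ("Set-Cookie", "lang=en; Path=/"),
    ("Strict-Transport-Security", "max-age=31536000"),
])


if __name__ == "__main__":
    for label, (scheme, headers) in (("plaintext", PLAINTEXT_RESPONSE),
                                     ("hardened", HARDENED_RESPONSE)):
        report = audit_response(scheme, headers)
        print(f"{label}: {len(report['findings'])} finding(s)")
        for finding in report["findings"]:
            print("  -", finding)
```

Run against the first sample the script reports two findings (plain HTTP delivery and a session cookie without Secure); against the hardened sample it reports none. The Secure flag is the property that matters most for the scenario in this article: with it set, even a forced switch to a non-SSL tab would not carry the login cookie over the wire.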
How many users are exposed?
All the pages that we have analyzed have more than 15 million users. We are talking here about the fan pages of major players such as YouTube, Coca-Cola or Justin Bieber. With the most used applications, exposure is even higher; for example, CityVille, the most popular Zynga game on Facebook, has more than 83 million active users. What may cause even greater concern is that, according to data provided by Facebook in May 2011, only 9.6 million users, that is less than 2% of the entire Facebook tribe, use an SSL connection.
Conclusions
Though the Platform Roadmap set October 1, 2011 as the deadline for all Canvas apps to have an SSL certificate, Facebook should enforce SSL support for pages and apps with a very high number of users as soon as possible. Even if Facebook has made a lot of progress in implementing SSL, most users still do not resort to secure browsing and even the most popular pages do not offer full SSL support. The low adoption rate of SSL may be caused by users not being aware of the advantages of a secure connection, and by the fact that the option is not visible and is not enabled by default. Unless the SSL option is enabled by default or given more visibility by being placed in another area of the main page, it is difficult to believe that its adoption rate will increase, even after the official deadline by which all third parties should support a secure connection.
This proves that, so many months after the SSL alarm bell first rang, Firesheep may still be an important threat to Facebook users.
All product and company names mentioned herein are for identification purposes only and are the property of, and may be trademarks of, their respective owners.
On Jul.19.2011 11:34
Mincu Matei said
Excellent work! Congratulations!
On Jul.19.2011 20:00
Veronica Williams said
I am investigating security as a whole. Is it possible we are fighting security from the wrong end of the gun? In general our protocols, standards, rules in general all leave security to be fought by our house pets, not the strategic forces required to defend anything.
On Sep.20.2011 23:55
Rick Kirschbrown said
Anyone can add an SSL Certificate to their Facebook Fan Page ... takes less than an hour ... we've written a 26 page eBook that describes the process step-by-step ... free download, no optin, email or Like required ... here's the link: http://bit.ly/nCbInn ... enjoy ...
On Sep.26.2011 14:35
pops said
@Rick.......You're funny.
On Nov.14.2011 05:46
Synthetic Urine said
If you use Firefox, download HTTPS Everywhere from eff.org and also grab ADBlock and you'll have FULL SSL Support in Facebook. Once installed you'll need to enable Facebook from HTTPS Everywhere, as it's not turned on by default.