Facebook is still insecure
I've run into this shocking error message from my browser several times last week:
As the good paranoid that I am, the first things I thought were:
- I got into a Rogue Access Point
- They did a Man-In-The-Middle with a fake certificate
- I've been surfing for 10 minutes until I saw the error, so there's a big chance somebody has seen my activity
- FUUUUUUU (for those of you not familiar with the meme, see it here)
Desperate, I compared the gateway's MAC against my Access Point's MAC (to which I have physical access, so I could read the MAC address directly from the device) and everything matched. So I thought "ok, they did their job and ran away". Then I started checking connection logs and more, and everything indicated that I'd never connected to any hotspot other than my own wireless network. I sat and wondered WHAT could have happened... without an answer.
Until I thought about checking the browser error in detail:
(The image shows that although an HTTPS session has been established, some of the content is being transferred in plain text)
It turns out that, despite the false sense of security given by browsing the social network over HTTPS, there are still some insecure components that slip out through the side door. This is to be expected, since webmasters organize the site so that content without personal value (such as ads, generic site images, etc.) is transmitted in plain text, to reduce the overhead at the server of establishing a secure channel.
Since I already had my hands in the cookie jar, I decided to analyze which specific content was transmitted in plain text, so I checked the site's source code, and to my great surprise I ran into the following:
External links were transmitted to the user in plain text. WHY?? This is not necessary!!
I understand that the user will eventually end up browsing in plain text through external links (since not every site offers HTTPS), but at least inside Facebook they could be kept encrypted.
This is how it should be:
Facebook should obtain the insecure content from the original server and embed it inside its SSL channel.
However, this is what's actually happening:
The user is being fooled into thinking that all of his/her content is being transmitted securely. However, Facebook, in order to avoid resource consumption on its servers, allows an important security hole.
So I recommend you be careful with the information you handle through Facebook, even if you see HTTPS in the address bar. And when you see an error message in your browser, read it in detail.
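The yellow-triangle warning described above is what browsers raise for "mixed content": an HTTPS page that references subresources over plain HTTP. The following scanner is an added example, not code from the original post or from Facebook; it parses a page the way a defender would when auditing a site, separates executed resources (scripts, stylesheets, frames) from passive ones (images, media) and from plain-HTTP anchor links, and shows the rewrite the post proposes, fetching the insecure resource through the site's own SSL channel. The sample HTML, the hostnames and the `/https-proxy?u=` endpoint are all constructed assumptions.

```python
"""Mixed-content scanner for an HTTPS page (added example, not the post's code).

The sample page, its hostnames and the proxy endpoint are constructed for
illustration; nothing here is taken from a real site.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit, quote

# Resources the browser executes or that can alter the page: "active" mixed
# content (modern browsers block these). Images and media are "passive".
ACTIVE = {"script": "src", "iframe": "src", "object": "data", "embed": "src"}
PASSIVE = {"img": "src", "audio": "src", "video": "src", "source": "src"}


class MixedContentParser(HTMLParser):
    """Collect every http:// reference found in an https:// page."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.active, self.passive, self.links = [], [], []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag in ACTIVE:
            self._check(attrs.get(ACTIVE[tag]), self.active)
        elif tag == "link" and "stylesheet" in (attrs.get("rel") or "").lower():
            self._check(attrs.get("href"), self.active)  # CSS is executed too
        elif tag in PASSIVE:
            self._check(attrs.get(PASSIVE[tag]), self.passive)
        elif tag == "a":
            self._check(attrs.get("href"), self.links)  # navigation, not a fetch

    def _check(self, ref, bucket):
        if not ref:
            return
        # Resolve relative and protocol-relative ("//host/x.js") references
        # against the page URL so they inherit https and are not flagged.
        url = urljoin(self.page_url, ref)
        if urlsplit(url).scheme == "http":
            bucket.append(url)


def find_mixed_content(html, page_url):
    """Return (active, passive, links): plain-HTTP URLs referenced by the page."""
    parser = MixedContentParser(page_url)
    parser.feed(html)
    parser.close()
    return parser.active, parser.passive, parser.links


def proxied(url, proxy_prefix="https://social.example/https-proxy?u="):
    """Rewrite a plain-HTTP resource URL so the browser fetches it through a
    hypothetical HTTPS proxy endpoint on the site's own origin: the server
    retrieves the insecure content and embeds it inside its SSL channel."""
    return proxy_prefix + quote(url, safe="")


# Constructed sample: an HTTPS page that still references plain-HTTP content.
SAMPLE_PAGE_URL = "https://social.example/home"
SAMPLE_HTML = """
<html><head>
  <script src="http://static.social.example/app.js"></script>
  <link rel="stylesheet" href="//static.social.example/site.css">
</head><body>
  <img src="http://static.social.example/logo.png">
  <img src="/images/avatar.png">
  <a href="http://news.example/story">external story</a>
  <a href="https://social.example/profile">my profile</a>
</body></html>
"""

if __name__ == "__main__":
    active, passive, links = find_mixed_content(SAMPLE_HTML, SAMPLE_PAGE_URL)
    for label, urls in (("active", active), ("passive", passive), ("links", links)):
        for u in urls:
            print(f"{label:8s} {u}")
    for u in active + passive:
        print("rewrite ->", proxied(u))
```

Run against the sample, the scanner flags `app.js` as active and `logo.png` as passive mixed content, while the protocol-relative stylesheet and the site-relative avatar are correctly left alone; the external anchor is reported separately, since a link only becomes plain text once the user follows it.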
Bye!
April 19th, 2011 - 16:19
Not to mention how badly Facebook works over HTTPS. I got fed up with not being able to log in many times because the SSL works backwards and ends up kicking you out with a timeout. Although Twitter works a bit better over HTTPS.
April 19th, 2011 - 16:51
Matutin, thanks for writing
It's true, it works badly. Probably because of the overhead issue I mentioned in the post. But still, I'd rather have it work badly than be insecure.
Twitter is still working fine over HTTPS, it's true.
Regards!
April 23rd, 2011 - 21:13
Do you sell .com.ar domains? efectoplacebo.com.ar .. isn't it illegal to sell a domain whose registration is free?
April 24th, 2011 - 01:24
Marcelo,
Even though the domains are handed out for free, once you acquire one it becomes a patrimonial asset and, like any asset, it can be sold legally.
In any case, this domain is not for sale.
Regards, thanks for writing
April 28th, 2011 - 12:37
Based on this, could one think that Facebook's data centers can no longer keep up, and that they are applying this measure to avoid resource consumption on their servers??? ... Although clearly, it isn't justified, because from the security standpoint it is wrong.
May 1st, 2011 - 14:58
Gustavo,
It's possible, I wouldn't take that doubt off the table. Which makes no sense from a commercial point of view....
Regards, thanks for writing!
May 17th, 2011 - 00:49
Hi Matias, very good info. I've been enabling HTTPS on Facebook and Twitter and I got wondering, do you know if it can be enabled on LinkedIn? I looked for the option on the site and on Google and couldn't find it. Regards from another paranoid
May 19th, 2011 - 13:30
rsavo,
On LinkedIn it can't be done for now (as far as I know). We'll have to wait!
Regards, thanks for writing
August 3rd, 2011 - 20:18
Hi Matias, do you think it's insecure enough to close your Facebook account? Or just to be careful with the data you handle? Quite often I see https:// but instead of green it has a yellow triangle. What does that mean? Is it dangerous?
August 5th, 2011 - 17:42
Nicolas, the yellow triangle is exactly this problem. Part of the content travels in plain text. It's not a reason to close Facebook, but to use it only on secure networks
Regards!