Wednesday, 2 February 2011

HTTPS & Facebook

Although it hasn't yet reached my account, Facebook have announced that they will soon be enabling HTTPS for all communications with the site, not just when you send your password. This is a bit of a privacy win and should let us better protect our personal data. Most of the data we share on Facebook is private, in the sense that we share it with our friends rather than the world at large, and Facebook is one of those online venues where people organise themselves, so the lack of HTTPS has led to some unfortunate security lapses. For example, with the collusion of an ISP, the Tunisian government were able to disrupt protests by inserting malicious JavaScript into users' pages after authentication and subsequently deleting accounts and censoring critical pages. Even if you are not planning protests that might overthrow a government, the idea that a third party can interfere with your private communications should give us sufficient pause to want to make use of this facility. This is especially true if you are logging in from public terminals or over wifi.

Over the last few months there have been a number of reminders of how easy such session hijacking is to achieve. Firesheep, a Firefox extension, showed how easy it was to hijack a Facebook session, while idiocy.py demonstrated how, in 129 lines of code, you can automatically hijack somebody else's Twitter account and post your own tweets as them.

Which brings me almost full circle: HTTPS Everywhere is a Firefox extension that I have been using for a few months to make Firefox default to HTTPS wherever a site supports it. It is a tool that just works and a necessary step along the path to a secure-by-default internet.
