Re: [Good] Facebook educate their users about how to be safe, [Bad] doesn’t use https by default


Jan-Christoph Borchardt

Jun 21, 2012, 1:18:42 PM
to to...@googlegroups.com
These user-facing safety tips are cool and all, but apparently
Facebook still doesn’t use https – you have to enable »safe browsing«.
For a communication platform this big that’s downright irresponsible.
Sure, many people might read those tips (and forget them also) but it
seems like a pacifier compared to no https and tracking and all that.

(Right, by the way – what about storing info/passwords not encrypted,
that should be a data point right?)


On Thu, Jun 21, 2012 at 2:59 AM, Michiel de Jong <mic...@unhosted.org> wrote:
> i just got prompted by facebook (during normal use) to 'read these
> security tips' http://www.facebook.com/about/security?mp=2
>
> I've seen several other websites do this (airbnb, wg-gesucht, tuenti,
> ing bank, gmail), and for some services it's more relevant than for
> others, but i think it's important from a consumer rights point of
> view that a service takes reasonable efforts to make the service safer
> to use for consumers.
>
> even if the service is aimed at tech savvy users, it should at the
> very least warn people when they choose a weak password (the little
> strength meter), and if there is valuable data, two-factor passwords,
> https, and other security measures should be a consumer right i think.
>
> if a service puts users at risk of oversharing (no, i won't shut up
> about it ;) or scams, i would say it is the duty of the service to
> warn about this.
>
> of course more "be safer online" education is needed if a service is
> aimed at non-technical people and especially minors.
>
> so i think facebook did not do this very well in the past, but is
> doing a good job at it now.
>

Michiel de Jong

Jun 22, 2012, 3:04:35 AM
to to...@googlegroups.com
On Thu, Jun 21, 2012 at 7:18 PM, Jan-Christoph Borchardt
<h...@jancborchardt.net> wrote:
> These user-facing safety tips are cool and all, but apparently
> Facebook still doesn’t use https – you have to enable »safe browsing«.
> For a communication platform this big that’s downright irresponsible.
> Sure, many people might read those tips (and forget them also) but it
> seems like a pacifier compared to no https and tracking and all that.
>

about the https issue, here's their statement from 18 months ago:

"There are a few things you should keep in mind before deciding to
enable HTTPS. Encrypted pages take longer to load, so you may notice
that Facebook is slower using HTTPS. In addition, some Facebook
features, including many third-party applications, are not currently
supported in HTTPS. We'll be working hard to resolve these remaining
issues. We are rolling this out slowly over the next few weeks, but
you will be able to turn this feature on in your Account Settings
soon. We hope to offer HTTPS as a default whenever you are using
Facebook sometime in the future."

http://www.facebook.com/blog/blog.php?post=486790652130

that post also mentions the 'faces of your friends' feature, which i
think is really original.

anyway, 18 months is a long time. i found this article as well from
May 2011, saying third-party content would be required to use https by
October 2011, and facebook would be 100% https by the end of 2011 (this
evidently didn't happen)

http://news.softpedia.com/news/Facebook-to-Have-Default-HTTPS-by-the-End-of-the-Year-Hopefully-202070.shtml
http://news.softpedia.com/news/Softpedia-Exclusive-Interview-Facebook-Chief-Security-Officer-Joe-Sullivan-201935.shtml
http://developers.facebook.com/blog/post/497/

after that, i can find no further trail.

of the services that have been rated so far, when i visit the
following pages (this may depend on my specific account there and
whether i'm logged in or not; also, it's not equally relevant for all
services, and their flagship .com website may not even be part of
their main service, but still...), i get https:

- diaspora
- dropbox
- flattr
- foursquare
- loopt
- gmail
- google search
- paypal
- spideroak
- twitter

when i visit the following pages, i get no https:

- amazon (! - this changes once you click 'checkout', but still, the
information of what you are browsing and buying is not protected from
MitM attacks there)
- apple
- at&t
- comcast
- delicious
- duckduckgo
- facebook (even while logged in!)
- identi.ca (even while logged in!)
- linkedin (even while logged in!)
- microsoft
- myspace
- openstreetmap
- seenthis (sorry, Hugo! :)
- skype (although their p2p protocol is encrypted. having said that,
being on skype means you can be tracked geographically by anyone who
knows your skype handle, we should actually make that a separate data
point!)
- sonic
- verizon
- wikipedia (not sure what to think of that)
- wordpress
- yahoo

last weekend, i saw the most striking example of a non-https site:
http://www.citybikewien.at/ requires you to put in your creditcard
details over a non-https connection (even though the post is https,
details over a non-http connection (even though the post is https,
this is still an exploitable vulnerability). the awesome bike scheme
of Vienna is worth it, and in the end, the credit card company and not
the consumer will pay for creditcard fraud, but still, it's obviously
laughably unacceptable. :)


> (Right, by the way – what about storing info/passwords not encrypted,
> that should be a data point right?)

you are referring to linkedin? it's hard to track this, but yeah.
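The https-or-not list above is a manual crawl: type the http and https URL of each service and see where you land, and the citybikewien case shows the one extra check that matters for forms. Below is an added example (not code from the thread or from any of the services named in it) that models that crawl offline. The hostnames a.example, b.example, c.example, the FAKE_WEB fixture and the function names classify_site, follow_redirects and form_is_protected are all constructed for this illustration; nothing here touches the network.

```python
"""Offline model of the "do I get https?" check discussed in the thread.

All responses come from a constructed fixture; hostnames and helper names are
invented for this example and are not taken from the thread.
"""
from urllib.parse import urljoin, urlsplit

# Constructed fixture: a tiny fake web keyed by absolute URL.
# Each entry is (status_code, headers). Hostnames are hypothetical.
FAKE_WEB = {
    # Site A: plain http redirects to https and sets HSTS: https by default.
    "http://a.example/": (301, {"Location": "https://a.example/"}),
    "https://a.example/": (200, {"Strict-Transport-Security": "max-age=31536000"}),
    # Site B: https works if you type it yourself, but http serves the page in the clear.
    "http://b.example/": (200, {}),
    "https://b.example/": (200, {}),
    # Site C: https actively bounces you back to http.
    "http://c.example/": (200, {}),
    "https://c.example/": (302, {"Location": "http://c.example/"}),
}

REDIRECT_CODES = (301, 302, 303, 307, 308)


def fetch(url, web=FAKE_WEB):
    """Look a URL up in the fake web; an unknown URL behaves like a failed connection."""
    return web.get(url, (None, {}))


def follow_redirects(url, web=FAKE_WEB, limit=5):
    """Return (final_url, status, headers) after following Location headers."""
    for _ in range(limit):
        status, headers = fetch(url, web)
        if status in REDIRECT_CODES and "Location" in headers:
            url = urljoin(url, headers["Location"])
            continue
        return url, status, headers
    raise RuntimeError("redirect loop at %s" % url)


def classify_site(host, web=FAKE_WEB):
    """Classify a host the way the thread's list does, plus whether HSTS is set."""
    final_http, status_http, _ = follow_redirects("http://%s/" % host, web)
    final_https, status_https, hdrs_https = follow_redirects("https://%s/" % host, web)
    if status_http == 200 and urlsplit(final_http).scheme == "https":
        hsts = "Strict-Transport-Security" in hdrs_https
        return "https-by-default" + (" (hsts)" if hsts else " (no hsts)")
    if status_https == 200 and urlsplit(final_https).scheme == "https":
        return "https-optional"
    return "no-https"


def form_is_protected(page_url, form_action):
    """A form is only protected if the page carrying it was itself fetched over https.

    An https action on an http page does not help: whoever can tamper with the
    http page can rewrite the action attribute before the browser ever submits.
    """
    page_scheme = urlsplit(page_url).scheme
    action_scheme = urlsplit(urljoin(page_url, form_action)).scheme
    return page_scheme == "https" and action_scheme == "https"


if __name__ == "__main__":
    for host in ("a.example", "b.example", "c.example"):
        print(host, classify_site(host))
    # The citybikewien pattern: http page, https form action.
    print(form_is_protected("http://bike.example/register", "https://pay.example/submit"))
```

Against a real site the fixture would be replaced by actual fetches; the classification logic stays the same, and the "https-optional" bucket is the one most of the "no https" entries in the list above would land in.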

Jan-Christoph Borchardt

Jun 22, 2012, 6:50:32 AM
to to...@googlegroups.com
Nice! Super good writeup. I basically just want to reply to one point

On Fri, Jun 22, 2012 at 12:04 AM, Michiel de Jong <mic...@unhosted.org> wrote:
>> (Right, by the way – what about storing info/passwords not encrypted,
>> that should be a data point right?)
>
> you are referring to linkedin? it's hard to track this, but yeah.

No, not specifically. Tracking this is pretty easy – when you reset
your password and you get it mailed in plaintext, they store it in
plaintext. I had that with a few services over the last years.
One of them I remember was jinni.com, a movie recommendation website.
Not sure if they still do it though.

Also, not sure if it’s current, but just found this about Newegg:
http://ashercodes.com/fyi-newegg-stores-your-password-as-plaintext

AND found a blog about this, pretty active and up to date!
http://plaintextoffenders.com/
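The test described above (if the reset mail contains your password, the service has it in a recoverable form) is easiest to see next to what a service that does not store the password looks like. The example below is added here and is not code from the thread or from any of the services it mentions; the class names PlaintextOffender and HashedStore, the user "alice", the password "hunter2" and the https://svc.example reset URL are all invented. No mail is sent; the "mailbox" is a plain list standing in for an outgoing mail queue.

```python
"""Added example: why a reset mail containing the password proves plaintext
(or reversible) storage, next to a store that cannot produce such a mail.
Names, users and passwords here are constructed for illustration.
"""
import hashlib
import hmac
import secrets
import time


class PlaintextOffender:
    """Models the services the thread complains about: the password is kept
    as-is, so "reset" can simply mail it back."""

    def __init__(self, mailbox):
        self.users = {}
        self.mailbox = mailbox  # constructed stand-in for an outgoing mail queue

    def register(self, user, password):
        self.users[user] = password

    def reset(self, user):
        self.mailbox.append((user, "Your password is: " + self.users[user]))

    def login(self, user, password):
        return self.users.get(user) == password


class HashedStore:
    """Keeps only a salted PBKDF2 hash, so the service could not mail the password
    back even if it wanted to; reset goes through a short-lived one-time token."""

    ITERATIONS = 100_000
    TOKEN_TTL = 15 * 60  # seconds a reset link stays valid

    def __init__(self, mailbox, now=time.time):
        self.users = {}
        self.tokens = {}
        self.mailbox = mailbox
        self.now = now  # injectable clock so expiry can be tested offline

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, HashedStore.ITERATIONS)

    def register(self, user, password):
        salt = secrets.token_bytes(16)
        self.users[user] = (salt, self._hash(password, salt))

    def login(self, user, password):
        rec = self.users.get(user)
        if rec is None:
            return False
        salt, digest = rec
        return hmac.compare_digest(digest, self._hash(password, salt))

    def request_reset(self, user):
        if user not in self.users:
            return  # stay silent so the form does not confirm which accounts exist
        token = secrets.token_urlsafe(32)
        # Only the hash of the token is stored: the token itself is the secret.
        key = hashlib.sha256(token.encode()).hexdigest()
        self.tokens[key] = (user, self.now() + self.TOKEN_TTL)
        self.mailbox.append((user, "Reset link: https://svc.example/reset?t=" + token))

    def complete_reset(self, token, new_password):
        key = hashlib.sha256(token.encode()).hexdigest()
        entry = self.tokens.pop(key, None)  # single use: gone after the first attempt
        if entry is None:
            return False
        user, expires = entry
        if self.now() > expires:
            return False
        self.register(user, new_password)
        return True


def demo():
    """Run both stores through the same reset flow; returns what each mail leaks."""
    leak_box, safe_box = [], []
    bad = PlaintextOffender(leak_box)
    bad.register("alice", "hunter2")
    bad.reset("alice")
    good = HashedStore(safe_box)
    good.register("alice", "hunter2")
    good.request_reset("alice")
    token = safe_box[-1][1].split("t=", 1)[1]
    return {
        "offender_mail_contains_password": "hunter2" in leak_box[-1][1],
        "hashed_mail_contains_password": "hunter2" in safe_box[-1][1],
        "token_works_once": good.complete_reset(token, "correct horse")
        and not good.complete_reset(token, "x"),
        "new_password_logs_in": good.login("alice", "correct horse"),
        "old_password_rejected": not good.login("alice", "hunter2"),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The reset token is hashed before storage for the same reason the password is: a dump of the token table should not let anyone finish someone else's reset.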

Michiel de Jong

Jun 22, 2012, 8:09:06 AM
to to...@googlegroups.com
On Fri, Jun 22, 2012 at 12:50 PM, Jan-Christoph Borchardt
<h...@jancborchardt.net> wrote:
> when you reset
> your password and you get it mailed in plaintext, they store it in
> plaintext. I had that with a few services over the last years.
> One of them I remember was jinni.com, a movie recommendation website.
> Not sure if they still do it though.
>
> Also, not sure if it’s current, but just found this about Newegg:
> http://ashercodes.com/fyi-newegg-stores-your-password-as-plaintext
>
> AND found a blog about this, pretty active and up to date!
> http://plaintextoffenders.com/
>

epic! :) the plain-text offenders thing, together with https-or-not
and educating users about how to be safe online, can all go into a
sort of 'security best practices' category of data points

Hugo Roy

Jun 22, 2012, 8:48:07 AM
to to...@googlegroups.com
On Friday, June 22, 2012 at 14:09 +0200, Michiel de Jong wrote:
> epic! :) the plain-text offenders thing, together with https-or-not
> and educating users about how to be safe online, can all go into a
> sort of 'security best practices' category of data points

https://grepular.com/FastMail_FM_Security_Vulnerabilities

We should be careful to define this category clearly. We also have
to note, for instance, that https is not so easy to implement for just
any service. (Or you can self-sign, but then people usually get a very
stressful warning in their browser even though everything's fine.)

Of course, Amazon, Facebook & the like are not "any service" and are
able to afford to push for https.

--
Hugo Roy
French Coordinator, FSFE chat: hu...@jabber.fsfe.org
www.fsfe.org/about/roy mobile: +336 08 74 13 41
mobile DE: +49 151 143 56 563

Michiel de Jong

Jun 22, 2012, 8:55:44 AM
to to...@googlegroups.com
using startssl, it now costs no money, and about two hours of work, to
put an ssl certificate on a website. the only situation where this is
impossible is if you don't have the website running on its own IP
address (e.g. as a nodejitsu or 5apps or github-pages app). but if it
runs on rackspace or amazon or similar hosting platforms, there is no
real excuse not to offer https.

Hugo Roy

Sep 26, 2012, 2:24:25 AM
to to...@googlegroups.com

On Friday, June 22, 2012 2:55:44 PM UTC+2, Michiel de Jong wrote:
> using startssl, it now costs no money, and about two hours of work, to
> put an ssl certificate on a website. the only situation where this is
> impossible is if you don't have the website running on its own IP
> address (e.g. as a nodejitsu or 5apps or github-pages app). but if it
> runs on rackspace or amazon or similar hosting platforms, there is no
> real excuse not to offer https.

This should not be a point for tos-dr.info; it has nothing to do with the terms and rights. Please remove it. There are plenty of other projects taking care of this.

Michiel de Jong

Sep 26, 2012, 3:21:18 AM
to to...@googlegroups.com
On Wed, Sep 26, 2012 at 8:24 AM, Hugo Roy <hu...@fsfe.org> wrote:
> it has nothing to do with the terms and rights.

Hm, Jan brought this one up, and i agree it's part of a responsible
way of treating our data. It's comparable to storing our passwords in
plain text - all ways in which a service can put our valuable data at
risk, and is basically telling us they don't really care.

Jan, others, what do you think? I'll set these data points to
'disputed' for now.


Cheers,
Michiel