On Thu, Jun 21, 2012 at 7:18 PM, Jan-Christoph Borchardt
> These user-facing safety tips are cool and all, but apparently
> Facebook still doesn’t use https – you have to enable »safe browsing«.
> For a communication platform this big that’s downright irresponsible.
> Sure, many people might read those tips (and forget them also) but it
> seems like a pacifier compared to no https and tracking and all that.
about the https issue, here's their statement from 18 months ago:
"There are a few things you should keep in mind before deciding to
enable HTTPS. Encrypted pages take longer to load, so you may notice
that Facebook is slower using HTTPS. In addition, some Facebook
features, including many third-party applications, are not currently
supported in HTTPS. We'll be working hard to resolve these remaining
issues. We are rolling this out slowly over the next few weeks, but
you will be able to turn this feature on in your Account Settings
soon. We hope to offer HTTPS as a default whenever you are using
Facebook sometime in the future."
that post also mentions the 'faces of your friends' feature, which i
think is really original.
anyway, 18 months is a long time. i found this article as well from
May 2011, saying third-party content will be required https by October
2011, and facebook would be 100% https by the end of 2011 (this
evidently didn't happen)
after that, i can find no further trail.
of the services that have been rated so far, when i visit the
following pages (this may depend on my specific account there and
whether i'm logged in or not; also, it's not equally relevant for all
services, and their flagship .com website may not even be part of
their main service, but still...), i get https:
- google search
when i visit the following pages, i get no https:
- amazon (! - this changes once you click 'checkout', but still, the
information of what you are browsing and buying is not protected from
MitM attacks there)
- facebook (even while logged in!)
- linkedin (even while logged in!)
- seenthis (sorry, Hugo! :)
- skype (although their p2p protocol is encrypted. having said that,
being on skype means you can be tracked geographically by anyone who
knows your skype handle, we should actually make that a separate data
- wikipedia (not sure what to think of that)
last weekend, i was the most striking example of a non-https site:
requires you to put in your credit card
details over a non-https connection (even though the post is https,
this is still an exploitable vulnerability). the awesome bike scheme
of Vienna is worth it, and in the end, the credit card company and not
the consumer will pay for credit card fraud, but still, it's obviously
laughably unacceptable. :)
> (Right, by the way – what about storing info/passwords not encrypted,
> that should be a data point right?)
you are referring to linkedin? it's hard to track this, but yeah.
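As an added example that is not part of this thread, here is the check the bike-scheme case above calls for, written in Python against a constructed sample page (the URL, form and field names are made up): it flags any form containing password or card fields that is delivered over plain HTTP, even when the form's action is an https URL, because an attacker in the middle can rewrite the page before the user submits anything.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Heuristics for "sensitive" inputs: password fields, or names hinting at card data.
SENSITIVE_TYPES = {"password"}
SENSITIVE_NAMES = ("card", "cvv", "cvc", "pass")

# Constructed sample: an http page whose form posts to an https endpoint (hypothetical host).
SAMPLE_HTML = """<html><body>
<form action="https://pay.example.test/submit" method="post">
  <input name="cardnumber"><input name="cvv"><input type="submit" value="Pay">
</form></body></html>"""


class FormCollector(HTMLParser):
    """Collect every <form> with its action and the (type, name) of its inputs."""
    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": a.get("action") or "", "inputs": []}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            self._current["inputs"].append(((a.get("type") or "text").lower(),
                                            (a.get("name") or "").lower()))

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def is_sensitive(inp):
    typ, name = inp
    return typ in SENSITIVE_TYPES or any(k in name for k in SENSITIVE_NAMES)


def audit_forms(page_url, html):
    """Return one finding per sensitive form: page scheme, action scheme and a verdict.
    The page scheme is checked first: an https action does not rescue an http page."""
    parser = FormCollector()
    parser.feed(html)
    page_scheme = urlparse(page_url).scheme
    findings = []
    for form in parser.forms:
        if not any(is_sensitive(i) for i in form["inputs"]):
            continue
        action = urljoin(page_url, form["action"])
        action_scheme = urlparse(action).scheme
        if page_scheme != "https":
            verdict = "UNSAFE: sensitive form delivered over plain HTTP"
        elif action_scheme != "https":
            verdict = "UNSAFE: sensitive form posts over plain HTTP"
        else:
            verdict = "ok"
        findings.append({"action": action, "page_scheme": page_scheme,
                         "action_scheme": action_scheme, "verdict": verdict})
    return findings
```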