Facebook secure connection (HTTPS) flaw
Facebook’s HTTPS everywhere option has a flaw where non-secure apps, games and pages switch your Facebook account’s default back to HTTP
Providers of online tools and services use Hypertext Transfer Protocol Secure (HTTPS) to let users reach their sites over encrypted connections, which is one way of reducing security risk. Many of the most popular sites on the web now serve most of their content over HTTPS, even though this can make some sites slightly slower to load; Gmail is one example. The internet has always been a place where security and convenience must be balanced.
Hypertext Transfer Protocol Secure (HTTPS) is a combination of the Hypertext Transfer Protocol with the SSL/TLS protocol to provide encrypted communication and secure identification of a network web server.
Wikipedia
Until recently, however, Facebook had not been offering secure connections by default on all of its pages. Plain HTTP is unencrypted and open to man-in-the-middle and eavesdropping attacks, which let an attacker read what you send and receive, including the credentials or session tokens that give access to your account and other sensitive information. HTTPS is designed to withstand such attacks and is considered secure against them (with the exception of older, deprecated versions of SSL).
In January, however, Facebook announced that you can now enable HTTPS by default on all parts of Facebook that support it. It must be noted that for some security-sensitive actions (login, signup, changing account settings) Facebook already used SSL to keep you safe.
Starting today we’ll provide you with the ability to experience Facebook entirely over HTTPS. You should consider enabling this option if you frequently use Facebook from public Internet access points found at coffee shops, airports, libraries or schools.
The difference between the old and the new behaviour is that with the old approach you were exposed on the parts of Facebook where secure connections were not used; with the new option almost everything you do on Facebook is encrypted, wherever possible.
You can enable the use of secure connections on Facebook by following these steps.
There is, however, a loophole in this security measure. Some apps, games and pages on Facebook do not currently support HTTPS, and Facebook will notify you that to continue using them you will need to do so over a regular (HTTP) connection rather than HTTPS.
Here is the problem. Accepting this not only turns off SSL for that game, app or page but also switches your entire account connection back to the unsecured (HTTP) version of Facebook. From then on you are once again browsing over an unsecured connection by default unless you go back to your settings page and turn HTTPS on again, even though you had previously checked the box saying to use HTTPS whenever possible.
To browse securely again you have to re-enable the option every time an app, game or page turns it off. Facebook has said it will fix the issue and make HTTPS the default, and we hope it does so soon, because this is annoying and many people will simply forget, or not bother, to turn HTTPS back on.
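The scoping bug described above, modelled as a small added example (my own code, not Facebook's): an account preference, a buggy prompt handler that flips the account-wide setting when one app asks for HTTP, and a fixed handler that records a per-app exception and leaves the default alone. The URLs, the app name and all function names are constructed for illustration and do not reflect Facebook's actual implementation.

```python
"""Constructed model of the "one app downgrades the whole account" flaw.

Not Facebook code: the Account class, handlers and sample URLs are
assumptions made for this example.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Set
from urllib.parse import urlsplit, urlunsplit


@dataclass
class Account:
    # The "use HTTPS whenever possible" checkbox from the settings page.
    https_default: bool = True
    # Per-app exceptions; only the fixed handler uses this.
    http_only_apps: Set[str] = field(default_factory=set)


def accept_http_prompt_buggy(account: Account, app: str) -> None:
    """Behaviour the post describes: accepting one app's "continue over HTTP"
    prompt flips the account-wide preference, so every later page load is
    downgraded, not just that app's."""
    account.https_default = False


def accept_http_prompt_fixed(account: Account, app: str) -> None:
    """Scoped exception: remember that this one app needs HTTP and leave the
    account default untouched."""
    account.http_only_apps.add(app)


def resolve_scheme(account: Account, url: str, app: Optional[str] = None) -> str:
    """Return the URL rewritten with the scheme the account should use for it."""
    parts = urlsplit(url)
    if app is not None and app in account.http_only_apps:
        scheme = "http"        # explicit, scoped exception for this app only
    elif account.https_default:
        scheme = "https"
    else:
        scheme = "http"        # account-wide default has been set to plain HTTP
    return urlunsplit((scheme, parts.netloc, parts.path, parts.query, parts.fragment))


# Constructed sample of page loads made after the prompt:
# name -> (URL, app the request belongs to, or None for ordinary pages).
REQUESTS = {
    "home": ("https://www.facebook.com/", None),
    "messages": ("https://www.facebook.com/messages/", None),
    "game": ("https://apps.facebook.com/some-game/", "some-game"),
}


def simulate(handler: Callable[[Account, str], None]) -> Dict[str, str]:
    """Enable secure browsing, accept the HTTP prompt for one app, then report
    which scheme each later request would actually use."""
    account = Account(https_default=True)
    handler(account, "some-game")
    return {
        name: urlsplit(resolve_scheme(account, url, app)).scheme
        for name, (url, app) in REQUESTS.items()
    }


def setting_survives(handler: Callable[[Account, str], None]) -> bool:
    """The check a user would want: does the checkbox still read "enabled"
    after one app has been granted an HTTP exception?"""
    account = Account(https_default=True)
    handler(account, "some-game")
    return account.https_default


if __name__ == "__main__":
    for name, handler in (("buggy", accept_http_prompt_buggy),
                          ("fixed", accept_http_prompt_fixed)):
        print(name, simulate(handler), "setting kept:", setting_survives(handler))
```

With the buggy handler every request, including the home page and messages, comes back as `http` and the checkbox reads disabled; with the fixed handler only the game's own request is downgraded and the account preference is preserved, which is the behaviour the post is asking Facebook to ship.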
