January 26th 2011 Update: Facebook is launching an SSL/HTTPS encryption option in the ‘Account Security’ section of its settings. How to set up HTTPS with Facebook.
I’m always amazed that the popular websites don’t employ SSL/HTTPS encryption on all their pages. Granted, not every website needs encryption; it depends on what data is entered and how sensitive it is. In an ideal world SSL/HTTPS everywhere is the answer. My blog doesn’t need SSL (https://) because you only read it and leave comments, but websites that let you log in and store personal information should always provide ‘full’ end-to-end encryption. Facebook provides only ‘partial’ SSL protection: the login form is submitted over HTTPS, but the pages you browse afterwards, and the session cookie your browser sends with every request, travel over plain HTTP. That doesn’t go far enough considering the data they collect. eBay and PayPal are probably the most secure of the popular websites, serving the whole logged-in session over SSL, which is why hackers/spammers keep falling back to email phishing and common social engineering techniques to steal eBay and PayPal usernames and passwords.
Anyone with a little knowledge can ‘session hijack’ (also called ‘sidejacking’) someone else’s browser session by capturing their cookie, but only while that person has an active session. Only last month a Firefox add-on called Firesheep showed just how easy it is to capture another user’s cookie on a shared network (an open Wi-Fi hotspot, say) and open their Facebook pages as them.
Sidejacking relies on the authentication (session) cookie that most websites set so you can come back without logging in again. Using Facebook as the example: a ‘partial’ sidejack captures a cookie that only unlocks some of your account pages, whereas a ‘full’ sidejack gives the hacker access to every page of your Facebook account. In either case the hacker has only your cookie, not your username or password, and cannot change your password, since that requires the current one. The same applies to most of the popular websites people use.
Sites that don’t use SSL encryption at all, not even for the login form, are open to full hijacking: the username and password cross the network in the clear, so a hacker can capture them and change your password. That is an experience anyone would want to avoid.
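To make the difference between sidejacking (cookie replay) and full hijacking (credential capture) concrete, here is an added example, not part of the original post and not Firesheep’s code. It parses two constructed HTTP messages of the kind a sniffer on a shared network would see, shows that the captured Cookie header alone is enough to build a request as the victim, shows that a login form POSTed over plain HTTP hands over the password outright, and finishes with the check a site should pass before claiming end-to-end HTTPS protection: session cookies marked Secure (and HttpOnly) and a Strict-Transport-Security header. All hostnames, cookie values and credentials are made up.

```python
"""Sidejacking vs. full hijacking on constructed captured traffic.

Added example for this post; hostnames, cookie values and credentials
are invented. The 'attack' functions only manipulate strings so the
point (cookie alone == session; plaintext login == password) is visible.
"""
from urllib.parse import parse_qs

# Constructed sample: a logged-in user's page request over plain HTTP.
CAPTURED_HTTP_REQUEST = (
    b"GET /home.php HTTP/1.1\r\n"
    b"Host: www.example-social.test\r\n"
    b"Cookie: sessionid=9f1c2a7e; lang=en\r\n"
    b"User-Agent: Mozilla/5.0\r\n\r\n"
)

# Constructed sample: a login form submitted over plain HTTP (no SSL at all).
CAPTURED_LOGIN_POST = (
    b"POST /login.php HTTP/1.1\r\n"
    b"Host: www.example-nossl.test\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 39\r\n\r\n"
    b"email=alice%40example.test&pass=hunter2"
)

# Constructed server responses: the 'partial SSL' pattern and a hardened one.
WEAK_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Set-Cookie: sessionid=9f1c2a7e; Path=/; HttpOnly\r\n"
    b"Content-Type: text/html\r\n\r\n"
)
HARDENED_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Set-Cookie: sessionid=9f1c2a7e; Path=/; Secure; HttpOnly\r\n"
    b"Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    b"Content-Type: text/html\r\n\r\n"
)


def parse_http(raw: bytes):
    """Split a raw HTTP message into (start_line, [(name, value), ...], body).
    Headers are kept as a list because Set-Cookie may repeat."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers, body


def header(headers, name):
    """First value of a header, or None; names compared case-insensitively."""
    for n, v in headers:
        if n == name.lower():
            return v
    return None


def parse_cookie_header(value: str) -> dict:
    """'a=1; b=2' -> {'a': '1', 'b': '2'}"""
    out = {}
    for part in value.split(";"):
        if "=" in part:
            k, v = part.strip().split("=", 1)
            out[k] = v
    return out


def sidejack(captured_request: bytes, target_path: str = "/") -> bytes:
    """Sidejacking: reuse the victim's Cookie header verbatim in a new request.
    No password is learned; the cookie *is* the session."""
    _, headers, _ = parse_http(captured_request)
    host = header(headers, "host")
    cookie = header(headers, "cookie")
    if cookie is None:
        raise ValueError("captured request carries no cookie to replay")
    return (f"GET {target_path} HTTP/1.1\r\nHost: {host}\r\n"
            f"Cookie: {cookie}\r\n\r\n").encode("latin-1")


def steal_credentials(captured_request: bytes):
    """Full hijacking: a login form POSTed over plain HTTP carries the password.
    Returns the form fields, or None if this request is not such a POST."""
    start_line, headers, body = parse_http(captured_request)
    method = start_line.split(" ")[0]
    ctype = header(headers, "content-type") or ""
    if method != "POST" or not ctype.startswith("application/x-www-form-urlencoded"):
        return None
    return {k: v[0] for k, v in parse_qs(body.decode("latin-1")).items()}


def audit_response(raw_response: bytes) -> list:
    """Findings a site must clear before it really has end-to-end HTTPS."""
    _, headers, _ = parse_http(raw_response)
    findings = []
    for name, value in headers:
        if name != "set-cookie":
            continue
        cookie_name = value.split("=", 1)[0]
        attrs = {a.strip().lower() for a in value.split(";")[1:]}
        if "secure" not in attrs:
            findings.append(f"cookie {cookie_name!r} lacks Secure: the browser "
                            "will send it over plain HTTP, so it can be sidejacked")
        if "httponly" not in attrs:
            findings.append(f"cookie {cookie_name!r} lacks HttpOnly")
    if header(headers, "strict-transport-security") is None:
        findings.append("no Strict-Transport-Security: the browser will still "
                        "follow http:// links to the site")
    return findings


if __name__ == "__main__":
    print(sidejack(CAPTURED_HTTP_REQUEST, "/messages.php").decode())
    print(steal_credentials(CAPTURED_LOGIN_POST))
    for finding in audit_response(WEAK_RESPONSE):
        print("weak:", finding)
    print("hardened:", audit_response(HARDENED_RESPONSE))
```

The replay in `sidejack` is why a password-change form that demands the current password stops a sidejacker but not someone who captured `CAPTURED_LOGIN_POST`. The `audit_response` check is the practical version of ‘end-to-end HTTPS’: a cookie without the Secure attribute is sent on any http:// request to the site, so serving most pages over HTTPS while leaving a single plain-HTTP link or image on the domain is enough to leak it.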
Facebook is one of the most popular websites, but it is not the only one exposed to the sidejacking and hijacking attack vector. In my opinion all the popular websites should use end-to-end HTTPS/SSL encryption. Maybe one day the Internet will standardize web and browser security. We can only wait and hope.
Safe surfing folks!