Why can't I access Facebook via HTTPS/SSL?
Facebook stores a lot of personal information. Just to load my profile page they are transferring my full name, picture, email address, cell phone number, mailing address, school, major, current and former jobs, etc. -- along with all the other extraneous information that may appear on my wall or other profile applications. If I am accessing Facebook at a public computer or using an open wireless network, anyone in the vicinity can see all of this information as it is transferred. Talk about breach of privacy! It's fast, free, and easy for anyone to become such a snoop (check out this video: Get Gephardt – Protecting Your Wireless Connection).
One deterrent against such simple sniffing is to use a secure connection to transmit the data. While it is not the end-all, be-all of Internet security, it is definitely a major step in the right direction. Not only should I be able to access Facebook pages via a secure HTTPS/SSL connection, but secure access should be REQUIRED!
You wouldn't dream of accessing your online banking or credit card website over an unsecured HTTP connection, and they don't even have one one-thousandth of the personal information that Facebook presents on a single page! Banking websites generally don't even show full account numbers, let alone extremely personal details like cell phone numbers and up-to-the-minute information on where and what you are doing.
This really shouldn't be a difficult problem to solve. Facebook already has an SSL certificate, but it is only used when they process credit cards (e.g., for purchasing virtual "gifts" for your friends). You can manually prefix any page URL with https://, but clicking any link on the secure page will take you back to the http:// version of the site, making navigating securely absolutely impossible. The JavaScript/AJAX also references http:// links, so "dynamic" content like scrolling through photos, voting things up and down, poking people, etc. is not secured either.
97
people have this problem
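The problem described in the opening post (page links and script references that point back to http:// from a page loaded over HTTPS) can be checked mechanically. The following is an added example, not code from this thread or from Facebook; the `example.test` host names and the sample markup are constructed, and the tag/attribute lists are an assumption covering the common cases.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tags whose URL is fetched automatically while the page renders (mixed content).
SUBRESOURCE = {("script", "src"), ("img", "src"), ("iframe", "src"), ("link", "href")}
# Tags whose URL is only followed when the user clicks or submits (downgrade).
NAVIGATION = {("a", "href"), ("form", "action")}


class InsecureRefAudit(HTMLParser):
    """Collect references that leave HTTPS on a page that was served over HTTPS."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # (kind, tag, absolute_url)

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if not value or (tag, name) not in SUBRESOURCE | NAVIGATION:
                continue
            # Relative and scheme-relative (//host/x) URLs inherit the page scheme.
            target = urljoin(self.page_url, value.strip())
            if urlsplit(target).scheme != "http":
                continue
            kind = "mixed-content" if (tag, name) in SUBRESOURCE else "downgrade-link"
            self.findings.append((kind, tag, target))


def audit(page_url, html):
    if urlsplit(page_url).scheme != "https":
        raise ValueError("audit only makes sense for a page served over HTTPS")
    parser = InsecureRefAudit(page_url)
    parser.feed(html)
    return parser.findings


# Constructed sample markup; hosts under example.test are placeholders.
SAMPLE = """
<a href="http://www.example.test/profile.php">Profile</a>
<a href="/friends.php">Friends</a>
<a href="//www.example.test/inbox">Inbox</a>
<form action="http://www.example.test/poke.php" method="post"></form>
<script src="http://static.example.test/ajax.js"></script>
<img src="https://photos.example.test/me.jpg">
"""

if __name__ == "__main__":
    for kind, tag, url in audit("https://www.example.test/home.php", SAMPLE):
        print(f"{kind:15} <{tag}> {url}")
```

Relative and scheme-relative links pass because they inherit the page's scheme; only the absolute http:// references are reported.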
-
1 person says
this solves the problem
-
The one I use and forces all the ajax stuff to be HTTPS as well is noscript...there is a section of the configuration where you can tell it which sites to force https on...every time a request (from AJAX scripts, flash, whatever) requests a URL pattern that matches, it changes the request to an HTTPS...it still breaks AJAX functionality, however, because many of the scripts are not stored on an SSL-enabled server, and if they are, they are served with the www.facebook.com cert, which doesn't match the domain name they are coming from...come on FB, shell out the couple hundred bucks for certs for all of your domains!! -
I have a laptop computer and a desktop computer, both wireless, both running from the same router with the same security products. My laptop can access FaceBook but my desktop cannot. I have yet to find the differences between the 2 computers. I did get FaceBook working for one run on the desktop (after a reload of the entire operating system) but it hasn't worked since. I assume it is either something in the SSL for FaceBook or something in the firewall or virus scanner.
I’m sad
1 person says
this solves the problem
-
you can maybe use a web proxy that is secure; then at least the part between you and the proxy will be secure, which is probably the part you're most concerned about
I’m =\
2 people say
this solves the problem
-
I could have sworn that in Germany it seemed that I was on a permanent SSL connection back to the server.
Not sure if it was just the login page or not, however, it did default to HTTPS at least for the login screen. This could have been because I was on an open WiFi connection (and it automagically detected that) or because of the laws in Germany - not sure..
Here's my email exchange with a rep from Facebook which ended unsatisfactorily..
From: Naaman (xxx@xxx.com)
To: privacy@facebook.com (privacy@facebook.com)
Subject: Permanent HTTPS Access To Facebook
Hey guys,
I have seen it pop up in quite a few forums across the net that it is
near on impossible to maintain an encrypted session to Facebook over
HTTPS. From my travels in Germany, I remember the session was always
in HTTPS and it seemed to have defaulted to it - I have a feeling that
this was to comply with some of their laws.
Is it possible to access a URL to login to Facebook that maintains a
HTTPS connection for all activities (including AJAX scripts)?
I find it a little silly to be using an unencrypted connection on a
public wi-fi network when it comes to what is stored within Facebook.
Cheers,
Naaman
---
From: privacy@facebook.com (privacy@facebook.com)
To: Naaman (xxx@xxx.com)
Subject: Permanent HTTPS Access To Facebook
Hi Naaman,
Facebook takes appropriate precautions to protect users' information. Your account information is located on a secured server behind a firewall. When you enter sensitive information (such as a credit card number or your password), we encrypt that information using secure socket layer technology (SSL).
Let me know if you have further questions.
Thanks for contacting Facebook,
Eli
User Operations
Facebook
---
From: Naaman (xxx@xxx.com)
To: privacy@facebook.com (privacy@facebook.com)
Subject: Permanent HTTPS Access To Facebook
I understand that you guys have in place measures on the server end. I am requesting the option (like Gmail) to turn on HTTPS for the entire connection to Facebook.
This setting is important to ensure that when Facebook users are using free/open wi-fi connections, their personal information is not being transmitted in clear text.
Naaman.
---
From: privacy@facebook.com (privacy@facebook.com)
To: Naaman (xxx@xxx.com)
Subject: Permanent HTTPS Access To Facebook
Hi Naaman,
Unfortunately, the specific functionality you are requesting is not currently available. We will keep your suggestion in mind as we continue to improve the site. Let me know if you have any further questions.
Thanks for contacting Facebook,
Eli
User Operations
Facebook
I’m disappointed
-
Thanks for the info! :) -
It's been more than two or three months that I can't access facebook. My screen hangs when entering site then doesn't connect. Today I have tried putting https when logging in, and was able to connect but this was for only a few minutes, then it started hanging again. What is the matter???? What do I need to do to fix this problem???? Please help -
What browser do you use, Bongi? It might be worth trying the latest Firefox or Google Chrome. -
If you keep in mind it's in *their* not *your* best interest not to have SSL work with all pages, you realize the *only* choice is server address rewriting on user-side from http:// to https://. Facebook wouldn't want to have users use SSL excessively because it loads the servers more and users should be allowed to use SSL because you might not want your personal information banging around the net even if it's not related to banking.
-
What gives this guy at User Operations the right to tell me what I should regard as "sensitive information"?
My username and password on Facebook are sensitive to me, I don't want ANYONE to steal them.
Another point is that keeping a secured server behind a firewall is a LAN security measure, and has nothing to do with real internet security, like encryption.
This guy obviously does not know what he is talking about..
I’m frustrated
-
username and password are always sent securely when logging in. It's just all the information on pages you view that can be snooped.
So when you look at your profile, someone could snoop on all the personal information on that page. -
Frederick: not completely true. Once the user logs in the session cookie can be sniffed and you can authenticate as the original user. From there you would have complete control. -
but the username and password are never actually viewed, I think (and hope) that facebook has secondary checks so that a snooped session cookie doesn't give access.
It's not very hard for them to implement secondary checks anyway; which is why I hope they do. -
Frederick: You don't need to view the login and password if you've authenticated otherwise. Once authenticated you can change the login and password to whatever you want. You can further the attack by also stripping out the ssl and getting the login and password anyway. As far as a second check goes, the session cookie is the check. That is how the system works not only on facebook, but almost every site out there. I know this because I've done it. I harvest all sorts of email, facebook, etrade, etc login and passwords at starbucks, airports, and etc. Even if SSL was allowed and not forced, the whole system still falls apart. It's flawed from the ground up. -
Some workarounds, until facebook fixes this (it's been 1 year now), if you want to:
- login securely to facebook, go to: https://login.facebook.com/login.php?...
- go further and force Facebook to use secure login and always use an encrypted SSL connection (ie: HTTPS) except for photos and videos, use this script:
http://userscripts.org/scripts/show/4...
(You'll require greasemonkey for firefox, or some other user script support, ie it may work with opera, safari or google chrome.)
I’m loving the user scripts power!
-
I agree with you
It is ridiculous that you have to use a script to force SSL. I considered using Facebook in addition to hyves.nl (a famous social networking site for Dutch people), but I won't accept it containing absolute http:// links for pages in the menu.
This is such a big site. Why can Google do it correctly for their services like GMail, but facebook cannot? Is it so the feds can easily snoop data without contacting facebook operatives?
Talking about safety on wireless networks... -
I managed to force facebook to always use secure links by using Google Chrome and the scripts linked a couple of posts ago, but the chat doesn't seem to work and there are some other little annoyances. Good solution nonetheless.
-
This reply was removed on 11/28/09.
see the change log -
If Https doesn't work and neither does facebook lite then how do we access it during college times etc?? The appropriate proxy doesn't work and neither does access to the firewall settings :/
Buggaa!
I’m Bummed Out!
-
The only workaround without resorting to scripts that I've found is this:
1) Login using the https login technique mentioned before:
https://www.facebook.com/login.php
Immediately after submitting your login information, stop the page loading.
2) Go to:
https://lite.facebook.com
The page should stay secure so long as you stay away from chat. Occasionally check the address bar, I'm still working to see what triggers the connections to becoming http again. I haven't found a way to make the chat use SSL.
I’m still unimpressed
-
stupid
-
one more for a ssl-enable option in settings
-
Hi everyone, not really sure how it's supposed to work but I've found this alternative site, guess it's encrypted.
https://ssl.facebook.com/
I'll check it out, though I really need to find out how to connect securely (SSL) from the Facebook servers to the Facebook FBML application that I'm developing.
-
The problem with this is that you can't use Facebook chat and probably some other functions... our point is that if Google can encrypt their chat and mail, why can't FB? -
I tried https://www.facebook.com, not working as well as @matias one too. So why the chat app has to be in http (asides performance issues)?
I’m frustrated
-
This reply was removed on 03/24/10.
see the change log -
Do NOT do this. It is a phishing attempt to get your google account password. In other words, it will seriously screw you up. I've already reported it. -
!!!WARNING!!! -
This can be done with NoScript as well. Just force all access to facebook.com to use https://ssl.facebook.com/ or https://lite.facebook.com
Ultimately, you still don't gain total security with SSL access. URLs are not obfuscated and reveal what you are looking at/doing, and you can't force others to use SSL either.
-
Why, when I log in using http://www.facebook.com, is the browser slow in loading, taking very long to load, like about 5 mins,
whereas when I log in through https://www.facebook.com the browser loads in just a second?
I’m bored
-
Look, this is the problem with Facebook and all other similar systems. On the plus side, you get to participate with friends for "free". I'd suggest to
* never use your password combination for anything else that relates to your email address, such as hotmail.
* NEVER place your real date of birth (your real friends should know that :-), if you wanna get birthday wishes, why not put your date of birth a decade or two aside the real one
* remember that if you go travelling and some nice hostel has free wireless, some punk will have an application in the hostel, on their iphone/laptop to get your password, if you are clever, you know to not have the same password for really sensitive things
-
You are a retard. We shouldn't have to jump through hoops and risk our personal information when facebook can fix this almost effortlessly. The problem is that facebook wants your information to be public to all the Apps you and your friends use and SSL complicates that. They want to look like they are trying so hard when they have ulterior motives.