Facebook new SSL setting has loophole/defect around apps
2 points by krisnessa on Mar 4, 2011
Issue: After seeing the new Facebook Security setting to enable a secure session, I tried out the setting. The setting has a loophole (or a defect if you want to call it that). If you engage in any apps that run on Facebook, these apps may need to take you out to a non-secure session. When the new Facebook SSL security option is enabled, and you try to go to a non-secure session to engage in the app, Facebook will notify you with a message asking you if it’s ok to jump out to the non-secure session. If you choose to jump out, at this point Facebook is disabling your Account Security SSL setting. That’s right. So when you’re done playing Farmville (or whatever app you choose) and go to log into Facebook later, Facebook has disabled the SSL and you are back to non-secure Facebook browsing and interactions.

There are a few options out there to force security on your web browsers, and you can get by this issue of Facebook disabling your setting and ensure you’re always browsing the secure session of the application (and SSL of all websites).

Alternatives/Fixes: If using Mozilla Firefox, there is a free, beta add-on, HTTPS Everywhere from the Electronic Frontier Foundation. I’ve installed and tested this, and it works as desired (you may want to uninstall the browser toolbar it installs by default).

If using Google Chrome, there is an extension, KB SSL Extension. I have not tested or verified this extension.

I couldn’t find any current updates for Safari and Explorer browsers.
