Last year, a security enthusiast released a Firefox extension called Firesheep that made it incredibly easy for users with little technical knowledge to break into the online accounts of people connecting over open wireless networks.
The attack the extension automates is a form of session hijacking (often called sidejacking) and has been known for over a decade. It needs no man-in-the-middle position: the attacker only has to read traffic that is already passing unencrypted over the air.
It relies on sniffing the network traffic and extracting the session cookies sent by the victim’s browser. These cookies are small tokens that websites use to remember authenticated users, and anyone who captures one can act as that user for as long as the session remains valid.
After the Firesheep extension received widespread coverage in the media, large online services started offering the option of using encrypted connections (HTTPS) for entire sessions in order to prevent cookie stealing attacks.
Facebook began allowing users to enable persistent HTTPS for their accounts in January and since then the company has made significant progress in implementing the feature.
However, the nature of the platform, which pulls in content from tens or hundreds of thousands of external websites via third-party apps, makes rolling out HTTPS significantly harder.
Each time an HTTPS user opens a third-party app that does not serve its content over HTTPS from a host with a valid SSL certificate, they are prompted to drop back to a plain HTTP connection, which exposes their session cookies to sniffing again.
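The two mechanics described above, the passive cookie grab and the damage done by a single fallback to plain HTTP, are easiest to see in code. The following is an added example written for this page; it is not code from the article, from Firesheep or from Facebook. The host name `social.example`, the cookie name `sid` and the captured requests are all constructed for illustration. It models a minimal browser cookie jar, a passive sniffer reading raw HTTP requests, and one run with and one without the cookie's Secure attribute, which is the detail a practitioner should check: persistent HTTPS only protects the session if the cookie is also marked Secure, otherwise the very first http:// request (such as the third-party app fallback) hands it to the sniffer.

```python
"""Session-cookie leakage over plaintext HTTP, and the Secure attribute.

Added example for this page, not code from the article, Firesheep or
Facebook. The host name, cookie name and captured traffic are constructed.
"""
import re
from http.cookies import SimpleCookie


class CookieJar:
    """Minimal browser-side cookie store that honours the Secure attribute."""

    def __init__(self):
        # (host, cookie name) -> (value, secure, httponly)
        self.store = {}

    def receive(self, host, set_cookie_header):
        """Remember cookies from one Set-Cookie header value sent by `host`."""
        parsed = SimpleCookie()
        parsed.load(set_cookie_header)
        for name, morsel in parsed.items():
            self.store[(host, name)] = (
                morsel.value,
                bool(morsel["secure"]),
                bool(morsel["httponly"]),
            )

    def cookie_header_for(self, scheme, host):
        """Build the Cookie header a browser attaches to scheme://host/...

        Cookies marked Secure are withheld on plaintext http:// requests,
        so they never cross the wire where a sniffer could read them.
        """
        parts = []
        for (h, name), (value, secure, _httponly) in sorted(self.store.items()):
            if h != host or (secure and scheme != "https"):
                continue
            parts.append(f"{name}={value}")
        return "; ".join(parts)


def sniff_cookies(captured_plaintext):
    """Pull Cookie headers out of raw HTTP requests seen on an open network.

    This is the Firesheep-style step: purely passive, no man-in-the-middle
    position needed. Returns a list of (host, cookie header value).
    """
    found = []
    for request in captured_plaintext.split("\r\n\r\n"):
        host = re.search(r"^Host:\s*(\S+)\s*$", request, re.M | re.I)
        cookie = re.search(r"^Cookie:\s*(.+?)\s*$", request, re.M | re.I)
        if host and cookie:
            found.append((host.group(1), cookie.group(1)))
    return found


def replay_request(host, cookie_header, path="/"):
    """Request an attacker would send to ride the stolen session (constructed)."""
    return (
        f"GET {path} HTTP/1.1\r\nHost: {host}\r\n"
        f"Cookie: {cookie_header}\r\n\r\n"
    )


def simulate(secure_flag):
    """Log in over HTTPS, then follow a link to a plaintext page on the same host.

    Returns the cookie header a passive sniffer recovers from the http://
    request, or "" if nothing usable was exposed.
    """
    jar = CookieJar()
    attrs = "; Secure; HttpOnly; Path=/" if secure_flag else "; HttpOnly; Path=/"
    # Constructed login response from https://social.example (hypothetical host)
    jar.receive("social.example", "sid=9f2c1e7a" + attrs)

    # Later the user is bounced to an http:// page, e.g. a third-party app
    # that does not yet support HTTPS. What does the browser attach?
    header = jar.cookie_header_for("http", "social.example")
    wire = "GET /app/42 HTTP/1.1\r\nHost: social.example\r\n"
    if header:
        wire += f"Cookie: {header}\r\n"
    wire += "\r\n"

    stolen = sniff_cookies(wire)
    return stolen[0][1] if stolen else ""


if __name__ == "__main__":
    print("without Secure:", repr(simulate(False)))  # sid=9f2c1e7a leaks
    print("with Secure:   ", repr(simulate(True)))   # nothing leaks
    print(replay_request("social.example", simulate(False), "/home"))
```

Run as a script it prints the cookie recovered in each case. Without the Secure attribute the single plaintext request carries `sid=9f2c1e7a`, which is all `replay_request` needs; with it, the browser sends no cookie at all on the http:// request, so the fallback described above costs the user the app but not the account. The HttpOnly attribute is included for realism but plays no role here: it only stops scripts from reading the cookie, not the network.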
To fix this shortcoming, the company recently asked all app developers to obtain SSL certificates and serve their apps over HTTPS by October 1st. Last week, at the Hack in the Box 2011 security conference in Amsterdam, we asked Mr. Joe Sullivan when he expects the website to roll out HTTPS by default for all users.
“My hope is that we’ll get there by the end of the year, but it depends on a lot of different factors,” the Facebook CSO said. He noted that default HTTPS is the company’s goal, but pointed out that there are still lots of little technical details to go through.
Hopefully those will be sorted out by October 1st, when third-party apps are required to support HTTPS, so the company can move forward with its plan to bring encrypted connections to everyone.