In response to complaints that a recent announcement of secure connections doesn't go far enough, Facebook said today that it's planning to roll out additional changes that would shield mobile devices and all apps from eavesdropping.
Last month, Facebook began offering the ability for users to turn on HTTPS (Hypertext Transfer Protocol Secure) to encrypt all communications with the site. However, F-Secure and others have noticed that some apps require users to switch to a regular HTTP connection to use the app, but don't warn users that the switch then becomes permanent.
Asked for comment, a Facebook representative said the company is working to make it so that the switch to unencrypted communications is only temporary and that Facebook is encouraging developers to write apps that support HTTPS.
"We are pushing our third-party developers to begin supporting HTTPS as soon as possible. We've provided an easy way for third-party developers to encourage to do this, and we hope to transition to fully persistent HTTPS soon," the rep said in an e-mail. "However, we recognize that there is currently too much friction in this process and we are iterating on the flow so that the setting will only be temporarily disabled for that session. The account will then return to HTTPS on the next successful log in. We are testing this flow now and hope to launch it in the near future."
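The difference between the behaviour F-Secure complained about and the flow Facebook says it is testing comes down to where the HTTPS override is stored. The following Python model, added here as an illustration and not code from Facebook, contrasts the two policies: a downgrade that rewrites the stored account preference versus one that lives only in the current session and is discarded at the next successful login. All class and function names (`Account`, `Session`, `DowngradePolicy`, `simulate`) are invented for the example.

```python
"""Model of an opt-in 'always use HTTPS' account setting that an app
which only works over plain HTTP may ask to override. Added example,
not Facebook's code; all names are hypothetical.

Two downgrade policies are compared:
  * PERSISTENT: the override flips the stored account preference, so
    every later session silently uses HTTP (the behaviour complained about).
  * SESSION: the override applies to the current session only; the
    stored preference is untouched and the next login returns to HTTPS
    (the flow the article says Facebook was testing).
"""
from dataclasses import dataclass, field
from enum import Enum


class DowngradePolicy(Enum):
    PERSISTENT = "persistent"
    SESSION = "session"


@dataclass
class Account:
    """Long-lived, stored account settings (hypothetical)."""
    https_only: bool = True


@dataclass
class Session:
    """State of one logged-in session; starts from the stored preference."""
    account: Account
    https_only: bool = field(init=False)

    def __post_init__(self):
        self.https_only = self.account.https_only


def login(account):
    """A successful login always re-reads the stored preference."""
    return Session(account)


def request_http_app(session, policy):
    """An HTTP-only app asks for the downgrade on behalf of the user."""
    session.https_only = False
    if policy is DowngradePolicy.PERSISTENT:
        # Persistent policy: the insecure choice outlives this session.
        session.account.https_only = False
    # Session policy: nothing stored is changed.


def scheme_for(session):
    """Scheme the client will use for ordinary requests in this session."""
    return "https" if session.https_only else "http"


def simulate(policy):
    """Return (scheme right after the downgrade, scheme after re-login)."""
    account = Account(https_only=True)
    first = login(account)
    request_http_app(first, policy)
    after_downgrade = scheme_for(first)
    second = login(account)  # the "next successful log in"
    after_relogin = scheme_for(second)
    return after_downgrade, after_relogin


if __name__ == "__main__":
    for policy in DowngradePolicy:
        print(policy.value, simulate(policy))
```

Under the persistent policy the user who opted into HTTPS ends up on plain HTTP for every later session without being told; under the session policy the unencrypted state is confined to the session that asked for it, which is the property to check for when reviewing any "temporarily disable security setting" flow.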
Also this week, a computer science professor at Rice University demonstrated that his Motorola Droid X running Android could be eavesdropped on with the right sniffing software. Dan Wallach ran the Wireshark network protocol analyzer and Mallory proxy in his undergraduate security class a few days ago. He found that Facebook sends data (except log-in credentials) in the clear, even though he has his Facebook account set to use HTTPS whenever possible, he wrote on the Freedom to Tinker blog.
Asked for comment, the Facebook representative said the company is working to provide Secure Sockets Layer (used in HTTPS) on mobile platforms in coming months.
"After launching SSL for the site, we are still testing across all Facebook platforms, and hope to provide it as an option for our mobile users in the coming months," the rep said in a statement. "As always, we advise people to use caution when sending or receiving information over unsecured Wi-Fi networks."
Wallach also found that Google Calendar traffic is not encrypted. In response, a Google representative said, "We plan to begin encrypting traffic to Google Calendar on Android in a future maintenance release. When possible, we recommend using encrypted Wi-Fi networks."
(A tip of the hat to Dan Goodin at The Register.)