Facebook goes deep on SSL, a good practice for all social media sites
Today Facebook announced that it now supports always-on SSL as a user-configurable option. The announcement comes in the wake of recent attention to rogue hotspots being used to harvest sensitive information from e-mail and social media sites.

The issue is that many of these sites use SSL to encrypt the login page, which protects the password itself, but then fall back to plain HTTP for everything you see once you're inside the site. On those unencrypted pages the browser still sends the session cookie with every request, so a man-in-the-middle (MITM) can harvest the cookie along with the page content, hijack the session, and use what they learn as the basis for a second tier of social engineering attacks.

One clear way to become a man-in-the-middle is to operate a rogue hotspot and prey on those who use it to reach their mail or social accounts. This practice garnered a lot of attention last year with the release of Firesheep, a Firefox extension that makes it easy to do exactly that: it watches the wireless traffic for session cookies and lets the attacker log in as the victim with one click. But even before Firesheep, Google had already taken the step of encrypting the entire Gmail experience under SSL, and has since stated unambiguously that by today's standards SSL is no longer computationally expensive.

One standards development that can help sites offer full SSL protection is Strict Transport Security, or STS (the response header is Strict-Transport-Security). A site declares the policy by sending that header over an SSL connection; the policy states that every connection to the site must be made over SSL for a stated period. A supporting browser then rewrites any plain-HTTP link to that site to HTTPS on its own, before the request ever leaves the machine, and treats a certificate error on that site as a hard failure rather than something the user can click through. The one gap is the very first visit: until the browser has seen the header once over SSL, a plain-HTTP request can still be intercepted, so the site must also redirect HTTP to HTTPS and mark its session cookies Secure. PayPal, which has been a leader in many security best practices for consumer-facing sites, already sends the Strict-Transport-Security header.
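To make the browser side of Strict Transport Security concrete, here is an added example (written for this page, not code from the article, Facebook, PayPal or any browser) that models how a browser keeps its list of known STS hosts and upgrades requests. It assumes the header syntax of the HSTS specification (RFC 6797): `Strict-Transport-Security: max-age=<seconds>[; includeSubDomains]`, honoured only when received over HTTPS. The hostnames, timestamps and responses in the demo are constructed.

```python
"""Browser-side model of HTTP Strict Transport Security (HSTS).

Added example; not from the article or any browser's source.  Assumes the
RFC 6797 header syntax.  Hostnames such as example.test are constructed.
"""
import time
from urllib.parse import urlsplit, urlunsplit


def parse_hsts(header_value):
    """Parse an HSTS header value into (max_age, include_subdomains).

    Returns None when there is no usable max-age, which a browser must
    treat as 'no policy'.  Directive names are case-insensitive.
    """
    max_age = None
    include_subdomains = False
    for directive in header_value.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        name, _, value = directive.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name == "max-age":
            if not value.isdigit():
                return None
            max_age = int(value)
        elif name == "includesubdomains":
            include_subdomains = True
    if max_age is None:
        return None
    return max_age, include_subdomains


class HstsStore:
    """Minimal 'known HSTS hosts' list, as a browser keeps it."""

    def __init__(self, now=time.time):
        self._now = now            # injectable clock so expiry can be tested
        self._hosts = {}           # host -> (expiry_timestamp, include_subdomains)

    def observe_response(self, url, headers):
        """Record the policy from a response, but only if it arrived over HTTPS.

        The header is ignored on plain HTTP: otherwise a man-in-the-middle
        could set or clear policies for any site.  Returns True if stored.
        """
        parts = urlsplit(url)
        if parts.scheme != "https":
            return False
        value = headers.get("Strict-Transport-Security")
        if value is None:
            return False
        parsed = parse_hsts(value)
        if parsed is None:
            return False
        max_age, include_subdomains = parsed
        host = parts.hostname.lower()
        if max_age == 0:
            self._hosts.pop(host, None)   # max-age=0 means 'forget this host'
        else:
            self._hosts[host] = (self._now() + max_age, include_subdomains)
        return True

    def is_known(self, host):
        """True if host, or a parent with includeSubDomains, has a live policy."""
        host = host.lower()
        now = self._now()
        labels = host.split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            entry = self._hosts.get(candidate)
            if entry is None:
                continue
            expiry, include_subdomains = entry
            if expiry <= now:
                del self._hosts[candidate]     # expired policy is dropped
                continue
            if i == 0 or include_subdomains:
                return True
        return False

    def rewrite(self, url):
        """Upgrade an http:// URL to https:// before any request is sent."""
        parts = urlsplit(url)
        if parts.scheme == "http" and parts.hostname and self.is_known(parts.hostname):
            netloc = parts.netloc
            if netloc.endswith(":80"):         # drop explicit :80 so 443 applies
                netloc = netloc[:-3]
            return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))
        return url


if __name__ == "__main__":
    clock = [1_000_000.0]
    store = HstsStore(now=lambda: clock[0])
    # Constructed responses: the header on plain HTTP is ignored, on HTTPS it sticks.
    store.observe_response("http://example.test/", {"Strict-Transport-Security": "max-age=3600"})
    store.observe_response("https://example.test/login",
                           {"Strict-Transport-Security": "max-age=3600; includeSubDomains"})
    print(store.rewrite("http://example.test/feed"))
    print(store.rewrite("http://www.example.test/"))
    clock[0] += 3601
    print(store.rewrite("http://example.test/feed"))   # policy expired, no upgrade
```

The two things worth noticing are the checks a real browser also makes: the policy is only learned over HTTPS, which is why the first plain-HTTP visit remains the weak spot, and it expires after max-age, so a site that wants lasting protection must keep sending the header on every secure response.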