Facebook insecure by design

Ben Carleton ben at bencarleton.com
Fri Sep 30 07:32:31 CDT 2011


Actually, the reason for what happened in your example is that Cee Lo's 
page has what is **technically** an app (called I Want You, as seen in 
the sidebar under his profile photo) set as the default screen for when 
you view his page. The app (that does admittedly look like it could be 
an official feature from Facebook) uses externally-hosted HTTP-only 
content, which Facebook will detect and warn you about.

-- Ben

On 9/30/2011 5:05 AM, William Allen Simpson wrote:
> In accord with the recent thread, "facebook spying on us?"
>
> We should also worry about other spying on us.  Without
> some sort of rudimentary security, all that personally
> identifiable information is exposed on our ISP networks,
> over WiFi, etc.
>
> Facebook claims to be able to run over TLS connections.
> Not so much (see attached picture).
>
> This wasn't an "app", this is the simple default content of a
> page accessed after a Google search.
>
>   https://www.facebook.com/ceelogreen



