Sunday, July 5, 2009

Facebook Secure Pro, Encrypting it!

Facebook supports secure encrypted connections, i.e. HTTPS, or HTTP over SSL. (See the technical note below for the security concepts.) But unless the Facebook team decides to enable it by default, or to offer it as an option in their configuration, it is not usable. So I decided to write a small GreaseMonkey script that replaces HTTP with HTTPS whenever possible. I call it Facebook Secure Pro because it is based on the script Gmail Secure Pro version 1.1.

The latest version of the script, version 1.1, is working okay except for the following issues:

- Facebook does not serve photos and videos encrypted, probably for performance reasons.
- Facebook Chat apparently is not supported by Facebook, or the script broke it.
- The Share button is apparently broken.
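The rewrite rule described above, as an added sketch that is not the Facebook Secure Pro source: it upgrades `http://` URLs on `facebook.com` and its subdomains and leaves an exclusion list alone. The script name, the `@include` pattern and the two excluded host names are assumptions; the page does not name the hosts that serve photos and videos.

```javascript
// ==UserScript==
// @name     HTTPS upgrade sketch (hypothetical name)
// @include  http://*.facebook.com/*
// ==/UserScript==

const UPGRADE_SUFFIX = 'facebook.com';
// Hypothetical host names standing in for the photo/video servers that
// are HTTP-only; the page does not name the real ones.
const SKIP_HOSTS = ['photos.facebook.com', 'video.facebook.com'];

// True only for the domain itself or a real subdomain of it, so that
// "evilfacebook.com" and "facebook.com.evil.example" never match.
function hostMatches(host, suffix) {
  return host === suffix || host.endsWith('.' + suffix);
}

// Returns the HTTPS form of href, or href unchanged when it must stay as is.
function upgradeUrl(href, base) {
  let url;
  try {
    url = new URL(href, base);
  } catch (e) {
    return href;                              // unparsable: leave untouched
  }
  if (url.protocol !== 'http:') return href;  // already https, mailto:, etc.
  if (url.port !== '') return href;           // explicit port: no HTTPS listener assumed
  if (!hostMatches(url.hostname, UPGRADE_SUFFIX)) return href;
  if (SKIP_HOSTS.some((h) => hostMatches(url.hostname, h))) return href;
  url.protocol = 'https:';
  return url.href;
}

// Rewrites every link in doc that can be upgraded; returns how many changed.
function rewriteLinks(doc) {
  let changed = 0;
  for (const a of doc.querySelectorAll('a[href]')) {
    const upgraded = upgradeUrl(a.href, doc.baseURI);
    if (upgraded !== a.href) { a.href = upgraded; changed += 1; }
  }
  return changed;
}

// Browser only: move the current page to HTTPS first, otherwise fix its links.
if (typeof document !== 'undefined' && typeof location !== 'undefined') {
  const target = upgradeUrl(location.href);
  if (target !== location.href) location.replace(target);
  else rewriteLinks(document);
}
```

A userscript only runs once the page is loading, so the first HTTP request, cookies included, has already crossed the network in the clear before the redirect happens.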

Please report any comments you have or errors you find in the Issues section. I hope the Facebook team decides to use secure connections by default, like Gmail does these days, or at least makes them optional in the configuration.

Download the script!

Technical Note: In this case, secure means that with HTTPS anyone sniffing your Facebook traffic, for example in your favorite cybercafe, can't see it, unless the eavesdropper uses a more sophisticated attack called man-in-the-middle. Also, in the latter case, the eavesdropper very probably can't use the original, secret certificate owned by Facebook for the connection. That means your conversation will be stolen, but you will probably see a wrong certificate, one not assigned to Facebook. An eavesdropper can mess with SSL certificates, but that is a really hard and experimental attack.