Monday, February 28, 2011

Facebook security http vs. https questions answered

There's been a lot of talk on Facebook lately about http and https and how to change it. Do any of the folks touting this wobegone actually understand what is going on here?  Do YOU know what the difference between http and https is?  Let me try to explain.

When a web browser tries to get to a web site, there is a conversation that happens in the network between the browser and the web server.  Basically you browser gives the web server a bunch of information about itself and then asks the web server to transmit back the page it's requesting.  When you're browser address bar has http:// in front of the web server, this happens in "plain text".  This means that anyone that can see the network traffic between your web browser and the web server can read in plain words what is going on in that conversation.  When you are writing an email, writing a Facebook status update, filling in a form on a website, writing a Facebook message, or sending ANY data to a web site, anyone can read that data that really wants to.  Now, this can happen only at the time that you hit save, send, login, update, or any other button that uploads the information.  As soon as the information is uploaded, that's it.  Noone else, besides the folks you sent it to, can read that data.

Now, when you're browser address bar has an https:// in front of the web server name, then the conversation is a little more involved.  First your browser asks the server for it's "keys", server certificate and then goes out to a certificate authority (such as Verisign, Microsoft, or others) and makes sure the server is who you think it is.  Then your browser takes the "keys", looks at it's own "key" and creates an encryption "key" that will scramble the data that is sent back and forth.  The server then looks at that key and makes sure everything is OK.  Then all data back and forth from the server to the browser is sent coded with the "key".  If someone were to look at that conversation in the network, it would look like gobbledygook to them.
This is the preferred way to log into web sites (since you don't want to send your password over the network so that anyone can read it), send emails, Facebook messages, web site forms, etc, etc, etc so that no one can read the information you are transmitting.

Why is everyone worried about this right now?  Because of Facebook "hacking"?  Will this prevent this???


There are very few opportunities to do this type of hacking. The first is an open WiFi network.  Open means that you have to do nothing to connect to it besides hit the button on your computer or phone that says "Connect".  If you did that, and I did the same thing, I can run a program in the network and listen to everything your computer/phone is saying out on the internet.  If you connect to a WiFi that is password protected, then I can't listen in because the WiFi network does basically the same as the web server in the https:// scenario.

The other two opportunities I have to do this is to send you a bogus email with a link to Facebook that looks like Facebook, but really is my bogus server where you put your information in.  Then my server records that information and sends you on to Facebook so you don't suspect anything.  The last one is that I need to hack into the internet.  This is a little more difficult since I will need to get into network devices owned by AT&T, MCI, Sprint, etc.  Not that easy.

Although this is always good practice to make sure that whenever you are sending private information to a web server, that you ensure https:// is in the address bar, this is not how many of the email and Facebook scams are getting your passwords.  They are getting it by "brute force".  Basically, they are just trying a bunch of passwords and getting a success because yours is easy to guess.  (and don't think you're being clever by using P@55w0rd).

No comments: