Softpedia
 


February 7th, 2011, 15:54 GMT · By

Facebook Clears Persistent HTTPS Setting Without Warning



[Image: Facebook clears persistent HTTPS setting when apps are allowed]
Despite recently starting to allow users to opt for HTTPS on all sessions, Facebook clears the setting with no warning when people try to access most apps.

Two weeks ago, the social networking site proudly announced a new "secure browsing" option located under the Account Security menu which would allow people to enable HTTPS for all future visits.

However, at the moment, third-party apps do not work via HTTPS, because they load external content into the page.

This content cannot be signed by Facebook; therefore, the secure connection is broken each time an HTTPS client opens such an app.

Facebook prevents this from happening automatically via a dialog that reads "Sorry! We can't display this content while you're viewing Facebook over a secure connection (https). To use this app, you'll need to switch to a regular connection (http)."

Pressing the continue button, however, doesn't just remove HTTPS for that session, but clears the checkbox from the persistent "secure browsing" setting without any indication of doing so.

A dialog allowing users to break HTTPS temporarily, or at least one that clearly indicated that the permanent option is also modified, would be much more appropriate.

Users could assess the risks at a particular moment and decide whether to drop HTTPS temporarily based on that.

For example, people who are frequently on the go might feel OK with not using HTTPS when connected from home, but would probably expect their connection to revert to a secure one when connecting through wireless hotspots.

Under current conditions, given that the vast majority of apps load external content, the persistent secure browsing option seems almost futile if it's going to be removed every time.

READER COMMENTS:


Comment #1 by: Redcat on 09 Feb 2011, 20:21 UTC

Very sneaky and why are the general public not informed? If are by friend looking out for their best interest of their email colleagues then the corporation sends a threatening emails?
UM........?
Breach of personal information of the general public and violation of privacy too... unconstitutional!
