Mar 31, 2011 06:28 GMT  ·  By

Facebook has fixed its HTTP fallback mechanism for users who have the persistent HTTPS option turned on and are trying to use apps that don't support it. Back in January, Facebook introduced a setting which allows users to have full-session HTTPS turned on automatically when they log in.

However, the implementation was lacking in several respects, including the fact that most apps and Facebook Chat did not work over such secure connections.

Trying to use an unsupported app gave users the option to switch back to HTTP, but also cleared the persistent HTTPS setting under Account Security without any warning.

Since then Facebook has been working with application developers to help them add support for HTTPS, and has also fixed its own chat problem.

In addition, the HTTP fallback mechanism was improved: switching to unencrypted connections is now only temporary, lasting until the user re-authenticates.

During temporary HTTP use the Account Security section displays a message reading: "You have temporarily turned off secure browsing in order to access an unsupported application."
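The difference between the original and the fixed fallback can be modelled as a question of where the "allow HTTP" decision is stored. The following is an added illustration, not Facebook's code; the class and function names, and the idea of a per-session override flag, are assumptions used to show the two behaviours described above.

```python
"""Model of the two HTTP-fallback behaviours described in the article.

Constructed illustration: names and data model are assumptions, not
Facebook's implementation.
"""
from dataclasses import dataclass

# Message shown in Account Security during a temporary fallback (quoted in the article).
ACCOUNT_SECURITY_MSG = ("You have temporarily turned off secure browsing "
                        "in order to access an unsupported application.")


@dataclass
class Account:
    persistent_https: bool = True   # the user's "Account Security" preference


@dataclass
class Session:
    account: Account
    https_override: bool = False    # temporary fallback, scoped to this session only


def use_app_old(session: Session, app_supports_https: bool) -> bool:
    """Original behaviour: falling back silently cleared the persistent setting.
    Returns True if the app is now being used over plain HTTP."""
    if not app_supports_https and session.account.persistent_https:
        session.account.persistent_https = False   # the bug: preference lost for good
    return not session.account.persistent_https


def use_app_new(session: Session, app_supports_https: bool) -> bool:
    """Fixed behaviour: fallback sets a per-session override; the preference is untouched."""
    if not app_supports_https and session.account.persistent_https:
        session.https_override = True
    return session.https_override or not session.account.persistent_https


def reauthenticate(account: Account) -> Session:
    """A fresh login starts a new session, so any temporary override is dropped."""
    return Session(account)


def is_secure(session: Session) -> bool:
    """Effective transport: secure only if the preference is on and no override is active."""
    return session.account.persistent_https and not session.https_override


def account_security_message(session: Session) -> str:
    """What the Account Security section should display for this session."""
    if session.account.persistent_https and session.https_override:
        return ACCOUNT_SECURITY_MSG
    return ""
```

With the old behaviour the preference stays off even after logging in again; with the new one the next login is back on HTTPS and the warning disappears.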

Seeing Facebook's HTTPS support progressing is very encouraging and should help people protect themselves against session hijacking attacks.

HTTPS is also critically important for privacy, especially in countries where the government has control over the Internet infrastructure and engages in mass surveillance.

One clear example of this was during the Tunisian pro-democracy protests that eventually led to the ousting of former president Zine El Abidine Ben Ali. The Tunisian Internet Authority used its power to launch mass phishing attacks in an attempt to unmask activists and delete anti-government messages posted online.

Facebook plans to eventually have HTTPS turned on by default for all users. Twitter also added HTTPS support recently and is working towards the same goal.