NEWS FROM THE LAB - Wednesday, February 23, 2011

Facebook HTTPS: Is Done Better Than Perfect? Posted by Sean @ 20:33 GMT

My Facebook account finally provided me with the option to use an HTTPS connection "whenever possible" last week.

The option is located under the Account Security section of the Account Settings page:

[Screenshot: Facebook Account Security settings]

So I selected the option and saved my changes:

[Screenshot: Facebook Account Security settings with the HTTPS option enabled]

And now, Facebook defaults to a secure HTTPS connection:


Or so I thought… (more on that below).

Today I did a Facebook search for "http:// omg" and came across some spam.

Typical Facebook spam bait — see who stalks your profile:

OMG, see who stalks your profile...it's Working

Clicking the link prompted me with this notification:

Switch to regular connection (http)?

Okay… well, I guess this application can only be viewed with an HTTP connection.

So I clicked the Continue button.

And this is the application's Request for Permission:

[Screenshot: Request for Permission dialog]

Hmm, so just who is the developer of "Who Spends Watching Your Profile?"?

[Screenshot: "Who Spends Watching Your Profile?" application page]

Justn Bieber? Justn?

Right. Well, now we know the target group of this particular spammer.

Justn Bieber seems to spend his time commenting on a Justin Bieber fan page:

[Screenshot: "Justn Bieber" profile]

I reported the spam application to Facebook and moved on…

A bit later, I noticed that my connection was no longer secured:


Wait, what?

I checked my settings:

[Screenshot: Facebook Account Security settings, HTTPS option no longer enabled]

My security settings are undone? But the option is supposed to be "whenever possible", so the earlier prompt about switching to a "regular connection" was just temporary, right?


I tested several times, and each time I found an application that asked me to "continue" to a "regular connection", my default Account Security setting reverted to HTTP.

I'm not the first to notice this. Facebook is aware of the issue and is working to make SSL preferences persistent.

I'm sure there are cynics out there who will say that Facebook does stuff like this deliberately. Personally, I don't think so. I think it's just an oversight on their part.


Take a look at this photo from Facebook HQ:

[Photo: Facebook HQ, signs reading "Move fast and break things" / "Done is better than perfect"]

What do you see? (Not Katy Perry, look again.)

There, above the door. Do you see the words "move fast and break things" and "done is better than perfect"?

And I get it. I do. Facebook is driven to innovate.

They need to in order to grow and stay at the front of social networking (with Google eager to usurp them).

But is done really better than perfect when it comes to Account Security settings?

It doesn't need to be perfect, but personally, I think fully baked is better than half-baked.

Half-baked only causes confusion in the long run.

So then why do we get half-baked results? Frankly, I blame Twitter (in part).


The blogosphere is now the Twittersphere, and when Firesheep started making news last October, the Twittersphere started to tweet. And Facebook? They gave the masses what they were demanding: an HTTPS option.

And it probably doesn't really matter when it's fully baked… the Twittersphere probably won't notice anyway, it will be busy tweeting about the next trending topic.