
Being properly paranoid, the first things I thought were:
- I had connected to a rogue access point
- I was being man-in-the-middled with a fake certificate
- I had been browsing for 10 minutes before I noticed the error, so there was a good chance someone had seen my activity.
- FUUUUUUU (for those unfamiliar with the meme, see here)
Until it occurred to me to review the browser error in detail:

It turns out that, despite the sense of security I get from browsing the social network over HTTPS, certain components of the page slip out the side and are loaded insecurely. This is to be expected, since webmasters organize a site so that material with no personal value (such as ads, generic site images, etc.) is transmitted in plain text, to reduce the overhead that a secure channel places on the server.
Since I was already digging into it, I decided to analyze what content was being sent in plain text. So I checked the source code of the site, and I was very surprised when I came across the following:

Links external to Facebook that were being transmitted to the user in plain text. WHY? There's no need!!
I understand that the user ends up browsing in plain text anyway when following external links (since not all sites offer HTTPS), but at least while navigating within Facebook they could be kept encrypted.
Here's how it should be:

Facebook should get the insecure content from the original server and embed it within its SSL channel.
However, here's what's happening:

The user is being deceived into believing that all their content is transmitted safely. However, to avoid consuming resources on its servers, Facebook allows a very significant security hole.
So I recommend that you be careful with the information you handle on Facebook, even if you see HTTPS in the title. And when you see an error message in your browser, read it in detail.
Source: Matias Katz

