Security Culture

Most websites today run on non-secure connections (http instead of https) most of the time, and for a lot of content that's just fine. Browsing pictures of cheeseburger-craving cats doesn't require a secure connection as long as the user isn't logged in or sharing anything sensitive. Even e-commerce sites usually only use secure connections for the actual transactions: no one cares what shoes you're looking at, but they might be interested in your credit card information, so it's the credit card transaction that e-commerce sites protect by forcing a secure connection.

This minimalist approach to security has been driven partly by user indifference but also partly because SSL certificates (which let a site prove its identity to the browser and serve its pages over an encrypted connection) have historically been fairly expensive, though that is now changing rapidly. After all, why spend the money on a certificate for your site if it's not necessary and your users won't derive any tangible benefit from it? So while a minority of internet users might have preferred to browse in secure mode all the time, it simply wasn't an option on many websites.

All of this is interesting if you're into tech trivia but not something most developers have spent a lot of time thinking about. For social media developers, however, that's changing, and changing fast. Facebook has recently announced that it will require all app developers in its ecosystem to be able to serve both secure and non-secure versions of each tab. It has also introduced a 'secure browsing mode' which lets users check a box once and have their entire Facebook experience automatically shifted from http to https.

Facebook is dealing with user privacy concerns by encouraging people to browse in “secure” mode.

The shift is part of their drive to reassure a public that largely doesn’t understand security issues online but has heard scary stories about data mining on Facebook.

Ironically, shifting people playing Farmville or browsing friends' pictures into https mode won't address the privacy worry that has users spooked in the first place, since it's Facebook itself, not mysterious hackers exploiting unsecured connections, doing the data mining. What https does protect against is the eavesdropper on the same open Wi-Fi network: on a plain http connection that person can read every page the user loads and copy the session cookie that proves the user is logged in, so the benefit is real, it's just a different one from the one users think they're getting.

I'm reminded of former US Secretary of the Treasury John Bowden Connally's infamous comment to our West German allies after America abandoned the gold standard that "the dollar is our currency and your problem." The Germans had been upset about America's shift away from the gold standard for our currency impacting their economy because the decrease in the dollar's value made German imports more expensive for Americans to buy and American exports cheaper to import, throwing their entire economy out of balance. Connally's point was that the US was going to do whatever was best for American exports and didn't much care about the impacts on other nations. Similarly, Facebook is going to do whatever they need to do to address their PR concerns and if we want to play ball with them we have to play by their rules. Sure it sounds harsh, but it's also pragmatic. And really, it's an easy switch to make.

Serving content to users in secure browsing mode is a particularly big deal because, at the time of writing, Firefox, Chrome and Safari will still load non-secure remote images and Flash objects into an https page, but Internet Explorer will not. So if you're pulling remote content into a Facebook tab and aren't calling that content securely, it will simply not appear for a large portion of the internet-viewing public. (Browsers have since tightened this considerably: every major browser now blocks mixed active content such as scripts and plugins outright, and images referenced over plain http are increasingly upgraded or blocked too, so the safe assumption today is that nothing loaded over http will render inside an https page in any browser.)
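The practical fix for both points above, serving one set of markup under http and https and keeping mixed content out of the https version, is to audit every resource reference before it goes into the tab. The following is an added example written for this page, not code from the original post or from Facebook's platform: it flags references that would be mixed content on an https page, rewrites absolute http references to https, and leaves protocol-relative and relative references alone because they already follow the page's scheme. The host names and the sample markup are constructed for illustration.

```javascript
// Added example, not code from the original post or from Facebook: detect
// resource references that would be "mixed content" on a tab served over
// https, and rewrite them so the same markup works under both schemes.
// Assumes resource references are absolute, protocol-relative or relative;
// the host names and markup below are constructed for illustration.

/**
 * Decide how a single resource reference should be emitted for a page at
 * `pageUrl`. Returns { mixed, url }: `mixed` is true when the reference
 * would load plain http into an https page; `url` is the reference to use
 * (unchanged when already safe, rewritten to https otherwise).
 */
function fixResourceUrl(pageUrl, resourceUrl) {
  // Protocol-relative references (//host/path) inherit the page's scheme,
  // so one copy of the markup serves both the http and the https tab.
  if (resourceUrl.startsWith('//')) {
    return { mixed: false, url: resourceUrl };
  }
  let resource;
  try {
    // Relative references resolve against the page and share its scheme.
    resource = new URL(resourceUrl, pageUrl);
  } catch (e) {
    // Not a URL we can reason about (template placeholder, junk): leave it.
    return { mixed: false, url: resourceUrl };
  }
  const page = new URL(pageUrl);
  if (page.protocol === 'https:' && resource.protocol === 'http:') {
    // Only correct if the host actually serves the same content over TLS;
    // a rewritten reference to a host with no certificate still fails.
    resource.protocol = 'https:';
    return { mixed: true, url: resource.toString() };
  }
  return { mixed: false, url: resourceUrl };
}

// Matches src=, href= and data= (the <object data=...> used for Flash).
const ATTR_RE = /(^|\s)(src|href|data)=(["'])([^"']*)\3/gi;

/**
 * Scan a fragment of tab markup and rewrite every mixed reference.
 * Returns { html, findings } where `findings` lists each rewrite so the
 * developer can see what would have been blocked.
 */
function rewriteMixedContent(pageUrl, html) {
  const findings = [];
  const out = html.replace(ATTR_RE, (m, pre, attr, quote, value) => {
    const { mixed, url } = fixResourceUrl(pageUrl, value);
    if (mixed) {
      findings.push({ attr: attr.toLowerCase(), from: value, to: url });
    }
    return `${pre}${attr}=${quote}${mixed ? url : value}${quote}`;
  });
  return { html: out, findings };
}

// Constructed sample: a tab fragment with one safe image, two mixed
// references (an http image and an http Flash object) and a relative link.
const SAMPLE_HTML = [
  '<img src="//cdn.example.com/logo.png">',
  '<img src="http://cdn.example.com/banner.png">',
  '<object data="http://cdn.example.com/game.swf" type="application/x-shockwave-flash"></object>',
  '<a href="/tab/rules">Rules</a>',
].join('\n');

const result = rewriteMixedContent('https://apps.example.com/tab', SAMPLE_HTML);
console.log(`${result.findings.length} mixed reference(s) rewritten`);
for (const f of result.findings) {
  console.log(`  ${f.attr}: ${f.from} -> ${f.to}`);
}
```

Run this over the markup for each tab (or wire `fixResourceUrl` into whatever templating step emits resource URLs) and treat a non-empty `findings` list as a build failure. The rewrite is only safe when the remote host genuinely serves the same content over https; when it does not, the reference has to be moved to a host that does, because there is no client-side trick that makes an https page load plain http content in a browser that blocks it.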

For developers, the big challenge as we navigate the constantly shifting social media ecosystem is keeping our user experiences consistent and consistently positive. Cross-browser display issues for secure users might seem like an edge case at first, but they are going to affect a growing number of users in the coming months and years, so they're worth paying attention to.

Have questions, comments, or funny stories about security issues on Facebook? I’d love to hear from you!