Naked Security

Facebook opens up but there’s no support for HTTPS

Facebook has opened the internet up to users in India and other countries but says it won't immediately allow HTTPS.

After facing a heap of criticism for running roughshod over the principles of net neutrality, Facebook has announced that its platform – which aims to deliver free internet to new users in India and other countries – will now be a more open initiative.

The platform – which allows mobile users to access the web for free if they are using the Opera web browser or select Android apps – originally intended to limit the number of sites in its “walled garden” to 38, including Facebook, Wikipedia, health, news and sports sites.

But such a limitation on the number of accessible apps and services led to protests – activists suggested that limiting access to some apps and sites over others violates the principles of net neutrality that Facebook itself says it supports – and a number of businesses in India pulled out of the scheme.

Now any website could, potentially, be accepted into the platform and hence accessed for free, said CEO Mark Zuckerberg in an announcement yesterday.

But there are some caveats to the opening up of

  • Included services “should encourage exploration of the broader internet wherever possible,” – a phrase that likely implies that locking users into apps will not be permissible.
  • Apps and sites must be efficient, presumably to keep costs down. Facebook notes that sites requiring high levels of bandwidth will not be included, meaning no downloads, high resolution photos, video files or VOIP.
  • Included sites and services must meet certain technical specifications, which means no Java, Flash, JavaScript or, far more crucially, HTTPS/SSL or TLS.

So, while the platform is moving away from one avenue of criticism, it may be moving toward another.

Residents of India, Colombia, Ghana, Indonesia, Kenya, Philippines, Tanzania and Zambia may well be pleased to see the opening up of the initiative to potentially include far more apps and sites, but will they be so happy to risk their privacy with the dropping of encryption?

Possibly not, but it seems they may not need to be concerned for too long.

Coder Frederic Jacobs took to competing social network Twitter to publish a short conversation he had with Zuckerberg about why SSL was not supported.

Jacobs put it to Zuckerberg that:

Not allowing HTTPS traffic is a pretty lame move. Can you explain the reasoning behind it? Poor people don't deserve privacy? Goal is to be compliant with local authorities? In the announcement post you're claiming that it's because you don't want to be proxying/MitM traffic but why would you have to?

Facebook’s CEO replied that the lack of support for HTTPS/SSL was only temporary and that engineers were still working on it:

We're going to support HTTPS and SSL. We still need to do some work to make this work on all phones and browsers - so that's why our docs say it's not currently available - but we're going to make this happen soon.

For the time being, however, data across the platform could be sniffed by telecoms operators and governments, and Facebook has confirmed that it is currently able to track users’ activity, with VP of product Chris Daniels telling the Hindustan Times that:

Yes, we do know what users are accessing. We do have some of that information. But all of it is governed by Facebook's standard data policies.

Daniels also denied that the platform breaches net neutrality principles, saying that “the purest definition of net neutrality shouldn’t be used to deny people access to the internet”.
