With the release of Firesheep the Firefox add on HTTPS Everywhere has increased in popularity as it helps ensure that your Facebook session is encrypted. Using Facebook over https breaks the chat on Facebook however.

The other day a friend of mine initiated a chat with me on Facebook. Imagine my surprise since I was using Firefox with HTTPS Everywhere. It turns out that blog.facebook.com does not support SSL. In the unencrypted tab or window Facebook chat works if you allow the page to write to your cookie.

I’m not entirely certain how it is working, but Facebook was able to manipulate the encrypted cookie without Firesheep being able to capture it. At the same time Facebook chat became functional.

I’ll have to look into this a bit more to be able to say you can safely do this with respect to sidejacking. Firesheep is a pretty small automated program and it is still possible that reading the Facebook blog while logged into Facebook on an encrypted connection is not safe.

Perhaps one of the security experts from Facebook would like to explain what’s happening and if there is any risk.

Randy Abrams
Director of Technical Education
ESET LLC