Friday, May 13, 2011

Stop Cramming HTTPS Down My Throat!

I’m all for secure web browsing, but before you nag me to switch to it on Twitter and Facebook, why don’t you make sure it works properly? After a bit of research, here’s what I know about using HTTPS for Twitter and Facebook. Both websites let you pick HTTPS as an option; however, both are far from perfect in terms of what you give up in the name of security. Almost sounds like the fight against terrorism.

If you opt for HTTPS here are a few issues:

Twitter
  1. HTTPS requires you to log in every time you access Twitter after closing your web browser. This issue takes a while to pop up as cookies expire, but once it starts, you can’t stop it. Anytime you load the Twitter website you have to log in. If you leave your browser open and you use a sharing link on another website then it will log you in fine, but if you close your browser, you will have to log in again. This can be a real pain if you use the Tweet link on other websites, as you will have to log in each time.
  2. Not all Twitter clients use HTTPS anyway, so while your computer browser will use that protocol, other apps on your computer or smartphone might not, so you are only securing one point of entry.
  3. The Twitter mobile website requires you to manually enter HTTPS in order to access it from a mobile phone. While the HTTPS setting allows you to default from HTTP to HTTPS, that only works on a computer browser; it does not work on a mobile browser.
Facebook
  1. The same deal is true here. HTTPS does not allow you to save credentials past a cookie expiration, so after a while you will have to log in to Facebook each time you access the site or use a sharing link from another site.
  2. Same deal here too: not all Facebook clients use HTTPS, so you are only securing one point of access.
  3. I’m not sure about the mobile site, as I didn’t test this.
  4. There are several features that don’t work when using HTTPS:
    • Videos do not play.
    • Some pictures will not appear.
    • You can’t use the new picture uploader that allows you to upload an unlimited number of pictures at a time. Instead, you have to use the old uploader that only allows you to upload 5 pictures at a time after you browse to individually select each one.
    • It won’t print coupons or event tickets.
Again, I’m all for a more secure browsing experience but I’m not willing to give up the experience itself in favor of security. That defeats the purpose. Am I worried about people snooping on my password while I’m at Starbucks and Panera? A little. I figure my iPhone’s connection with these websites is much more of a vulnerability as it is on all the time whereas my laptop connection is only when I launch the apps or browse to the websites.
If these websites want me and everyone else to use HTTPS because it is a more secure connection that will cut down on identity theft, SPAM, etc. then they have to make sure the only difference is HTTPS and not HTTPS that lacks many features of HTTP. Until then, I’m going back to HTTP so I can better enjoy the experience and use these sites to their fullest capability.