Facebook FAIL
I’m sitting at a coffee shop in the Mission District in San Francisco and experimenting with Firesheep. I knew about the “cookie fail” for quite some time now, but never took the time to exploit it (unless we’re talking about my roommates) and luckily someone did the job for me.
now, the Firesheep exploit itself is a huge fail on behalf of many social networks, but Facebook takes their fail to a whole new level:
the obvious thing to offer your users (at least on demand) is https. and you can do that most of the time at the majority of the pages. now go and try this at Facebook. seriously, go and try. it works! now go click on any link. it doesn’t matter which one. just click.
it’s magic! you’re no longer using a secure protocol. not only does Facebook not default to https, even when you demand it, The Social Network decides you’re better off browsing their way.
FAIL.
m
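A way to check a site for the downgrade described above, as an added example that is not part of the original post: given a page fetched over https, it lists the links and form targets that lead back to plain http on the same site, and the cookies set without the `Secure` attribute, which the browser will then send in the clear. The site `example.test`, the sample response and all function names are constructed for illustration.

```python
from html.parser import HTMLParser
from http.cookies import SimpleCookie
from urllib.parse import urljoin, urlsplit


class _UrlCollector(HTMLParser):
    """Collects every URL a click or form submit on the page can navigate to."""
    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if tag in ("a", "form") and name in ("href", "action") and value:
                self.urls.append(value)


def downgrade_links(page_url, html, site):
    """Links on an HTTPS page that lead back to plain HTTP on the same site."""
    if urlsplit(page_url).scheme != "https":
        raise ValueError("page_url must be the https:// address the page came from")
    collector = _UrlCollector()
    collector.feed(html)
    flagged = []
    for raw in collector.urls:
        target = urlsplit(urljoin(page_url, raw))  # relative links inherit https
        host = target.hostname or ""
        same_site = host == site or host.endswith("." + site)
        if target.scheme == "http" and same_site:
            flagged.append(target.geturl())
    return flagged


def cookies_without_secure(set_cookie_headers):
    """Names of cookies the browser will also send over plain HTTP."""
    names = []
    for header in set_cookie_headers:
        jar = SimpleCookie()
        jar.load(header)
        names += [name for name, morsel in jar.items() if not morsel["secure"]]
    return names


# Constructed sample response from a hypothetical site, example.test.
SAMPLE_HTML = """
<a href="/settings">settings</a>
<a href="http://www.example.test/profile">profile</a>
<a href="//www.example.test/photos">photos</a>
<a href="http://cdn.other.test/help">help</a>
<form action="http://example.test/search"></form>
"""
SAMPLE_COOKIES = ["session=abc123; Path=/; HttpOnly", "locale=en_US; Path=/; Secure"]
```

Relative and protocol-relative links stay on https and are not flagged; only absolute `http://` targets on the same site are, since those are the clicks that put the session cookie back on the wire unencrypted.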