4

I was wondering if chat messages on Facebook are sent plain text, or whether they are encrypted in some way. The address bar in browser looks like this

https://www.facebook.com

(notice the https), but are the AJAX requests used by chat also sent over https?

And since my understanding of https is a bit shoddy, what would using https for chat actually mean in terms of encryption? Would there be encryption for incoming messages, outgoing messages, or both (or neither)?

Basically what I'm curious is, can a middle man (a router for example) read any of the messages on Facebook chat?

I took a peek with Wireshark and I couldn't see any plain text message. Everything Facebook related was going through TLS/SSL. It appears that, at least in my case, everything was encrypted. I would, however, appreciate if someone more knowledgeable could confirm this.

Novotny
  • 43
  • 4

1 Answers1

2

I took a peek with Wireshark and I couldn't see any plain text message. Everything Facebook related was going through TLS/SSL. It appears that, at least in my case, everything was encrypted. I would, however, appreciate if someone more knowledgeable could confirm this.

That would be exactly what I would do to test whether my browser is sending plaintext messages from some webapp. Yet, since you are on a page that is connected over HTTPS the AJAX call must be made through HTTPS thanks to the same origin policy. There is an old (but still actual) question on SO about it.

If you look at the comments on that question you will also see a reference to the CORS spec which argues the following about Cross Site Resource Sharing:

user agents are allowed to terminate the algorithm and not make a request. This could be done because e.g.:

...

  • https to http is not allowed.

Now, this part of your question is another story:

And since my understanding of https is a bit shoddy, what would using https for chat actually mean in terms of encryption? Would there be encryption for incoming messages, outgoing messages, or both (or neither)?

For the encryption part I'll simply refer you to the relevant SO question.

For the "shoddy" part you probably mean the (quite) famous sslstrip attack by Moxie Marlinspike. It is a MITM which fakes to your browser who it is actually talking to, it is an attack that requires the attacker to have control of the network you are on. HSTS is being widely implemented these days (facebook uses it) therefore sslstip is becoming less of an issue. And we also have a reference question for sslstrip.

References:

Community
  • 1
grochmal
  • 5,677
  • 2
  • 19
  • 30