Bug 13347 - security: Facebook config should use https URLs for Connect authentication
Status: RESOLVED INVALID
Product: MySqueezebox.com
Classification: Unclassified
Component: App Gallery
Version: unspecified
Hardware: PC Other
Importance: -- enhancement with 2 votes
Target Milestone: Future
Assigned To: Andy Grundman
Depends on:
Blocks:
Reported: 2009-08-11 21:14 UTC by Peter Watkins
Modified: 2013-10-11 13:50 UTC

See Also:
Category: ---


Attachments
screenshot of FB settings page for https (44.85 KB, image/jpeg)
2011-04-19 15:44 UTC, Paul Chandler

Description Peter Watkins 2009-08-11 21:14:57 UTC
Comment 1 Peter Watkins 2009-08-11 21:17:06 UTC
The test.squeezenetwork.com App Gallery uses a Facebook Connect button that spawns an http:-based popup from Facebook. If I recall correctly, it is possible to use an https:-based Connect address so the FB users have more reason to trust the popup's request for their FB username & password.
Comment 2 Andy Grundman 2009-08-11 21:19:09 UTC
I'll check on that, but you know Facebook's own site does not use SSL for login.
Comment 3 Andy Grundman 2009-08-12 05:38:23 UTC
http://wiki.developers.facebook.com/index.php/Facebook_Connect_Via_SSL

"Please note that Facebook ALWAYS sends user login credentials over the wire in SSL, regardless of which include you use. The protocol for the include is simply for loading the static resources, which don't contain secure data. The only reason you would need to do the above is because your site already uses SSL, and you want to avoid mixed content warnings."

Since our page doesn't use SSL, we can't load the Connect stuff with SSL. It's a fair point that maybe we should deliver these pages with SSL but I think that's probably out of scope for now.
Comment 4 Peter Watkins 2009-08-12 18:16:57 UTC
Can't use it -- are you sure about that? It says no http JS if you're running https, but I don't see anything saying no https if you run http.

Always uses SSL/TLS: if the popup login page isn't delivered with https, Facebook can't be sure that the end user is seeing a FB form that hasn't been tampered with. It's funny, that page you cite in one spot says that "the only reason" to use the https JS URL is for a better user experience (avoid mixed content warnings), but in another admits that "SSL is designed to prevent a man-in-the-middle attack".

FB doesn't use https: a few years ago, my bank's web site was like Facebook's -- its main page delivered over plain http, with the FORM ACTION specifying that my password be posted over https. Now my bank only asks for passwords on https pages, because it's important to protect the login form from MITM attacks.

MITM attacks on password forms can be very subtle; an attacker could probably attach onchange/onblur handlers to the text input fields and use IMG beacons to transmit login credentials to a 3rd-party server without breaking the login form. An MITM could even use keydown events to catch more data -- if the user started to enter a password to a different site, but cleared & fixed the password before submitting to FB, a keydown approach would give the attacker that password, even though FB would never see it.

I'd suggest you try simply changing the SCRIPT FB reference to https. If it works, great. If not, maybe punt until later?

Thanks.
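The check Comment 4 is really asking for (does the page that hosts the login flow pull any script, frame or form target over plain http?) is easy to automate. The following is an added example, not code from this bug report or from the MySqueezebox.com/App Gallery project: a small scanner built on Python's standard-library HTMLParser that reports every script include, iframe, stylesheet link or form action referenced with an http: or protocol-relative URL. The hostnames in the sample page are constructed placeholders, not the real Connect or App Gallery URLs.

```python
"""Added example (not the bug tracker's or the project's code): flag insecure
http: references in an HTML page that handles a login flow.

Rationale: any script, frame or form action loaded over plain http can be
rewritten by a network attacker, so a page that hosts a credential form should
reference only https URLs. Sample input below is constructed.
"""
from html.parser import HTMLParser

# Elements whose URL attribute either loads active content or receives
# submitted form data. A plain-http reference in any of them is a finding.
_URL_ATTRS = {
    "script": "src",
    "iframe": "src",
    "form": "action",
    "link": "href",   # stylesheets can also inject content
}


class InsecureRefFinder(HTMLParser):
    """Collects (tag, url) pairs whose URL is http: or protocol-relative (//)."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attr = _URL_ATTRS.get(tag)
        if attr is None:
            return
        url = dict(attrs).get(attr)
        if url is None:
            return
        lowered = url.strip().lower()
        # A protocol-relative URL inherits the page's own scheme, so it is
        # only as safe as the page: on an http page it resolves to http.
        if lowered.startswith("http:") or lowered.startswith("//"):
            self.findings.append((tag, url))


def find_insecure_refs(html):
    """Return the list of (tag, url) insecure references found in `html`."""
    parser = InsecureRefFinder()
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample page: one Connect-style script pulled over http, one
# over https, a login form posting over http, and a protocol-relative iframe.
SAMPLE_PAGE = """
<html><body>
<script src="http://static.example.invalid/connect.js"></script>
<script src="https://static.example.invalid/other.js"></script>
<form action="http://login.example.invalid/auth" method="post">
  <input name="user"><input name="pass" type="password">
</form>
<iframe src="//widgets.example.invalid/frame"></iframe>
</body></html>
"""

if __name__ == "__main__":
    for tag, url in find_insecure_refs(SAMPLE_PAGE):
        print(f"insecure {tag} reference: {url}")
```

Run against a saved copy of the page under discussion, the scanner lists exactly the references that should be switched to https; the https script in the sample is correctly left alone. Protocol-relative URLs are reported because, on a page itself served over http, they resolve to http.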
Comment 5 Paul Chandler 2011-04-19 15:44:12 UTC
Created attachment 7237 [details]
screenshot of FB settings page for https

If I choose the setting in Facebook for "use https when possible" it breaks the FB app--at least when it tries to load the fb pictures
Comment 6 Paul Chandler 2011-04-19 15:45:53 UTC
There is a setting in Facebook to use secure connection whenever possible (https)
When I use this setting, the Facebook app in Squeezebox cannot load the facebook photos (gets an error message)

The news feed still works correctly in the app, but not in the screen-saver version
Comment 7 Michael Herger 2013-10-11 13:50:05 UTC
Facebook is gone.