MyFitnessPal is a simple, social site which helps track food, water and exercise. The web application touts over 1 million foods and, if what you are eating is not listed, you can enter your own nutritional facts. Like many popular social applications, MyFitnessPal uses SSL for the login itself and, like many popular apps, it moves the user AWAY from SSL after logging in. This means everything after login is being sent over the Internet in the clear.
There are a few likely reasons for this. The simplest answer is that they don’t realize that sending information over the Internet without any encryption is a problem. After all, it’s just food data, right? But it’s not only food data. The authentication token (in this case a session cookie) also goes over the wire unencrypted with every request after login, so anyone who can see that traffic (someone on the same open Wi-Fi, for example) can capture the cookie and replay it to act as the logged-in user without ever learning the password.
They may turn it off to decrease load. I’ve heard this argument used before by people. It is true that SSL is ‘more expensive’ on the servers than plain HTTP, but in the age of cloud computing, agile development and devops, SSL should be an easy default.
No matter what the actual reason is, please don’t take this as a slight against MyFitnessPal. Many sites have this issue; if they didn’t, tools like HTTPS Everywhere wouldn’t need to exist to protect user data in transit.
OWASP explains what can happen as well as how to test for it. As far as I know the best fix is to install a custom rule in HTTPS Everywhere to handle this site. Unfortunately most non-technical people may not be able to easily import the following, but this is the rule that I came up with after noticing the lack of SSL post login. The securecookie line marks the site’s cookies as Secure so the browser never sends them over plain HTTP, and the two rule lines rewrite http:// requests for the bare domain and for the www and api hosts to https://:
<securecookie host="^www\.myfitnesspal\.com$" name=".*"/>
<rule from="^http://myfitnesspal\.com/" to="https://myfitnesspal.com/"/>
<rule from="^http://(www|api)\.myfitnesspal\.com/" to="https://$1.myfitnesspal.com/"/>
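The following is an added example, not code from the original post or from MyFitnessPal, that shows both points above offline: why a session cookie that travels over plain HTTP is exposed, and what the rewrite rules change. It uses Python’s standard-library cookie jar as a stand-in for a browser, and translates the two rule regexes from the ruleset’s JavaScript-style $1 back-reference to Python’s \1. The login and diary URLs and the cookie name and value are constructed for illustration; they are not captured from the real site.

```python
"""Offline demonstration of why an unencrypted post-login session matters.

Models a browser cookie jar with Python's standard library:
  1. a session cookie set by an HTTPS login response WITHOUT the Secure flag
     is attached to every later plain-HTTP request (where it can be sniffed);
  2. the same cookie WITH the Secure flag is withheld from HTTP requests;
  3. rewriting the URL to https:// (what the HTTPS Everywhere rules do)
     makes the Secure cookie usable again.

URLs and cookie values below are constructed examples, not captured traffic.
"""
import email.message
import http.cookiejar
import re
import urllib.request


class _FakeResponse:
    """Minimal stand-in for an HTTP response: CookieJar only needs .info()."""

    def __init__(self, set_cookie_values):
        self._headers = email.message.Message()
        for value in set_cookie_values:
            self._headers["Set-Cookie"] = value  # repeated keys accumulate

    def info(self):
        return self._headers


def cookies_sent(set_cookie_values, set_from_url, later_url):
    """Return the cookie names a browser-like jar would attach to later_url
    after receiving set_cookie_values in a response to set_from_url."""
    jar = http.cookiejar.CookieJar()
    jar.extract_cookies(_FakeResponse(set_cookie_values),
                        urllib.request.Request(set_from_url))
    later = urllib.request.Request(later_url)
    jar.add_cookie_header(later)  # applies Secure/domain/path policy
    header = later.get_header("Cookie")
    if not header:
        return []
    return [part.split("=", 1)[0].strip() for part in header.split(";")]


# The two rewrite rules from the HTTPS Everywhere ruleset above, with the
# JavaScript-style "$1" back-reference translated to Python's r"\1".
_RULES = [
    (re.compile(r"^http://myfitnesspal\.com/"), r"https://myfitnesspal.com/"),
    (re.compile(r"^http://(www|api)\.myfitnesspal\.com/"),
     r"https://\1.myfitnesspal.com/"),
]


def rewrite_url(url):
    """Apply the first matching rule; return the URL unchanged if none match."""
    for pattern, replacement in _RULES:
        if pattern.match(url):
            return pattern.sub(replacement, url, count=1)
    return url


# Constructed URLs on the site's domain.
LOGIN_URL = "https://www.myfitnesspal.com/account/login"
DIARY_URL = "http://www.myfitnesspal.com/food/diary"
# Constructed Set-Cookie headers: the first is what a site that drops SSL
# after login typically sends, the second is what it should send.
INSECURE_COOKIE = "_session_id=abc123; Path=/; HttpOnly"
SECURE_COOKIE = "_session_id=abc123; Path=/; Secure; HttpOnly"


if __name__ == "__main__":
    print("no Secure flag, http:// diary:",
          cookies_sent([INSECURE_COOKIE], LOGIN_URL, DIARY_URL))
    print("Secure flag,    http:// diary:",
          cookies_sent([SECURE_COOKIE], LOGIN_URL, DIARY_URL))
    print("Secure flag,  rewritten diary:",
          cookies_sent([SECURE_COOKIE], LOGIN_URL, rewrite_url(DIARY_URL)))
    print("rule does not touch other hosts:",
          rewrite_url("http://blog.myfitnesspal.com/"))
```

Running it shows the cookie leaving on the plain http:// diary request when the Secure flag is absent, being withheld when the flag is present, and being sent again once the URL has been rewritten to https://. The last line is the caveat that matters when writing a ruleset: hosts not named in a rule are left on plain HTTP.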
Be aware, though, that this will NOT protect any data transferred by the mobile applications, which never pass through the browser extension. The real fix has to come from MyFitnessPal themselves: keep the whole session on SSL and mark the session cookie Secure so the browser never sends it over plain HTTP. It looks like at least a few users have asked for the enhancement.
This issue should not stop you from using an application, but do make an informed decision about what data to hand over and which applications to link with. When possible, use tools such as HTTPS Everywhere. At the very least, pay attention to your browser’s URL bar and know when your data is being sent in the clear.