Security Corner

Jan 30 2011   3:09PM GMT

Facebook Enables Always-on HTTPS

Ken Harthun

Street sign in South Africa. Credit: hmvh

Facebook users now have the option to select HTTPS as their connection method after a strange post was discovered on the Facebook fan page under founder Mark Zuckerberg’s name. Though the company maintains that this was due to a bug in the system, they quickly began rolling out the SSL option. This will effectively stop hackers from grabbing user login details and sniffing Facebook sessions when connected through public WiFi.

Previously, Facebook used HTTPS only to send passwords, similar to the way Yahoo! Mail STILL (hint, hint) is doing things. Users will have to manually enable the SSL setting in their account security settings (Account Settings->Account Security) and it doesn’t work with all third-party Facebook applications. It is available in the US, but has not yet been rolled out worldwide. [As of Saturday morning, even US coverage was sporadic, though I was able to change my settings.]

While I applaud this move, I wish they had just implemented HTTPS by default, or at least notified users when they log on that the option is available. They could also sense when the user is logged into an insecure WiFi hotspot and switch automatically to HTTPS. While some might argue that always-on HTTPS will slow page loads for some, Google has found, with its new default of HTTPS for all users, that the encryption isn’t nearly as server-intensive as many engineers and companies think it is. Of course, if you’re always wired to your home network when you log into Facebook, you don’t have to worry about having your session hijacked anyway.

This article in Wired says that for those who want further protection, try the EFF’s HTTPS Everywhere plug-in for Firefox, which forces many sites to use HTTPS. For the totally paranoid out there, investigate using a VPN such as CryptoCloud.
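The gap described above, where HTTPS covers only the password submission, shows up in the login response itself: session cookies without the Secure attribute and a redirect back to plain HTTP. The following is an added example, not code from this post or from Facebook, that audits such a response for a site you operate. The header sets, cookie names and the example.com host are constructed for illustration, and the HSTS check goes one step beyond what the post discusses.

```python
from http.cookies import SimpleCookie

# Constructed sample: headers returned by a login POST that was sent over HTTPS.
LOGIN_ONLY_HTTPS = [
    ("Set-Cookie", "session_id=abc123; Path=/; HttpOnly"),
    ("Set-Cookie", "locale=en_US; Path=/"),
    ("Location", "http://www.example.com/home"),
]
# Constructed sample: the same response from a site that keeps HTTPS on throughout.
ALWAYS_ON_HTTPS = [
    ("Set-Cookie", "session_id=abc123; Path=/; HttpOnly; Secure"),
    ("Set-Cookie", "locale=en_US; Path=/; Secure"),
    ("Location", "https://www.example.com/home"),
    ("Strict-Transport-Security", "max-age=31536000"),
]


def audit_login_response(headers):
    """Return findings that leave the post-login session readable on the wire."""
    findings = []
    seen_hsts = False
    for name, value in headers:
        key = name.lower()
        if key == "set-cookie":
            jar = SimpleCookie()
            jar.load(value)
            for cookie_name, morsel in jar.items():
                # Without Secure the browser also attaches the cookie to http:// requests.
                if not morsel["secure"]:
                    findings.append(f"cookie '{cookie_name}' lacks Secure")
        elif key == "location" and value.lower().startswith("http://"):
            findings.append(f"redirect drops to plain HTTP: {value}")
        elif key == "strict-transport-security":
            seen_hsts = True
    if not seen_hsts:
        findings.append("no Strict-Transport-Security header")
    return findings


if __name__ == "__main__":
    for label, sample in (("login-only", LOGIN_ONLY_HTTPS), ("always-on", ALWAYS_ON_HTTPS)):
        print(label, audit_login_response(sample) or "no findings")
```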
