Facing a wave of criticism for not offering a secured browsing option, Facebook has finally added a new feature to browse the popular social network on a secure connection (https).

However, the https:// browsing is not turned on by default and must be manually activated from an “Account Settings” page on Facebook.
Here’s the company’s explanation:
 
If you’ve ever done your shopping or banking online, you may have noticed a small “lock” icon appear in your address bar, or that the address bar has turned green. This indicates that your browser is using a secure connection (“HTTPS”) to communicate with the website and ensure that the information you send remains private. Facebook currently uses HTTPS whenever your password is sent to us, but today we’re expanding its usage in order to help keep your data even more secure.
Starting today we’ll provide you with the ability to experience Facebook entirely over HTTPS. You should consider enabling this option if you frequently use Facebook from public Internet access points found at coffee shops, airports, libraries or schools.
However, instead of being on by default (as it is with Gmail, for example), Facebook is urging users to activate secure browsing via the “Account Security” section of the Account Settings page.
The new feature will effectively kill tools like Firesheep, which were created to highlight the weaknesses of Web sites that don’t offer a secure browsing option. Firesheep, released as a Firefox plug-in, offered a point-and-click interface to fully compromise Facebook browsing sessions.
Facebook says the new feature may slow down surfing on the site because encrypted sessions typically take longer to load. In addition, some Facebook features, including many third-party applications, are not currently supported in HTTPS, which will cause problems.
The company says it hopes to offer HTTPS as a default setting “sometime in the future.”


Categories: Cryptography, Government, Malware, Social Engineering, Vulnerabilities

Comments (6)

  1. Anonymous

    Just where am I looking again, cuz I looked at “”Account Security” section of the Account Settings page” and saw no such settings.. is this another hoax like facebook shutting down?

  2. Anonymous

    You can enable it, but it doesn’t seem to stick – I’ve had to re-enable it multiple times since I had the option to use it.

  3. Anonymous

    Hardly “Kills.”  More like “Provides an option whereby a small set of users may reclaim a modicum of security.”  But I guess that doesn’t fit on a headline. 

  4. weasel5i2

    Facebook has worked over SSL for quite some time now, it’s just that few people ever bothered to try using “https://” instead of “http://” when going to facebook.com. If Google has it so SSL is required, why can’t FB make it turned on by default? It’s not like they don’t already use SSL to do the initial login, as well as being standard for their OAuth platform.. :-P

    –W5i2

  5. Anonymous

    Go to Account Security section of Account Settings page.  In mine it is just under Privacy.  Click on Change on far right, and you will see the option to check it.

     
