Facebook this week will begin turning on secure browsing be default for its millions of users in North America. The change will make HTTPS the default connection option for all Facebook sessions for those users, a shift that gives them a good baseline level of security and will help prevent some common attacks.
Facebook users have had the option of turning on HTTPS since early 2011 when the company reacted to attention surrounding the Firesheep attacks. However, the technology was not enabled by default and users have had to in and manually make the change in order to get the better protection of HTTPS.
Now, users will have to manually turn HTTPS off if they don’t want it, a distinction that is a major change, especially for Facebook’s massive user base, which has become a major target for attackers.
“As announced last year, we are moving to HTTPS for all users. This week, we’re starting to roll out HTTPS for all North America users and will be soon rolling out to the rest of the world,” the company said on its developer site.
The use of HTTPS by default is a significant change for Facebook, a site that handles millions and millions of Web requests every day, just from its North American users alone, and is under constant attack by hackers. One of the common techniques used to compromise many users is a man-in-the-middle attack, through which attackers intercept traffic between a client and the server for which it’s intended. This attack is made much easier when that traffic is unencrypted and attackers don’t need to do anything fancy in order to get to it.
HTTPS encrypts the connection between the user’s machine and the server on the other end, obscuring it from attackers, even if they are able to sniff the traffic on the wire or on a wireless connection. The technology is by no means a cure-all for Web-based attacks, however, as there have been demonstrations of attacks that enable third parties to snoop on encrypted traffic and grab valuable data, such as usernames and passwords or financial information. In 2011 a pair of researchers developed a technique called the BEAST attack that essentially broke the confidentiality model of SSL–the encryption protocol used for HTTPS connections–by enabling attackers to steal and decrypt secure cookies.
Using HTTPS also won’t protect you if there is malware on your machine that’s capable of logging keystrokes. But it is an important change for a leading site such as Facebook, something that has become not just a social network but also an e-commerce platform. There are a number of other changes that users can make on their profiles and in their interactions with the site to help secure Facebook. See our How to Secure Facebook video for more suggestions.