Six Lines

Facebook and HTTPS

Posted by Aaron Massey on 02 Feb 2011.

Looks like Facebook decided to announce the availability of an account option to enable HTTPS throughout your browsing session rather than only during login. The announcement coincided with Data Privacy Day 2011, which makes it a good public relations move in addition to a solid improvement for the security and privacy of Facebook users. For example, it closes the Firesheep-style hijacking attack, in which someone on the same network captures the session cookie from a plaintext HTTP request and replays it to impersonate the user. As the Wired article about this announcement says:

Currently Facebook only uses HTTPS to send a user’s password to the company and the Facebook.com homepage doesn’t use HTTPS. The dangers of that design decision became very clear earlier this month when the Tunisian government, via the country’s largest ISP, inserted rogue JavaScript into the HTML of Facebook.com’s homepage as users loaded it, in order to steal passwords of activists. It used those passwords to delete accounts and pages critical of the regime.

The change is intended to give users a way to protect themselves from Wi-Fi snoopers, who can sniff packets going over unsecured Wi-Fi. This lets them watch what a user is doing on Facebook (or any site not using HTTPS) and even log in to the user’s account and pretend to be them on Facebook temporarily.

I agree with Christopher Soghoian, who is quoted in the Wired article. This would be even better if it were enabled by default rather than an option users have to manually enable.
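To make the Firesheep-style sniffing described above concrete, here is an added example (mine, not part of the original post or of Facebook's or Firesheep's code). It shows the two sides of the problem: what a sniffer harvests from a single plaintext HTTP request, and why enabling HTTPS for the session is only half the fix if the session cookie is not marked Secure, since a browser will still attach a non-Secure cookie to any http:// request it makes to the site. The captured request, the host name and the cookie names (sid, user) are constructed for illustration and are not Facebook's.

```python
"""Session hijacking over plaintext HTTP, and the cookie attribute that closes it.

Everything here is a constructed illustration: the captured request, the host
and the cookie names are made up, not real Facebook traffic.
"""
from http.cookies import SimpleCookie
from typing import Dict, List

# Constructed sample of one request a Wi-Fi sniffer could capture from an
# unencrypted session. The cookie names are assumptions for this example.
CAPTURED_REQUEST = (
    "GET /home.php HTTP/1.1\r\n"
    "Host: www.example-social.com\r\n"
    "Cookie: sid=abc123; user=alice\r\n"
    "User-Agent: Mozilla/5.0\r\n"
    "\r\n"
)


def extract_session_cookies(raw_request: str) -> Dict[str, str]:
    """What a Firesheep-style tool needs: just the Cookie header of one
    plaintext request. No password is involved at any point."""
    head = raw_request.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "cookie":
            jar = SimpleCookie()
            jar.load(value.strip())
            return {k: m.value for k, m in jar.items()}
    return {}


def forge_request(path: str, host: str, stolen: Dict[str, str]) -> str:
    """Replay the stolen cookies. The server cannot distinguish this request
    from one the victim's own browser would send."""
    cookie_header = "; ".join(f"{k}={v}" for k, v in stolen.items())
    return f"GET {path} HTTP/1.1\r\nHost: {host}\r\nCookie: {cookie_header}\r\n\r\n"


def cookie_sent_over(url_scheme: str, set_cookie_header: str) -> bool:
    """Would a browser attach the cookie from this Set-Cookie header to a
    request made over url_scheme ("http" or "https")?

    A cookie without the Secure attribute is sent over plain http:// too, so
    an HTTPS-only session is still exposed the moment the browser follows a
    single http:// link to the same site.
    """
    jar = SimpleCookie()
    jar.load(set_cookie_header)
    morsel = next(iter(jar.values()))
    secure = bool(morsel["secure"])  # "" when the flag is absent, True when present
    return url_scheme == "https" or not secure


def audit_set_cookie(set_cookie_header: str) -> List[str]:
    """Defender-side check: report session cookie attributes a site should set
    once it serves the session over HTTPS."""
    jar = SimpleCookie()
    jar.load(set_cookie_header)
    problems: List[str] = []
    for name, morsel in jar.items():
        if not morsel["secure"]:
            problems.append(f"{name}: missing Secure")
        if not morsel["httponly"]:
            problems.append(f"{name}: missing HttpOnly")
    return problems


if __name__ == "__main__":
    stolen = extract_session_cookies(CAPTURED_REQUEST)
    print("harvested from plaintext request:", stolen)
    print(forge_request("/home.php", "www.example-social.com", stolen))
    weak = "sid=abc123; Path=/; HttpOnly"
    fixed = "sid=abc123; Path=/; Secure; HttpOnly"
    print("non-Secure cookie sent over http://?", cookie_sent_over("http", weak))
    print("Secure cookie sent over http://?", cookie_sent_over("http", fixed))
    print("audit of weak header:", audit_set_cookie(weak))
    print("audit of fixed header:", audit_set_cookie(fixed))
```

The takeaway for a site turning on session-wide HTTPS is that the option alone does not finish the job: the session cookie must also carry the Secure attribute, and ideally the site sends an HSTS header so the browser never makes the plaintext request in the first place.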