Facebook turns on HTTPS to block WiFi hijacking

Facebook announced Wednesday it would begin supporting a feature to protect users from having their accounts hijacked over WiFi connections or snooped on by schools and businesses.

Facebook users will now have the option of using Facebook over HTTPS, the encryption protocol used to protect online banking sessions and user logins for services of all kinds on the Web.

The announcement comes just a day after Mark Zuckerberg's own account was seemingly hijacked.

Currently, Facebook only uses HTTPS to send a user's password to the company, and the Facebook.com homepage itself doesn't use HTTPS. The dangers of that design decision became very clear earlier this month when the Tunisian government, via the country's largest ISP, inserted rogue JavaScript into the HTML of Facebook.com's homepage as users loaded it, in order to steal the passwords of activists. It used those passwords to delete accounts and pages critical of the regime.

The change is intended to give users a way to protect themselves from WiFi snoopers, who can sniff packets going over unsecured WiFi. This lets them watch what a user is doing on Facebook (or on any site not using HTTPS) and even log in to the user's account and impersonate them on Facebook temporarily.

It's not clear whether the option would have prevented the hijacking of Zuckerberg's account, but it almost certainly would have prevented Tunisia's snooping on users who had the protection option turned on.

Computer security researcher Christopher Soghoian notes that the move also comes a full year after FTC Commissioner Pamela Jones Harbour called for more sites to start using HTTPS by default.

"Even though that is a decade in Internet time, it is still pretty quick in terms of a firm responding to pressure from regulators," Soghoian said in an e-mail.

"Of course, I would be even happier if Facebook deployed HTTPS by default, or if it at least provided users with notice when they log in that the option exists," he added. "Similarly, Facebook could auto-detect when users try to log in from a Starbucks WiFi connection, and shift them to HTTPS by default."

Currently, Google's Gmail is the only major Internet service to use HTTPS by default for all users; Hotmail and Google's search page can be used over HTTPS, but it isn't the default.

So-called session hijacking was made even easier in October 2010 with the release of a Firefox plugin called Firesheep, which made it simple for anyone to perform this kind of hijacking.
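As an added example (not code from the article or from Facebook), the following Python simulates why a logged-in session is readable to a WiFi sniffer over plain HTTP and how the Secure cookie attribute, combined with serving pages over HTTPS, closes that gap; the session token, hostnames and URLs are constructed placeholders.

```python
from http.cookies import SimpleCookie
from urllib.parse import urlsplit

# Constructed placeholder standing in for a real logged-in session id.
SESSION_TOKEN = "constructed-session-token-0001"


def set_cookie_header(token, secure):
    """Build the Set-Cookie value a site would send after login.

    HttpOnly keeps the token out of reach of script injected into the page
    (the Tunisian trick); Secure tells the browser to attach the cookie to
    https:// requests only, so a plain http:// page load never carries it."""
    c = SimpleCookie()
    c["session"] = token
    c["session"]["path"] = "/"
    c["session"]["httponly"] = True
    if secure:
        c["session"]["secure"] = True
    return c["session"].OutputString()


def browser_request(set_cookie, url):
    """Simulate the browser rule (RFC 6265 section 5.4): a cookie marked
    Secure is sent only when the request URL scheme is https."""
    c = SimpleCookie()
    c.load(set_cookie)
    morsel = c["session"]
    parts = urlsplit(url)
    headers = {"Host": parts.hostname}
    if parts.scheme == "https" or not morsel["secure"]:
        headers["Cookie"] = f"session={morsel.value}"
    return headers


def on_the_wire(url, headers):
    """What a passive listener on the same open WiFi can read: every header
    of a plain HTTP request, but only the hostname (via TLS SNI) for HTTPS."""
    if urlsplit(url).scheme == "https":
        return {"Host": headers["Host"]}
    return dict(headers)


def token_exposed(set_cookie, url):
    """Audit check: does this cookie policy leak the session on this URL?"""
    visible = on_the_wire(url, browser_request(set_cookie, url))
    return SESSION_TOKEN in visible.get("Cookie", "")
```

Note that an opt-in HTTPS setting alone is not enough: without the Secure attribute, following any http:// link to the site still sends the cookie in the clear, which is exactly what `token_exposed` reports for the non-Secure policy.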

Facebook security engineer Alex Rice warns, however, that speed and third-party applications could be affected.

"Encrypted pages take longer to load, so you may notice that Facebook is slower using HTTPS," Rice said in a blog post. "In addition, some Facebook features, including many third-party applications, are not currently supported in HTTPS. We'll be working hard to resolve these remaining issues."

The script-injection trickery used in Tunisia is much harder to pull off against an HTTPS page, since it would require the complicity of a Certificate Authority, which would likely be blackballed by the net at large if it were discovered faking a certificate for a site.

Using HTTPS for everything may slow page loading for some users, but Google has found, with its new default of HTTPS for all users, that the encryption isn't nearly as server-intensive as many engineers and companies think it is.

Facebook users will need to find the setting on their Facebook page (Account Settings -> Account Security) to make HTTPS the default for their account. Facebook is rolling it out to all users over the next few weeks.

The option is highly recommended for anyone who uses Facebook over open Wi-Fi or on their school or office connection.

For those who want further protection, try the EFF's HTTPS Everywhere plug-in for Firefox, which forces many sites to use HTTPS. For total protection, investigate using a VPN such as CryptoCloud.

Tags: Facebook, social networks
