Facebook announced Wednesday it would begin supporting a feature to protect users from having their accounts hijacked over WiFi connections or snooped on by schools and businesses.
Facebook users will now have the option of using Facebook over HTTPS, the encryption protocol used to protect online banking sessions and user logins for services of all kinds on the Web.
The announcement comes just a day after Mark Zuckerberg’s own account was seemingly hijacked.
The change is intended to give users a way to protect themselves from WiFi snoopers, who can sniff packets going over unsecured WiFi. This lets them watch what a user is doing on Facebook (or any site not using HTTPS) and even log in to the user’s account and pretend to be them on Facebook temporarily.
It’s not clear if the option would have prevented the hijacking of Zuckerberg’s account, but it almost certainly would have prevented Tunisia’s snooping on users if they had the protection option turned on.
Computer security researcher Christopher Soghoian notes that the move also comes a full year after FTC Commissioner Pamela Jones Harbour called for more sites to start using HTTPS by default.
“Even though that is a decade in Internet time, it is still pretty quick in terms of a firm responding to pressure from regulators,” Soghoian said in an e-mail.
“Of course, I would be even happier if Facebook deployed HTTPS by default, or if it at least provided users with notice when they log in that the option exists,” he added. “Similarly, Facebook could auto-detect when users try to log in from a Starbucks WiFi connection, and shift them to HTTPS by default.”
Currently, Google’s Gmail is the only major Internet service to use HTTPS by default; Hotmail and Google’s search page can be used with HTTPS, but it’s not the default.
So-called session hijacking was made even easier in October 2010 with the release of Firesheep, a Firefox plugin that made it simple for anyone to perform this hijacking.
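As an added illustration, not from the article or from Facebook’s own code, and going one step beyond it: the session cookie is what a WiFi sniffer captures, and merely offering HTTPS does not stop a browser from sending that cookie over a plain http:// request unless the site also marks the cookie Secure. The script below uses Python’s standard cookie jar, with a constructed cookie for the hypothetical host www.example.com, to show what would cross the wire in each case.

```python
import urllib.request
from http.cookiejar import Cookie, CookieJar

# Constructed session cookie for a hypothetical site; the host, cookie name
# and value are made up for this illustration.
SITE_HOST = "www.example.com"


def make_session_cookie(value: str, secure: bool) -> Cookie:
    """Build a Netscape-style session cookie scoped to SITE_HOST.

    secure=True models the 'Secure' attribute a server sets with
    'Set-Cookie: sid=...; Secure', which tells the browser to send the
    cookie only over HTTPS.
    """
    return Cookie(
        version=0, name="sid", value=value,
        port=None, port_specified=False,
        domain=SITE_HOST, domain_specified=True, domain_initial_dot=False,
        path="/", path_specified=True,
        secure=secure, expires=None, discard=True,
        comment=None, comment_url=None, rest={},
    )


def cookie_header_for(cookie: Cookie, url: str):
    """Return the Cookie header a standards-compliant client would attach to
    a request for url, or None if the jar withholds the cookie."""
    jar = CookieJar()
    jar.set_cookie(cookie)
    req = urllib.request.Request(url)
    # Applies the same Secure / domain / path rules a browser applies.
    jar.add_cookie_header(req)
    return req.get_header("Cookie")


def leak_report(value: str = "s3ss10n-t0k3n") -> dict:
    """For both cookie variants, record what goes out on a plain http://
    request (what a WiFi sniffer sees) versus an https:// request."""
    http_url = f"http://{SITE_HOST}/home"
    https_url = f"https://{SITE_HOST}/home"
    report = {}
    for label, secure in (("no-secure-flag", False), ("secure-flag", True)):
        c = make_session_cookie(value, secure)
        report[label] = {
            "http": cookie_header_for(c, http_url),
            "https": cookie_header_for(c, https_url),
        }
    return report


if __name__ == "__main__":
    for label, sent in leak_report().items():
        print(f"{label:16} http -> {sent['http']!r:22} https -> {sent['https']!r}")
```

Only the cookie carrying the Secure attribute is withheld from the unencrypted request; the other one is sent in the clear, which is exactly the token a Firesheep-style sniffer would replay.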
Facebook security engineer Alex Rice warns, however, that speed and third-party applications could be affected.
“Encrypted pages take longer to load, so you may notice that Facebook is slower using HTTPS,” Rice said in a blog post. “In addition, some Facebook features, including many third-party applications, are not currently supported in HTTPS. We’ll be working hard to resolve these remaining issues.”
That trickery is much harder to pull off against an HTTPS page, since it would require the complicity of a Certificate Authority, which would likely be blackballed by the Net at large if it were discovered faking a certificate for a site.
Always using HTTPS may slow page loading for some users, but Google has found, after making HTTPS the default for all of its users, that the encryption isn’t nearly as server-intensive as many engineers and companies think it is.
Facebook users will need to find the setting on their Facebook page (Account Settings->Account Security) to make it the default for their account. Facebook is rolling it out for all users over the next few weeks.
The option is highly recommended for anyone who uses Facebook over open Wi-Fi or on their school or office connection.
For those who want further protection, try the EFF’s HTTPS Everywhere plug-in for Firefox, which forces many sites to use HTTPS. For total protection, investigate using a VPN such as CryptoCloud.