Posted at 11:05 AM ET, 01/26/2011

Facebook offering site-wide 'HTTPS' security

By Rob Pegoraro

Facebook will allow its users to encrypt their use of the site, an overdue move that would stop eavesdroppers from picking up any information sent to and from the social network.

This may come too late to protect founder Mark Zuckerberg's recently hacked public page, but the rest of us can benefit from it.


The Palo Alto, Calif., company announced the news on its blog. Instead of scrambling only your login -- something that its design obscures by not showing the usual lock icon and "https" address prefix in a browser that you see in the image above -- it will allow users to encrypt their entire session on the site.

That will thwart account hijacking or identity theft through Firesheep and other snooping tools that rely on picking up data sent to and from Facebook after a user's login.

Facebook's blog post warns that enabling this measure once it's available in your account (which may take a few weeks) will have some side effects:

Encrypted pages take longer to load, so you may notice that Facebook is slower using HTTPS. In addition, some Facebook features, including many third-party applications, are not currently supported in HTTPS. We'll be working hard to resolve these remaining issues.

Turn it on anyway when you can, even if that means dumping an incompatible Facebook application.

The post goes on to note that Facebook hopes to make this a default setting -- a good idea that Google adopted for Gmail last year.

The post does not, however, note another security upgrade Facebook seems to have planned. A screen shot on it, showing a green highlight in a browser address bar labeled "Facebook, Inc. (US)," indicates that it will use "extended validation" security, an extra measure of defense against site-impersonation attempts.

(Post Co. chairman Donald E. Graham sits on Facebook's board of directors. I hope he enables the new HTTPS option, too.)

A lot of Web sites remain behind the curve in terms of using security options that have long been available. While it's rare to see a site not require an encrypted "SSL" login, many fumble their implementation of it and few bother setting up "EV" security as Facebook seems to be doing.

You can work around these issues by tinkering with your browser or adding third-party extensions to force an encrypted connection. But it's simpler if the site allows you to use full-session encryption -- and, better yet, takes the decision out of a user's hands by making that a default setting.

Facebook's post also notes an account-validation technique I've seen one or two readers describe in e-mails: When the site suspects an account has been compromised, it will require its user to identify pictures of their current Facebook friends to prove that he or she is the rightful account holder.

Those are good steps for the world's biggest social network. Your privacy relative to other Facebook users, however, remains a lot more complicated.

Categories: Security, Social media


Facebook peaked in 2010, this social networking site has become too large and will soon experience a decline similar to Myspace circa 2007. Myspace succeeded 1st, Facebook succeeded 2nd, and the 3rd will be....

Posted by: MrWillie | January 26, 2011 1:38 PM | Report abuse

Um why on earth would I want picture identification of "friends" that I may or may not even KNOW to be my security? Are they going to be plucking pictures people are tagged in? Their avatar? My avatar is not even a picture of me. I'm about done with FB; the security measures are getting to be absurd.

Posted by: jojoranting | January 26, 2011 6:51 PM | Report abuse

I agree MrWillie. I know a lot of people will disagree but Facebook is a house of cards. I disabled my account long ago. Waste of time and who wants to pay for another wing on Zuckerberg's mansion.

Posted by: davidwg46 | January 26, 2011 9:57 PM | Report abuse

While not formally turned on yet, logging on to Facebook then adding an "s" to "http" will get you a secure page and the little lock on the screen. So they are working on it.

Posted by: courry | January 26, 2011 10:38 PM | Report abuse

This is great if you're on a laptop in a coffee shop. What if you're on a handheld WiFi device: will Facebook update their iPhone/iPod Touch app to use the encrypted site?

Posted by: DaveL60 | January 27, 2011 8:01 AM | Report abuse

I agree – we can all benefit from this uptick in security. Facebook’s made an important move by encrypting each page on Facebook, not just login. I work for Symantec, so of course I am a fan of SSL and believe that it is crucial to online security. This public declaration from Facebook is a huge step in awareness and security for social networking and other online activities, and I’m curious to see what’s next.

Posted by: hollylarocco | January 27, 2011 4:11 PM | Report abuse


© 2011 The Washington Post Company