Facebook Switches On HTTPS For American Users

Facebook has adopted the policy taken by Google and other websites after it enabled HTTPS as a default for user connections in North America.

The move is meant to provide secure browsing for part of the social network’s user base, which as of September is counted by the company to be more than a billion. The rollout began last week, and Facebook stated there are plans to make HTTPS default for the rest of the world as well. No specific date was given as to when that would be.

HTTPS Protection

Starting last year, Facebook gave users the opportunity to turn on HTTPS so that it was used to protect their entire sessions as opposed to only being used whenever they entered their passwords. The option could be enabled through the Account Security section of the Account Settings page. At the time, Facebook advised users that while HTTPS improves security, encrypted pages take longer to load, and could slow down their experience using the site.

HTTPS layers HTTP on top of the SSL/TLS protocol and provides authentication of the Website and Web server a user is communicating with and keeps the session cookie encrypted to provide protection against man-in-the-middle attacks.

Google opted to turn HTTPS on by default for Gmail in 2010 after calls from security and privacy experts and the emergence of reports of attempts to access the Gmail accounts of Chinese human rights activists. In 2011, Google began redirecting users signed into their Google accounts to the HTTPS version of Google.com to encrypt the searches users perform and the results they receive. Earlier this year, Twitter enabled HTTPS by default for all its users as well, roughly a year after introducing it as an option. Users can turn the option of on their account settings page.

However, there has been research into attacks that can circumvent HTTPS, so it should not be considered fool-proof. For example, last year at the ekoparty Security Conference in Buenos Aires, two researchers demonstrated a tool known as BEAST that can be used to defeat SSL/TLS and enable attackers to steal cookies. Still, turning HTTPS on by default is a good step, blogged Graham Cluley, senior technology consultant at Sophos.

Long Time Coming

Way back in January 2011, Facebook announced it was implementing HTTPS to allow its many millions of users the ability to automatically encrypt their communications with the social network – preventing hackers and attackers from sniffing your sensitive data while using unencrypted wifi hotspots,” Cluley blogged.

In April of last year, Sophos wrote an open letter to Facebook to requesting the site enable HTTPS by default as part of a list of security recommendations.

“We want to say this really clearly and loudly … Well done Facebook! Sure, we might have liked it if Facebook had enabled HTTPS by default more quickly, but it would be churlish to grumble now they’re doing it,” he added.

What do you know about Facebook? Take our quiz!

Brian Prince eWEEK USA 2014. Ziff Davis Enterprise Inc. All Rights Reserved

Recent Posts

OpenAI In Talks With California Over For-Profit Shift

OpenAI reportedly begins early talks with California attorney general over complex transition from nonprofit to…

2 hours ago

EU To Assess Apple’s iPad Compliance Plans

European Commission says it will review Apple's iPad compliance with DMA rules as it seeks…

2 hours ago

James Dyson Says ‘Spiteful’ Budget Will Kill Start-Ups

James Dyson delivers most high-profile criticism so far of Labour's first Budget that raises £40bn…

3 hours ago

Nvidia, Meta Ask Supreme Court To Axe Investor Lawsuits

Nvidia, Meta bring cases before US Supreme Court this month seeking tighter limits on investors'…

3 hours ago

Nvidia To Replace Intel On Dow Jones Industrial Average

Nvidia to replace Intel this week on Dow Jones Industrial Average after years of turmoil…

4 hours ago

Toyota-Backed Joby Flies ‘Air Taxi’ In Japan

Joby Aviation and Toyota Motor complete demonstration flight in Shizuoka as companies prepare to bring…

4 hours ago