Facebook Security: Use Secure Browsing to Keep your Facebook Session Safe

UPDATE (November 26, 2012): Facebook has started rolling out HTTPS by default for all users. More information was released in a November 14, 2012 Platform Update on the Developer Blog.

In October 2010, Eric Butler demonstrated a problem with open networks. It’s easy to capture network data and steal authentication credentials (a “cookie”) from other wireless users. It’s especially easy to do on open wireless networks. So easy, that Eric created a simple Mozilla Firefox plugin for everyone to try called Firesheep. Using this simple tool, anyone could grab the cookie that allowed an authenticated user to browse their private web pages from sites like Twitter and Facebook. Very easy.

In response, Facebook and many other sites provided a security feature to prevent Firesheep and similar tools from working. They now provide the option to encrypt your entire session over the Secure Socket Layer or SSL. This is also referred to as “https”. When your session is encrypted, other network users cannot see the data you send and receive. You also guaranteed to be communicating with a legitimate Facebook server because SSL provides server authentication as well. On Facebook, this advanced security feature is called “Secure Browsing”.

Enabling Secure Browsing

It is a good idea to enable this feature. Here is how you do that:

  1. Click on the “triangle” drop-down menu in the upper right portion of the Facebook page.
  2. Select “Account Settings”. A new page will open.
  3. On the upper left portion of the Facebook page you will see a tab called “Security” with a gold badge next to it. Click on it.
  4. A list of security settings are presented. Look for “Secure Browsing” and click on it.
  5. The option to enable Secure Browsing will slide down. Select “Browse Facebook on a secure connection (https) when possible” and click the “Save Changes” button.
  6. Reload the Facebook pages you have open. You should now be able to verify in your web browser that the connection is encrypted to prevent eavesdropping.
Facebook Security: Facebook Account Settings for Secure Browsing
The Facebook account settings page showing that Secure Browsing is enabled.

Once you have Secure Browsing enabled, you’ll notice that your web browser location bar will change. It will display a lock indicating that the site uses SSL.

Facebook Security: Look for the web browser lock symbol to indicate a secure connection
Google Chrome Location Bar showing a lock symbol for Facebook.

Secure Browsing Considerations

There are many advantages to using Facebook Secure Browsing and no significant disadvantages. Once enabled, you no longer have to worry as much about your information being captured over the network, having your account compromised through session hijacking, and that you are connected to a legitimate Facebook server through server authentication. Facebook also now requires all third-party developers to provide SSL-enabled Apps through the Facebook platform. This means that the Facebook Apps you use are exchanging your information over an encrypted communications channel using SSL. One common complaint is that using SSL is slow. Most modern computers and laptops are so fast that there is literally no noticeable delay when using Secure Browsing. Facebook and other services also use very fast servers that can crunch through the cryptographic operations quickly too. You should see no delay that can be traced to Secure Browsing.

Just remember that you can be fooled. Periodically check your web browser location bar for the lock symbol. Some attackers create fake web sites (called “phishing” sites) to capture usernames and passwords by tricking users into thinking they are using the correct web site. If the lock is not present, then your information is not private and may have been compromised. If in doubt, return to the real Facebook URL.


Check our guide: Own Your Space, “A Guide to Facebook Security

Facebook Extra Security Features

, ,

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: