UPDATE (November 26, 2012): Facebook has started rolling out HTTPS by default for all users. More information was released in a November 14, 2012 Platform Update on the Developer Blog.

In October 2010, Eric Butler demonstrated a problem with open networks. It’s easy to capture network data and steal authentication credentials (a “cookie”) from other wireless users. It’s especially easy to do on open wireless networks. So easy, that Eric created a simple Mozilla Firefox plugin for everyone to try called Firesheep. Using this simple tool, anyone could grab the cookie that allowed an authenticated user to browse their private web pages from sites like Twitter and Facebook. Very easy.

In response, Facebook and many other sites provided a security feature to prevent Firesheep and similar tools from working. They now provide the option to encrypt your entire session over the Secure Socket Layer or SSL. This is also referred to as “https”. When your session is encrypted, other network users cannot see the data you send and receive. You also guaranteed to be communicating with a legitimate Facebook server because SSL provides server authentication as well. On Facebook, this advanced security feature is called “Secure Browsing”.

Enabling Secure Browsing

It is a good idea to enable this feature. Here is how you do that:

1. Click on the “triangle” drop-down menu in the upper right portion of the Facebook page.
2. Select “Account Settings”. A new page will open.
3. On the upper left portion of the Facebook page you will see a tab called “Security” with a gold badge next to it. Click on it.
4. A list of security settings are presented. Look for “Secure Browsing” and click on it.
5. The option to enable Secure Browsing will slide down. Select “Browse Facebook on a secure connection (https) when possible” and click the “Save Changes” button.
6. Reload the Facebook pages you have open. You should now be able to verify in your web browser that the connection is encrypted to prevent eavesdropping.

Once you have Secure Browsing enabled, you’ll notice that your web browser location bar will change. It will display a lock indicating that the site uses SSL.

Secure Browsing Considerations

There are many advantages to using Facebook Secure Browsing and no significant disadvantages. Once enabled, you no longer have to worry as much about your information being captured over the network, having your account compromised through session hijacking, and that you are connected to a legitimate Facebook server through server authentication. Facebook also now requires all third-party developers to provide SSL-enabled Apps through the Facebook platform. This means that the Facebook Apps you use are exchanging your information over an encrypted communications channel using SSL. One common complaint is that using SSL is slow. Most modern computers and laptops are so fast that there is literally no noticeable delay when using Secure Browsing. Facebook and other services also use very fast servers that can crunch through the cryptographic operations quickly too. You should see no delay that can be traced to Secure Browsing.

Just remember that you can be fooled. Periodically check your web browser location bar for the lock symbol. Some attackers create fake web sites (called “phishing” sites) to capture usernames and passwords by tricking users into thinking they are using the correct web site. If the lock is not present, then your information is not private and may have been compromised. If in doubt, return to the real Facebook URL.

Resources

Check our guide: Own Your Space, “A Guide to Facebook Security”

Facebook Extra Security Features