Facebook FINALLY allows HTTPS as an option

Some time ago I wrote an article on Firesheep and the dangers of using an open Wi-Fi connection.

When logging into a website you usually start by submitting your username and password. The server checks whether an account matching that information exists and, if so, replies with a “cookie” that your browser attaches to every subsequent request so the site knows it is still you.
It’s extremely common for websites to protect your password by sending that initial login over HTTPS, but surprisingly uncommon for them to encrypt everything else.

This leaves the cookie (and the user) vulnerable. HTTP session hijacking (sometimes called “sidejacking”) is when an attacker gets hold of a user’s cookie and replays it, which lets them do anything the user can do on that website without ever knowing the password. On an open wireless network every plain-HTTP request, cookie included, is basically shouted through the air, so anyone nearby with a packet sniffer can collect it, which makes these attacks extremely easy.
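To make the mechanism above concrete, here is an added example (my own code, not from the original article or from Firesheep) that plays the role of a passive sniffer: it walks over a constructed capture in which the login is an opaque TLS record but the later requests are plain HTTP, pulls the session cookie out of the clear-text ones, and builds the replay request an attacker would send. It also checks the one server-side detail that decides whether HTTPS browsing actually helps: unless a cookie is set with the `Secure` attribute, the browser will still attach it to any http:// request (a single unencrypted image link is enough), so the cookie leaks even after the user has switched to HTTPS. The host names and cookie values are made up for this example.

```python
from http.cookies import SimpleCookie

# Constructed capture: what a sniffer on an open Wi-Fi network sees.
# Host names and cookie values are invented for this example.
CAPTURED_FRAMES = [
    # The login itself went over HTTPS: only opaque TLS bytes are visible.
    ("tls", b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03"),
    # Every later request is plain HTTP and carries the session cookie.
    ("http", b"GET /home.php HTTP/1.1\r\n"
             b"Host: www.example-social.test\r\n"
             b"Cookie: c_user=1234567890; xs=9f86d081884c7d65\r\n"
             b"\r\n"),
    ("http", b"GET /static/logo.png HTTP/1.1\r\n"
             b"Host: static.example-social.test\r\n"
             b"\r\n"),
]


def parse_http_request(raw):
    """Split a raw HTTP/1.x request into (method, path, headers dict)."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    request_line, *header_lines = head.split("\r\n")
    method, path, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers


def harvest_session_cookies(frames):
    """Collect every cookie sent in the clear, keyed by host.

    This is the core of sidejacking: no password needed, just the cookie."""
    stolen = {}
    for proto, raw in frames:
        if proto != "http":
            continue  # TLS frames are opaque to a passive sniffer
        _method, _path, headers = parse_http_request(raw)
        if "cookie" not in headers:
            continue
        jar = SimpleCookie()
        jar.load(headers["cookie"])
        stolen[headers["host"]] = {k: m.value for k, m in jar.items()}
    return stolen


def build_hijack_request(host, cookies, path="/home.php"):
    """Replay the stolen cookie; the server cannot tell this from the victim."""
    cookie_header = "; ".join(f"{k}={v}" for k, v in cookies.items())
    return (f"GET {path} HTTP/1.1\r\n"
            f"Host: {host}\r\n"
            f"Cookie: {cookie_header}\r\n\r\n").encode()


def cookie_leaks_over_http(set_cookie_header):
    """True if a Set-Cookie header lacks the Secure attribute, meaning the
    browser will attach the cookie to plain-HTTP requests as well."""
    jar = SimpleCookie()
    jar.load(set_cookie_header)
    return any(not morsel["secure"] for morsel in jar.values())


if __name__ == "__main__":
    stolen = harvest_session_cookies(CAPTURED_FRAMES)
    for host, cookies in stolen.items():
        print(f"stolen from {host}: {cookies}")
        print(build_hijack_request(host, cookies).decode())
    # Server-side check: the second header is what a site should send.
    for hdr in ("xs=9f86d081884c7d65; Path=/; HttpOnly",
                "xs=9f86d081884c7d65; Path=/; Secure; HttpOnly"):
        print(f"{hdr!r} leaks over HTTP: {cookie_leaks_over_http(hdr)}")
```

The takeaway for anyone running a site: offering HTTPS is only half the fix. The session cookie must also carry `Secure` (and ideally `HttpOnly`), otherwise the browser will happily hand it to the first plain-HTTP link it follows.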

Well, it now appears that at least one of the sites hijackable with Firesheep, Facebook, lets you use HTTPS for your whole session by default, instead of relying on a workaround such as BlackSheep (which only detects Firesheep on the network) or the HTTPS Everywhere browser extension.

It’s as simple as:

  • Log in to your Facebook account
  • Click Account (upper right-hand corner)
  • Go to Account Settings
  • Select Account Security and tick the check box under Secure Browsing (HTTPS)

Facebook will now use HTTPS for your session by default, not just for the login.

And that’s one more problem solved in the ‘security’ arena. Unfortunately, FB still isn’t the greatest when it comes to security, but at least they’re taking steps in the right direction.

