The Facebook Setting You Should Change as Quickly as Possible
Facebook finally provided a way to keep any random jerk in the café from hijacking your account. But you have to go out of your way to enable this protection, and you might have to wait. Still: Jump on this.
Facebook has at long last offered an option to use the encrypted “HTTPS” protocol, a feature it will begin rolling out today but won’t finish for a “few weeks.” You should check now if it’s available, and sign up as soon as it is enabled for your account. The performance overhead is minor—zippy Gmail, for example, uses HTTPS for everything—and it’s an important step to keep your Facebook account safe from being hijacked on an open or poorly secured wireless network.
By default, Facebook sends your access credentials in the clear, with no encryption whatsoever. Switching to HTTPS is important because a browser extension called Firesheep has made it especially easy for anyone sharing your open wireless network—at a café or conference, for example—to sniff your credentials and freely access your account. One blogger sitting in a random New York Starbucks was able to steal 20-40 Facebook identities in half an hour. HTTPS solves this longstanding problem by encrypting your login cookies and other data; in fact the inventor of Firesheep made the software to encourage companies like Facebook to finally lock down their systems.
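The weak point the paragraph describes is the session cookie: once you have logged in, the browser attaches it to every request, and on a plain HTTP connection anyone on the same network can read it. Turning on HTTPS helps only if the cookie is also marked so the browser will never send it over HTTP, and if the site tells browsers to stop using HTTP at all. The following Python is an added illustration written for this article, not code from Facebook or from Firesheep: it parses a response's Set-Cookie headers and flags cookies that would still travel in the clear, plus the absence of a Strict-Transport-Security header. The header samples and the cookie names (sessionid, lang) are constructed for the example, and the list of "session-looking" name fragments is a heuristic assumption, not a standard.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Response headers as (name, value) pairs; Set-Cookie legitimately repeats.
Headers = List[Tuple[str, str]]

# Name fragments that suggest a cookie carries the logged-in session.
# This is a heuristic chosen for the example, not a standard.
SESSION_HINTS = ("sess", "sid", "auth", "token", "login")


@dataclass
class Cookie:
    name: str
    secure: bool            # Secure: the browser sends it only over HTTPS
    httponly: bool          # HttpOnly: page scripts cannot read it
    samesite: Optional[str]  # SameSite value, if any


def parse_set_cookie(header_value: str) -> Cookie:
    """Parse one Set-Cookie header value into its name and the attributes we care about."""
    parts = [p.strip() for p in header_value.split(";") if p.strip()]
    name = parts[0].partition("=")[0].strip()
    attrs = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()  # attribute names are case-insensitive
    return Cookie(
        name=name,
        secure="secure" in attrs,
        httponly="httponly" in attrs,
        samesite=attrs.get("samesite"),
    )


def looks_like_session(name: str) -> bool:
    lowered = name.lower()
    return any(hint in lowered for hint in SESSION_HINTS)


def audit_cookies(headers: Headers) -> Dict[str, List[str]]:
    """Return {cookie name: [problems]} for cookies a plaintext eavesdropper could capture.

    The key "_site" collects site-wide problems (here: no HSTS header).
    """
    findings: Dict[str, List[str]] = {}
    for key, value in headers:
        if key.lower() != "set-cookie":
            continue
        cookie = parse_set_cookie(value)
        problems = []
        if not cookie.secure:
            problems.append("missing Secure: browser will also send it over plain http://")
        if looks_like_session(cookie.name) and not cookie.httponly:
            problems.append("missing HttpOnly: session cookie readable by page scripts")
        if problems:
            findings[cookie.name] = problems
    if not any(k.lower() == "strict-transport-security" for k, _ in headers):
        findings["_site"] = [
            "no Strict-Transport-Security: a browser may still start on http:// and leak cookies"
        ]
    return findings


# Constructed sample responses (not captured from Facebook or any real site).
# BEFORE: a site served over HTTP, session cookie without Secure, no HSTS.
BEFORE: Headers = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "sessionid=0123456789abcdef; Path=/; HttpOnly"),
    ("Set-Cookie", "lang=en; Path=/"),
]
# AFTER: the same site once HTTPS is enforced and cookies are marked Secure.
AFTER: Headers = [
    ("Content-Type", "text/html"),
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ("Set-Cookie", "sessionid=0123456789abcdef; Path=/; Secure; HttpOnly; SameSite=Lax"),
    ("Set-Cookie", "lang=en; Path=/; Secure"),
]

if __name__ == "__main__":
    for label, hdrs in (("before", BEFORE), ("after", AFTER)):
        print(label, audit_cookies(hdrs) or "no findings")
```

Run against the BEFORE sample, the audit reports both cookies as sendable over plain HTTP and notes the missing HSTS header; the AFTER sample comes back clean. The point for readers of this article is that "the site offers HTTPS" and "my cookie can no longer be sniffed" are two different claims, and the second depends on the Secure attribute and on the browser never falling back to HTTP.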
You can sign up for Facebook HTTPS by going to Account Settings and then selecting “Account Security,” third from the bottom. Then click under “Secure Browsing” — if it’s there. Facebook says everyone should have this by the end of the day, but in the meantime you might be missing the relevant option toggle.
Facebook is sure taking its sweet time rolling this out. Firesheep has been out for more than three months, and the EFF released a plugin for secure Facebook connections back in June. Even the HTTPS option is a half measure. It applies only on the website, not on Facebook’s iPhone app.
And HTTPS should really be automatic for all Facebook users, not an opt-in buried in one of Facebook’s famously labyrinthine settings menus. Facebook seems to recognize this, writing, “We hope to offer HTTPS as a default whenever you are using Facebook sometime in the future.” Given that Facebook secures not only intimate pictures and chats but people’s credentials on other websites, that future really can’t come soon enough. But if history is any guide, Facebook’s users are in for a long wait for proper security.