We use cookies to provide you with a better experience. If you continue to use this site, we'll assume you're happy with this. Alternatively, click here to find out how to manage these cookies

hide cookie message
80,259 News Articles

Facebook praised for encrypting Web access by default

Facebook's decision to encrypt all communications with its millions of North American users won praise Monday from security experts, who said the move would protect users on public Wi-Fi networks.

Facebook quietly rolled out secure hypertext transfer protocol (HTTPS) last week, announcing in its Developer Blog (https://developers.facebook.com/blog/post/2012/11/14/platform-updates--operation-developer-love/) that all communications would be over the secure connection by default. Before the announcement, users had to opt-in, which typically leads to low adoption rates.

HTTPS keeps the session cookie encrypted between logging in and logging out, preventing hackers from hijacking the session and impersonating the user. Google started rolling out HTTPS for all its services in 2010, while Twitter enabled the encrypted protocol by default in February. (http://www.csoonline.com/article/700427/twitter-enables-https-by-default)

Facebook joining the pack was welcome news to security experts who favor HTTPS use by all major Internet companies. "It's an important thing and everyone should do it," Wolfgang Kandek, chief technology officer for Qualys, said. "It's especially important since Facebook is moving more into e-commerce."

The importance of HTTPS was highlighted in 2010 with the release of a browser-based plug-in called Firesheep. The Wi-Fi sniffing tool published by security developer Eric Butler demonstrated the security vulnerabilities in the way session cookies for Facebook and Twitter were exchanged between servers and users' PCs.

The relatively simple tool was able to capture the session cookie traveling across a public wireless network without HTTPS turned own. If a user shut off his PC without logging out, then a hacker could use the cookie to impersonate the user on the site.

[See related: Google protects its current HTTPS traffic against future attacks]

The damage that can be done by such a hack was seen when actor Ashton Kutcher had his Twitter account hijacked during the brainbox TED conference last year. The hackers accessed the account over an unencrypted Wi-Fi connection and posted graffiti in his name.

For years, the use of HTTPS was avoided by sites out of fear of degrading performance due to higher demand on servers' processing power. However, the today's more powerful processors and other technological advancements have mitigated any impact on performance.

"SSL is certainly more processing power, but it's really small and incremental," Chester Wisniewski, senior security adviser for Sophos, said. SSL, or Secure Sockets Layer, is the cryptographic protocol used in HTTPS communications.

In Facebook's case, implementing HTTPS was likely complicated by the fact that many third-party websites offer services through the social network. Examples would include online game makers such as Zynga.

Because many of those sites may not use HTTPS, Facebook had to figure out how to use its servers as an intermediary for communications with users. "Those are valid technical problems that are not easy to solve," Wisniewski said.

Nevertheless, Internet companies have to accept basic security, like HTTPS, as a necessary expense. "If you're going to run your business, you should do it in a secure and safe way for your customers," Wisniewski said. "And if it costs you money and a bunch of equipment, tough nuts. It's part of the cost of doing business.

Read more about social networking security in CSOonline's Social Networking Security section.

IDG UK Sites

Best camera phone of 2015: iPhone 6 Plus vs LG G4 vs Galaxy S6 vs One M9 vs Nexus 6

IDG UK Sites

In defence of BlackBerrys

IDG UK Sites

Why we should reserve judgement on Apple ditching Helvetica in OS X/iOS for the Apple Watch's San...

IDG UK Sites

Retina 3.3GHz iMac 27in preview: Apple cuts £400 of price of Retina iMac with new model