Have you ever had your Facebook account hacked? Do you know anyone who has? Much has been made lately of Facebook supporting full HTTPS access. There are many different people out there who will tell you that it’s a good thing and show you how to enable it, but not many who explain how it will help prevent your account from being hacked – especially while travelling.
If you’ve found your way here you are likely the type who enjoys travelling and using the Internet. Many people who use the Internet while travelling use it to access Facebook in order to keep in touch with their family and friends back at home. To take this story a little further, I suggest that many of these travelling Facebook users will access Facebook on unencrypted wireless connections at a hotel, hostel, airport, cafe, or other location. I have no scientific evidence to back this up, but it holds true among my circle of friends so hopefully this post will at least be useful to both of them.
Logging into and using any web applications not protected by encryption is much more risky than most people know. In my other life as an Information Security Consultant I get to show people how easy it is to hijack web application accounts over unencrypted wireless networks such as those commonly used by travellers.
If you didn’t already know, HTTPS secures your Facebook session by encrypting all the traffic that travels between your browser and Facebook’s servers. The S stands for secure. It’s been around for ages and is the same technology that you’ve been taught to look for while banking online.
HTTPS support isn’t entirely new to Facebook, either, as it has been possible to simply change the HTTP in the URL to HTTPS before login for quite some time. The difference is that until now that HTTPS session only protected your Facebook login credentials (user name and password) and the rest of your session would run in unencrypted plain text after login.
Why wouldn’t Facebook encrypt everything? The primary argument against it is that encryption requires computer processing power on their servers. On a one-off basis the difference is barely noticeable, but when you are one of the biggest websites on the Internet every little bit adds up quickly.
So what caused Facebook to bring about the change? Firesheep. Firesheep is a Firefox extension that easily allows people to monitor unencrypted traffic on a network to look for Facebook cookies and then use those cookies to hijack those accounts. Cookies are how your browser proves to Facebook that the click you are sending them is associated with the login process you completed earlier. It’s a web trick to prevent you from having to send your username and password every time you click on a web page.
Because Facebook didn’t encrypt sessions, anyone on the same network as you or who is within radio range of your unencrypted wireless traffic could capture one of these cookies. The cookie could then be replayed by the bad guy and Facebook would happily think that the bad guy using your cookie is, in fact, you. This kind of attack was possible before Firesheep, but it required knowledge of computer networking and a moderate amount of geekery. Firesheep just brought this capability to anyone who can use a browser and handed it to them with point-and-click simplicity.
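One caveat worth checking from the site operator’s side, as an added example that is not part of the original post: switching a site to HTTPS only keeps the session cookie off the plaintext wire if the cookie is marked Secure, otherwise the browser will still attach it to any http:// request for the same site. The Python below audits a list of Set-Cookie headers and flags session cookies missing Secure or HttpOnly; the cookie names and header values are constructed, not real Facebook cookies.

```python
# Added example (not from the original post): audit the Set-Cookie headers a web app
# sends after login and flag session cookies a browser would still send over plain HTTP.
# Cookie names and values are constructed, not real Facebook cookies.

# Hypothetical names a site might use for its login/session cookie.
SESSION_COOKIE_NAMES = {"sid", "sess", "sessionid"}


def parse_set_cookie(header: str):
    """Split a Set-Cookie value into (name, value, attributes); attribute keys lowercased."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs


def audit_cookie(header: str, session_names=SESSION_COOKIE_NAMES):
    """Return (cookie name, list of problems); an empty list means the cookie is fine."""
    name, _, attrs = parse_set_cookie(header)
    problems = []
    if name.lower() in session_names:
        if "secure" not in attrs:
            # Without Secure the browser also attaches the cookie to any http:// request,
            # so an HTTPS login alone does not keep it off an open wireless network.
            problems.append("missing Secure")
        if "httponly" not in attrs:
            # Without HttpOnly any script running in the page can read the cookie out.
            problems.append("missing HttpOnly")
    return name, problems


def audit_headers(headers, session_names=SESSION_COOKIE_NAMES) -> dict:
    """Map each cookie name to its problems for a list of Set-Cookie header values."""
    return dict(audit_cookie(h, session_names) for h in headers)


# Constructed sample headers as a server might send them after login.
SAMPLE_HEADERS = [
    "sid=a1b2c3; Path=/; HttpOnly",           # still sent over HTTP: no Secure
    "sess=d4e5f6; Path=/; Secure; HttpOnly",  # only ever sent over HTTPS
    "lang=en; Path=/",                        # not a session cookie, nothing to flag
]

if __name__ == "__main__":
    for name, problems in audit_headers(SAMPLE_HEADERS).items():
        print(name, "OK" if not problems else ", ".join(problems))
```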
If you are a heavy user of cafe or hotel wireless, I strongly suggest that you enable this function. Facebook hasn’t rolled this out to everyone yet, but I know I will enable it once it is available to me. If Facebook has planned things out properly and bumped up their encryption horsepower you shouldn’t really notice a difference in performance. Of course, just using this setting alone does not guarantee that the bad guys won’t hack your Facebook, but it means that only the more sophisticated bad guys can do it. And trust me, there are loads of unsophisticated bad guys out there.
If you want to learn how to increase your protection against the smart bad guys, as well as how to protect your email and other web apps, check back for a future post about Virtual Private Networks.
To see if you can enable HTTPS on Facebook:
- Log in to Facebook
- Click on ‘Account’ at the top right-hand corner of your Facebook page
- Click on ‘Account Settings’ in the drop-down box
- There should be an option to enable HTTPS there. I would include a screen cap, but it’s not available to me yet.