How to enable HTTPS/SSL encryption to secure your Facebook account


Many people have been pleased to hear that Facebook is now allowing users to choose full SSL/HTTPS encryption throughout their session to prevent their accounts from being compromised through unencrypted WiFi using tools like Firesheep.

After the announcement, though, many people were confused and asked us to provide better instructions on how to choose this more secure option. I have put together a brief (only 1.5 minutes!) YouTube video on how to enable this feature.

As of the time of this article (January 28, 2011) only a fraction of all Facebook accounts have been enabled to use this option. We expect it to be available to all Facebook users in a short amount of time.


(Enjoy this video? You can check out more on the SophosLabs YouTube channel and subscribe if you like.)

The myth that HTTPS sessions consume a large quantity of resources needs to be quashed. While encryption may seem to be a heavy-duty task, modern algorithms are designed to provide the maximum security for a minimum impact.

If you are a webmaster or IT administrator who is responsible for providing services to your customers, please look into securing your pages and following Facebook's lead. If they can provide an extra layer of protection for more than 500 million users, surely you can provide the same protections to your users.

For Facebook users, in addition to selecting the new HTTPS option, take a look at our guide on how to secure your profile.

And don't forget to join the Sophos page on Facebook, where we regularly alert on the latest security threats on the social network.

Creative Commons image courtesy of Dieselducy from the WikiCommons


29 Responses to How to enable HTTPS/SSL encryption to secure your Facebook account

  1. Miguel · 1271 days ago

    Neat. I am in Slovenia and I don't have the option to activate https.

    • Same here Miguel. I think Facebook is staggering the roll-out across users.

      So, check the settings panel that Chet shows you in the video and hopefully it will appear sooner or later.

    • Bangon Kali · 1261 days ago

      I'm from the Philippines and I still don't have it. :(

  2. Sylvia · 1271 days ago

    I don't have that option

  3. Leesa · 1271 days ago

    I'm in Canada and don't have this option either.

  4. david56543 · 1271 days ago

    It will take time for it to appear on all accounts, they said.

    Anyway, this won't help much for non-IT people as they won't know what HTTPS is exactly... and so they will just still use HTTP unless Facebook makes a notice when they log in.

  5. Cheryl · 1271 days ago

    Don't have that option in Colorado yet!

  6. Wilful · 1271 days ago

    Everything I do on facebook ends up being visible to my friends and family, from what I write there to photos that I upload, games I play, etc.

    How does securing the connection help in ANY way? I just don't see how this is an issue.

    • Brent · 1271 days ago

      Without a secure connection, someone can steal your username and password fairly easily. This would most likely happen if you were using a wireless internet connection that other people were connected to.

      Once someone had your login information, they would have full access to your account and could send messages, create posts, or even delete your account entirely. They would also have access to your photos and other personal information that you mentioned.

      Securing the connection means it will be much harder to steal login information, and therefore less likely that someone could login to your account and take actions that you wouldn't want.

  7. Mars · 1271 days ago

    I'm in the Philippines and I don't have the http option either.

  8. Did it, and then found out that if you play any games on FB, the setting MUST be converted back to a standard connection. So... apparently you can only use the https encryption for reading your feed. Not much help to a huge number of FB users.

    • melissa · 1242 days ago

      Very true, you can't use this when you play games!!! So I just don't use it at all :)

  9. Mengano · 1271 days ago

    Is this beneficial only to those who access Facebook via wireless internet or also for those who connect via a landline internet connection?

    • helpful hinter · 1269 days ago

      That's... every person in the world.

    • Mark · 1268 days ago

      Wireless connections mostly but people can also compromise servers on a wired network and install "packet sniffers" (software that steals unencrypted data). It's not as common or easy as stealing data off a wireless network (which doesn't require compromising a server) but it is possible so it is better to be safe than sorry and use HTTPS wherever you have the option, especially when transmitting personal data.

  10. Do you know how this applies to mobile app connections once this rolls out to one's account and is activated? I'd guess that mobile browsers would default to full https, but what about the FB apps for iOS, android, and blackberry? The FB app running in the background keeps me from using public wifi for benign browsing while out (gmail's IMAP is secure); I use my data plan instead, since at least 3G connections are safer. But I haven't seen app data encryption mentioned anywhere.

  11. the Doctor · 1269 days ago

    In Wales, don't have it...(yet)

  12. In The Netherlands also no HTTPS option there..

  13. Peter J Taylor · 1266 days ago

    Thank you for drawing attention to this improvement.
    I am unable to see the https option on my own account, but it is available on my wife's account, using the same computer and broadband connection!
    Could this be because I use Safari and she uses Firefox? Or could it be because her email address is a virgin.net POP account and mine is an IMAP account with AOL?

  14. Peter J Taylor · 1262 days ago

    Further to my previous comment, I have now been able to activate https for Facebook on my Macintosh/Safari application, so perhaps they are now rolling the facility out at a faster rate.

  15. Warning. Some of the app pages on facebook will complain about not being viewable over https connections and will ask for your permission to fall back to http. What is NOT explained is that this will uncheck your "use https" setting in your privacy settings, and it will remain unchecked until you go back in to your settings and reset your https box. Very annoying facebook.

  16. Richard M Canedo · 1196 days ago

    When you leave Facebook to go to another application/game you are required to turn off the secure encryption. Then when you go back to Facebook you have to log out and then log back in in order to get the secure connection back.

  17. I swear it's flawed on purpose. I can't get it to work worth a flip. I know it's supposed to disable it temporarily when you do apps and such but 75% it won't let you and you have to re-log and hope it works this time. BTW - feel free to friend me on Facebook (whew, say that 10 times fast). I try to give up-to-date info on any FB or computer security question. If I don't know, I research and find out very quickly for both our knowledge.

  18. Facebook SSL Provider · 1019 days ago

    I have found that so many apps on FB are now not visible because they do not carry an SSL cert. So I think FB has already started investigating and disabling the apps which do not follow the FB rules.

  19. If your Account Has Been Hacked And You Have Access To your Login Email

    * Go here: https://ssl.facebook.com/help/contact.php?show_fo...

  20. Babs · 705 days ago

    I have tried today to log into my Facebook account, and every time it sends me to the https Facebook. How do I disable this? I have two accounts, one for family and one for friends. The one for family works; it's the friends one I can't get to work. Please help.


About the author

Chester Wisniewski is a Senior Security Advisor at Sophos Canada. He provides advice and insight into the latest threats for security and IT professionals with the goal of providing clear guidance on complex topics. You can follow Chester on Twitter as @chetwisniewski, on App.net as Chester, Chester Wisniewski on Google Plus or send him an email at chesterw@sophos.com.