Many people have been pleased to hear that Facebook is now allowing users to choose full SSL/HTTPS encryption throughout their session to prevent their accounts from being compromised through unencrypted WiFi using tools like Firesheep.
After the announcement, though, many people were confused and asked us to provide better instructions on how to choose this more secure option. I have put together a brief (only 1.5 minutes!) YouTube video on how to enable this feature.
As of the time of this article (January 28, 2011) only a fraction of all Facebook accounts have been enabled to use this option. We expect it to be available to all Facebook users in a short amount of time.
(Enjoy this video? You can check out more on the SophosLabs YouTube channel and subscribe if you like.)
The myth that HTTPS sessions consume a large quantity of resources needs to be quashed. While encryption may seem to be a heavy-duty task, modern algorithms are designed to provide maximum security with minimum impact.
If you are a webmaster or IT administrator who is responsible for providing services to your customers, please look into securing your pages and following Facebook’s lead. If they can provide an extra layer of protection for more than 500 million users, surely you can provide the same protections to your users.
For Facebook users, in addition to selecting the new HTTPS option, take a look at our guide on how to secure your profile.
And don’t forget to join the Sophos page on Facebook, where we regularly alert on the latest security threats on the social network.
Creative Commons image courtesy of Dieselducy from the WikiCommons
Neat. I am in Slovenia and I don't have the option to activate https.
Same here Miguel. I think Facebook is staggering the roll-out across users.
So, check the settings panel that Chet shows you in the video and hopefully it will appear sooner or later.
I'm in the UK and I don't have the option either…
I will, thank you for the information!
I'm from the Philippines and I still don't have it. 🙁
I don't have that option
I'm in Canada and don't have this option either.
It will take time for it to appear on all accounts, they said.
Anyway, this won't help much for non-IT people as they won't know what HTTPS is exactly… and so they will just still use HTTP unless Facebook makes a notice when they log in.
Don't have that option in Colorado yet!
Everything I do on facebook ends up being visible to my friends and family, from what I write there to photos that I upload, games I play, etc.
How does securing the connection help in ANY way? I just don't see how this is an issue.
Without a secure connection, someone can steal your username and password fairly easily. This would most likely happen if you were using a wireless internet connection that other people were connected to.
Once someone had your login information, they would have full access to your account and could send messages, create posts, or even delete your account entirely. They would also have access to your photos and other personal information that you mentioned.
Securing the connection means it will be much harder to steal login information, and therefore less likely that someone could log in to your account and take actions that you wouldn't want.
I'm in the Philippines and I don't have the http option either.
There is, it's at security and click secure browsing
Did it, and then found out that if you play any games on FB, the setting MUST be converted back to a standard connection. So… apparently you can only use the https encryption for reading your feed. Not much help to a huge number of FB users.
very true u can't use this when u play games!!! so i just don't use it at all:)
Is this beneficial only to those who access Facebook via wireless internet or also for those who connect via a landline internet connection?
That's… every person in the world.
Wireless connections mostly but people can also compromise servers on a wired network and install "packet sniffers" (software that steals unencrypted data). It's not as common or easy as stealing data off a wireless network (which doesn't require compromising a server) but it is possible so it is better to be safe than sorry and use HTTPS wherever you have the option, especially when transmitting personal data.
Do you know how this applies to mobile app connections once this rolls out to one’s account and is activated? I’d guess that mobile browsers would default to full https, but what about the FB apps for iOS, android, and blackberry? The FB app running in the background keeps me from using public wifi for benign browsing while out (gmail’s IMAP is secure); I use my data plan instead, since at least 3G connections are safer. But I haven’t seen app data encryption mentioned anywhere.
In Wales, don't have it…(yet)
In The Netherlands also no HTTPS option there..
Thank you for drawing attention to this improvement.
I am unable to see the https option on my own account, but it is available on my wife's account, using the same computer and broadband connection!
Could this be because I use Safari and she uses Firefox? Or could it be because her email address is a virgin.net POP account and mine is an IMAP account with AOL?
Further to my previous comment, I have now been able to activate https for Facebook on my Macintosh/Safari application, so perhaps they are now rolling the facility out at a faster rate.
Warning. Some of the app pages on facebook will complain about not being viewable over https connections and will ask for your permission to fall back to http. What is NOT explained is that this will uncheck your "use https" setting in your privacy settings, and it will remain unchecked until you go back in to your settings and reset your https box. Very annoying facebook.
When you leave Facebook to go to another application/game you are required to turn off the secure encryption. Then when you go back to Facebook you have to log out and then log back in in order to get the secure connection back.
I swear it's flawed on purpose. I can't get it to work worth a flip. I know it's supposed to disable it temporarily when you do apps and such but 75% it won't let you and you have to re-log and hope it works this time. BTW – feel free to friend me on Facebook (whew, say that 10 times fast). I try to give up-to-date info on any FB or computer security question. If I don't know, I research and find out very quickly for both our knowledge.
I have found so many apps in FB that are now not visible due to not carrying an SSL cert. So I think FB has already started investigating and disabling the apps which do not follow the FB rules.
If your Account Has Been Hacked And You Have Access To your Login Email
* Go here: https://ssl.facebook.com/help/contact.php?show_fo…
I have tried today to log into my Facebook account, and every time it sends me to the https Facebook. How do I disable this? I have two accounts, one for family and one for friends; the one for family works, it's the friends one I can't get to work. Please help.