Facebook finally enables HTTPS by default, we give away free T-shirts to celebrate


Back of T-Shirt

In April 2011, Naked Security wrote an open letter to Facebook about security and privacy.

Eighteen months later, it looks like we have some reason to celebrate – as Facebook appears to be saying “yes” to one of the three steps we asked it to take to better protect its users.

Way back in January 2011, Facebook announced it was implementing HTTPS to give its many millions of users the ability to automatically encrypt their communications with the social network – preventing hackers and attackers from sniffing their sensitive data while using unencrypted wifi hotspots.

Accessing Facebook with HTTPS enabled

However, Facebook made this enhancement to security “opt-in” only. Which meant that most people never turned it on.

In Naked Security’s open letter, we asked Facebook to do a better job with HTTPS.

As we wrote to them at the time:

"We welcome you recently introducing an HTTPS option, but you left it turned off by default. Worse, you only commit to provide a secure connection “whenever possible”. Facebook should enforce a secure connection all the time, by default. Without this protection, your users are at risk of losing personal information to hackers."

A posting last week on Facebook’s developer blog quietly announced that the site was finally going to follow our suggestion:

Facebook quietly announces the roll-out of https

In the blog post, Facebook said that it was finally starting to roll out HTTPS to its North American users, with the rest of the world following “soon”.

We want to say this really clearly and loudly, so we’ll use a big font:

Well done Facebook!

Sure, we might have liked it if Facebook had enabled HTTPS by default more quickly, but it would be churlish to grumble now they’re doing it.

If you can’t wait for Facebook to turn on HTTPS/SSL in your neck of the woods, you should set it up for yourself. Log into your Facebook account and navigate to Account settings / Security where you should be able to enable “Secure Browsing”.

Security settings

Of course, Facebook’s roll out of HTTPS leaves us with a problem. We have a large pile of “Dislike” t-shirts that explain the three steps we’d like to see Facebook implement to improve privacy and security.

Clearly, with the roll out of HTTPS, one of those now needs to be crossed out.

So, we need to get rid of our T-shirts. We’ve decided the fairest thing to do would be to offer them to loyal subscribers to our email newsletter. Every month, until our stocks run out, we’re going to give away 10 of these limited edition T-shirts to randomly selected newsletter subscribers.

Pile of t-shirts

If you’re not already a subscriber to our newsletter, you can sign up here.

T-SHIRT GIVEAWAY TERMS & CONDITIONS: You need to be signed up for our email newsletter at the time that we randomly select winners. If you’ve previously won a t-shirt from us in the giveaway, you can’t win again. If you’re a Sophos employee, tough luck – you can’t win. If you’re a Facebook employee, sure – feel free to subscribe and you might win a t-shirt, but we’re not going to give you special treatment.

If you win, you will be contacted via email (naturally) to ask for your snail-mail address, so we can send you the shirt. It’s kinda tricky otherwise. We’ll do our best to give you a t-shirt in the size you want, but – hey – our stock is limited, so don’t be too peeved if you get a baggy one. Your email address is only used for sending you the newsletter (you can unsubscribe at any time) and for asking you where we should send the t-shirt. No spam, we promise. We’re nice guys.

Make sure that you keep informed about the latest security and privacy issues affecting Facebook users. Join the Sophos page on Facebook, where over 190,000 people regularly share information on threats and discuss the latest security news.