Facebook praised for encrypting Web access by default

Facebook's decision to encrypt all communications with its millions of North American users won praise Monday from security experts, who said the move would protect users on public Wi-Fi networks.

Facebook quietly rolled out secure hypertext transfer protocol (HTTPS) last week, announcing in its Developer Blog (https://developers.facebook.com/blog/post/2012/11/14/platform-updates--operation-developer-love/) that all communications would be over the secure connection by default. Before the announcement, users had to opt-in, which typically leads to low adoption rates.

HTTPS keeps the session cookie encrypted between logging in and logging out, preventing hackers from hijacking the session and impersonating the user. Google started rolling out HTTPS for all its services in 2010, while Twitter enabled the encrypted protocol by default in February (http://www.csoonline.com/article/700427/twitter-enables-https-by-default).

Facebook joining the pack was welcome news to security experts who favor HTTPS use by all major Internet companies. "It's an important thing and everyone should do it," Wolfgang Kandek, chief technology officer for Qualys, said. "It's especially important since Facebook is moving more into e-commerce."

The importance of HTTPS was highlighted in 2010 with the release of a browser-based plug-in called Firesheep. The Wi-Fi sniffing tool published by security developer Eric Butler demonstrated the security vulnerabilities in the way session cookies for Facebook and Twitter were exchanged between servers and users' PCs.

The relatively simple tool was able to capture the session cookie traveling across a public wireless network without HTTPS turned on. If a user shut off his PC without logging out, then a hacker could use the cookie to impersonate the user on the site.
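As an added example (not code from the article, Facebook, or Firesheep), the audit below checks an HTTP response's headers for the exposure just described: a session cookie that can cross the network in cleartext, or that stays usable long after the user walks away. It assumes the session cookie is named `sid`, and both sample responses are constructed.

```python
# Added example: audit a response for the session-cookie exposure Firesheep relied on.
# Sample responses below are constructed, not captured from any real site.

def parse_head(raw: str):
    """Split a raw HTTP response head into (status_line, [(name, value), ...])."""
    head = raw.split("\r\n\r\n", 1)[0]
    status, *lines = head.split("\r\n")
    headers = []
    for line in lines:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return status, headers


def audit_session_cookie(raw: str, session_cookie: str, served_over_https: bool):
    """Return a list of findings; an empty list means the session cookie is protected.

    session_cookie: name of the cookie identifying the logged-in session (assumed 'sid'
    here; real sites differ). served_over_https: whether the response arrived over TLS,
    which the headers alone do not record."""
    _, headers = parse_head(raw)
    findings = []
    if not served_over_https:
        findings.append("served over plain HTTP: every header, cookie included, is readable on the wire")
    if not any(n == "strict-transport-security" for n, _ in headers):
        findings.append("no Strict-Transport-Security: a later http:// visit to the site is still possible")
    for name, value in headers:
        if name != "set-cookie":
            continue
        cookie_name, _, rest = value.partition("=")
        if cookie_name.strip() != session_cookie:
            continue
        # Attributes follow the value, separated by ';' (Secure, HttpOnly, Max-Age=..., ...)
        attrs = {}
        for part in rest.split(";")[1:]:
            key, _, val = part.strip().partition("=")
            attrs[key.lower()] = val
        if "secure" not in attrs:
            findings.append(f"{session_cookie}: missing Secure, so the browser also sends it over http://")
        max_age = attrs.get("max-age", "")
        if max_age.isdigit() and int(max_age) > 86400:
            findings.append(f"{session_cookie}: Max-Age={max_age}s, a captured cookie outlives the browser session")
    return findings


# Constructed responses: the opt-in era (cookie set without Secure) and the hardened form.
WEAK = ("HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
        "Set-Cookie: sid=abc123; Path=/; Max-Age=2592000\r\n\r\n")
HARDENED = ("HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
            "Strict-Transport-Security: max-age=31536000\r\n"
            "Set-Cookie: sid=abc123; Path=/; Secure; HttpOnly\r\n\r\n")

if __name__ == "__main__":
    for label, raw, tls in (("weak", WEAK, False), ("hardened", HARDENED, True)):
        print(label, audit_session_cookie(raw, "sid", tls) or ["ok"])
```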


The damage that can be done by such a hack was seen when actor Ashton Kutcher had his Twitter account hijacked during the brainbox TED conference last year. The hackers accessed the account over an unencrypted Wi-Fi connection and posted graffiti in his name.

For years, the use of HTTPS was avoided by sites out of fear of degrading performance due to higher demand on servers' processing power. However, today's more powerful processors and other technological advancements have mitigated any impact on performance.

"SSL is certainly more processing power, but it's really small and incremental," Chester Wisniewski, senior security adviser for Sophos, said. SSL, or Secure Sockets Layer, is the cryptographic protocol used in HTTPS communications.

In Facebook's case, implementing HTTPS was likely complicated by the fact that many third-party websites offer services through the social network. Examples would include online game makers such as Zynga.

Because many of those sites may not use HTTPS, Facebook had to figure out how to use its servers as an intermediary for communications with users. "Those are valid technical problems that are not easy to solve," Wisniewski said.

Nevertheless, Internet companies have to accept basic security, like HTTPS, as a necessary expense. "If you're going to run your business, you should do it in a secure and safe way for your customers," Wisniewski said. "And if it costs you money and a bunch of equipment, tough nuts. It's part of the cost of doing business."
