Facebook praised for encrypting Web access by default

Facebook's decision to encrypt all communications with its millions of North American users won praise Monday from security experts, who said the move would protect users on public Wi-Fi networks.

Facebook quietly rolled out secure hypertext transfer protocol (HTTPS) last week, announcing in its Developer Blog (https://developers.facebook.com/blog/post/2012/11/14/platform-updates--operation-developer-love/) that all communications would be over the secure connection by default. Before the announcement, users had to opt in, which typically leads to low adoption rates.

HTTPS keeps the session cookie encrypted between logging in and logging out, preventing hackers from hijacking the session and impersonating the user. Google started rolling out HTTPS for all its services in 2010, while Twitter enabled the encrypted protocol by default in February. (http://www.csoonline.com/article/700427/twitter-enables-https-by-default)

Facebook joining the pack was welcome news to security experts who favor HTTPS use by all major Internet companies. "It's an important thing and everyone should do it," Wolfgang Kandek, chief technology officer for Qualys, said. "It's especially important since Facebook is moving more into e-commerce."

The importance of HTTPS was highlighted in 2010 with the release of a browser-based plug-in called Firesheep. The Wi-Fi sniffing tool published by security developer Eric Butler demonstrated the security vulnerabilities in the way session cookies for Facebook and Twitter were exchanged between servers and users' PCs.

The relatively simple tool was able to capture the session cookie traveling across a public wireless network without HTTPS turned on. If a user shut off his PC without logging out, then a hacker could use the cookie to impersonate the user on the site.
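Turning HTTPS on by default, as described above, only helps if the session cookie itself is marked so the browser never sends it over a plain http:// request; otherwise a single unencrypted request still exposes it on the same public Wi-Fi. The following is an added example (not code from the article or from Facebook, Twitter or any vendor quoted here) that audits a site's response headers for the cookie and transport protections that close that gap. The cookie name `session_id`, the header values and the `audit_session_cookie` / `build_session_cookie` helpers are all constructed for illustration.

```python
"""Audit response headers for the protections that make HTTPS-by-default
effective against Firesheep-style session-cookie capture.

Added example; not code from the article or from any site it names.
The cookie name "session_id" and all header values are constructed samples.
"""


def parse_set_cookie(header_value):
    """Split a Set-Cookie value into (name, value, {attribute: value}).

    Flag attributes without a value (Secure, HttpOnly) map to True;
    attribute names are lower-cased so lookups are case-insensitive.
    """
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return name.strip(), value, attrs


def build_session_cookie(name, value):
    """Return a hardened ("Set-Cookie", value) header pair.

    Secure   - never sent over plain http://, so a Wi-Fi sniffer cannot see it
    HttpOnly - not readable by script, limiting theft via injected JavaScript
    SameSite - not attached to cross-site requests from other origins
    """
    return ("Set-Cookie",
            f"{name}={value}; Path=/; Secure; HttpOnly; SameSite=Lax")


def audit_session_cookie(headers, cookie_name="session_id"):
    """Return a list of findings for the named cookie; an empty list means
    the cookie and the transport settings are hardened.

    `headers` is a list of (header-name, header-value) pairs as a server
    would emit them in its login response.
    """
    findings = []
    lowered = [(k.lower(), v) for k, v in headers]
    cookie_attrs = None
    for key, val in lowered:
        if key == "set-cookie":
            name, _, attrs = parse_set_cookie(val)
            if name == cookie_name:
                cookie_attrs = attrs
    if cookie_attrs is None:
        return [f"no Set-Cookie header for {cookie_name}"]
    if "secure" not in cookie_attrs:
        findings.append("missing Secure: cookie is also sent on http:// requests")
    if "httponly" not in cookie_attrs:
        findings.append("missing HttpOnly: cookie readable by page script")
    if "samesite" not in cookie_attrs:
        findings.append("missing SameSite: cookie attached to cross-site requests")
    if not any(k == "strict-transport-security" for k, _ in lowered):
        findings.append("missing HSTS: browser may still open with an http:// request")
    return findings


# Constructed sample responses: what a site that merely enabled HTTPS might
# still send, next to a hardened login response.
WEAK_RESPONSE_HEADERS = [
    ("Set-Cookie", "session_id=abc123; Path=/"),
]

HARDENED_RESPONSE_HEADERS = [
    build_session_cookie("session_id", "abc123"),
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
]

if __name__ == "__main__":
    for label, hdrs in (("weak", WEAK_RESPONSE_HEADERS),
                        ("hardened", HARDENED_RESPONSE_HEADERS)):
        print(label, audit_session_cookie(hdrs) or "OK")
```

The HSTS check matters because a user who types the site name without a scheme starts with an http:// request; the Strict-Transport-Security header tells the browser to skip that step on later visits, which is the remaining window a sniffer on the same network would otherwise have.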


The damage that can be done by such a hack was seen when actor Ashton Kutcher had his Twitter account hijacked during the brainbox TED conference last year. The hackers accessed the account over an unencrypted Wi-Fi connection and posted graffiti in his name.

For years, the use of HTTPS was avoided by sites out of fear of degrading performance due to higher demand on servers' processing power. However, today's more powerful processors and other technological advancements have mitigated any impact on performance.

"SSL is certainly more processing power, but it's really small and incremental," Chester Wisniewski, senior security adviser for Sophos, said. SSL, or Secure Sockets Layer, is the cryptographic protocol used in HTTPS communications.

In Facebook's case, implementing HTTPS was likely complicated by the fact that many third-party websites offer services through the social network. Examples would include online game makers such as Zynga.

Because many of those sites may not use HTTPS, Facebook had to figure out how to use its servers as an intermediary for communications with users. "Those are valid technical problems that are not easy to solve," Wisniewski said.

Nevertheless, Internet companies have to accept basic security, like HTTPS, as a necessary expense. "If you're going to run your business, you should do it in a secure and safe way for your customers," Wisniewski said. "And if it costs you money and a bunch of equipment, tough nuts. It's part of the cost of doing business."
