Facebook Switching To HTTPS By Default
Trailrunner7 writes "Facebook this week will begin turning on secure browsing by default for its millions of users in North America. The change will make HTTPS the default connection option for all Facebook sessions for those users, a shift that gives them a good baseline level of security and will help prevent some common attacks. Facebook users have had the option of turning on HTTPS since early 2011 when the company reacted to attention surrounding the Firesheep attacks. However, the technology was not enabled by default and users have had to opt in and manually make the change in order to get the better protection of HTTPS."
Would be helpful if I didn't need a password to read the linked article.
They've had a cert (and an HTTPS-only option) for years. They apparently finally have the computing power to make it default (it's not free to encrypt every little transaction, and their pages auto-update).
Of course, the biggest security vulnerability is on one end of the connection, and the biggest threat to privacy is on the other. HTTPS won't help much for those.
You do not have a moral or legal right to do absolutely anything you want.
Maybe they just want to make it harder for 3rd parties to see their traffic. Browsers won't show HTTPS URLs as a referer, so advertisers can't audit their click rates.
If you only use SSL when you have something to protect, then you are telling any attacker (including a government "attacker") exactly which data you think is important.
I really shouldn't have used someone else's email address for this account.
You mean those same governments whose root certs are already in 90% of computer trust chains?
Protip: your computer very likely trusts a root cert from a Chinese company with "strong" ties to their government. Sleep well.
I don't know but I'm sure the waste ratio hasn't increased from 100%.
Indeed. The "heavy" part of SSL is doing the connection setup and exchange, as it uses asymmetric algorithms like RSA or Diffie-Hellman for key exchange. The actual bulk encrypted transport is relatively lightweight. It never made much sense to me to spend the cycles to set up a secure connection, use it for protecting the login/password, and then drop back to an insecure page when you could just keep the same connection secure for minimal additional resources.
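An added example, not part of the thread: a small check for the "HTTPS for login, plain HTTP afterwards" pattern described in the comment above, run over constructed response headers. The function name `audit_response`, the host `example.test` and the cookie name `sid` are assumptions made for illustration.

```python
# Added example: flag responses that let a session fall back to cleartext HTTP.
# All header values below are constructed sample data, not captured traffic.

def audit_response(url, headers):
    """Return a list of findings for one HTTP response.

    headers is a list of (name, value) tuples in the order received.
    """
    findings = []
    over_https = url.lower().startswith("https://")
    seen = {name.lower() for name, _ in headers}

    for name, value in headers:
        lname = name.lower()
        if lname == "set-cookie":
            parts = [p.strip() for p in value.split(";")]
            cookie = parts[0].split("=", 1)[0]
            attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
            # Without Secure the browser also sends the cookie over http://,
            # where anyone on the same network can read it.
            if "secure" not in attrs:
                findings.append(f"cookie-not-secure: {cookie}")
        elif lname == "location" and over_https:
            if value.lower().startswith("http://"):
                findings.append(f"downgrade-redirect: {value}")

    # HSTS tells the browser to refuse plain HTTP for this host in future.
    if over_https and "strict-transport-security" not in seen:
        findings.append("missing-hsts")
    return findings


LOGIN_URL = "https://example.test/login"      # constructed
WEAK = [                                      # login-only HTTPS
    ("Set-Cookie", "sid=abc123; Path=/; HttpOnly"),
    ("Location", "http://example.test/home"),
]
HARDENED = [                                  # HTTPS for the whole session
    ("Set-Cookie", "sid=abc123; Path=/; Secure; HttpOnly"),
    ("Strict-Transport-Security", "max-age=31536000"),
    ("Location", "https://example.test/home"),
]

if __name__ == "__main__":
    for label, hdrs in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit_response(LOGIN_URL, hdrs))
```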
Actually, without SSL, man-in-the-middle attacks are very problematic. As a security researcher, I can tell you that it is very easy to cause mayhem with HTTP-based traffic for Facebook. We'd launch a proxy on the network, and funnel traffic through it. With no security, we could, for example, change the destination and content of messages, and see everything.
The man who cannot imagine a horse galloping on a tomato is an idiot - Andre Breton