Facebook Switching To HTTPS By Default
Trailrunner7 writes "Facebook this week will begin turning on secure browsing by default for its millions of users in North America. The change will make HTTPS the default connection option for all Facebook sessions for those users, a shift that gives them a good baseline level of security and will help prevent some common attacks. Facebook users have had the option of turning on HTTPS since early 2011 when the company reacted to attention surrounding the Firesheep attacks. However, the technology was not enabled by default and users have had to opt-in and manually make the change in order to get the better protection of HTTPS."
Would be helpful if I didn't need a password to read the linked article.
The proper link is:
https://threatpost.com/en_us/blogs/facebook-enabling-https-default-north-american-users-111912
Wonder what the implications are from a power consumption perspective?
Twitter did it a while back. Facebook finally jumped on the bandwagon. Now if only ChatRoulette would follow suit, I could finally bare every detail of my life to strangers without fear of prying eyes.
How can I believe you when you tell me what I don't want to hear?
Crystal Forest is supposed to have SSL acceleration built in. Ivy Bridge (2012) has AES acceleration built in on midrange i5s and up, and I think AES was supported by some processors as early as Sandy Bridge (2011). Crystal Forest is a platform rather than microarchitecture, and I'm not sure exactly when it will be released.
moox. for a new generation.
They've had a cert (and an https only option) for years. They apparently finally have the computing power to make it default (it's not free to encrypt every little transaction, and their pages auto update).
Of course, the biggest security vulnerability is on one end of the connection, and the biggest threat to privacy is on the other. HTTPS won't help much for those.
You do not have a moral or legal right to do absolutely anything you want.
This is really sad news. My driftnet/webcollage screen in my living room will get boring if it gets starved of all the neighbours' Facebook activity. https is killing all the fun!
Maybe they just want to make it harder for 3rd parties to see their traffic. Browsers won't show https URLs as a referer, so advertisers can't audit their click rates.
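The Referer behaviour the comment above refers to, as an added example that is not part of the original comment: under the browser default of the time (RFC 2616 section 15.1.3, today called "no-referrer-when-downgrade"), the header is withheld only when a secure page requests a non-secure URL. The function name `refererFor` and the `example` hosts are hypothetical.

```javascript
// Added example: models the "no-referrer-when-downgrade" rule only.
// Sites can override it with a Referrer-Policy; that is not modelled here.

const SECURE = new Set(['https:', 'wss:']);

// Returns the Referer value a browser following this rule would send when a
// page at `fromUrl` requests `toUrl`, or null when no header is sent.
function refererFor(fromUrl, toUrl) {
  const from = new URL(fromUrl);
  const to = new URL(toUrl);

  // Only http(s) documents produce a Referer (not file:, data:, about:).
  if (from.protocol !== 'http:' && from.protocol !== 'https:') return null;

  // Downgrade: secure page -> non-secure destination. The header is withheld
  // so the secure URL never crosses the network in cleartext.
  if (SECURE.has(from.protocol) && !SECURE.has(to.protocol)) return null;

  // Otherwise the page URL is sent, minus credentials and fragment.
  from.username = '';
  from.password = '';
  from.hash = '';
  return from.href;
}

// Constructed sample navigations (hosts are placeholders, not real sites).
const SAMPLES = [
  ['https://social.example/profile?id=42#wall', 'http://ads.example/click'],
  ['https://social.example/profile?id=42#wall', 'https://ads.example/click'],
  ['http://social.example/profile?id=42', 'http://ads.example/click'],
  ['https://user:pw@social.example/a', 'https://cdn.example/x.js'],
];

function auditSamples() {
  return SAMPLES.map(([from, to]) => ({ from, to, referer: refererFor(from, to) }));
}

for (const row of auditSamples()) {
  console.log(`${row.from} -> ${row.to}: ${row.referer ?? '(no Referer sent)'}`);
}
```

Only the first sample (HTTPS page, HTTP destination) loses the header; an advertiser serving its landing pages over HTTPS still receives it.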
Yes, I don't like the use of https where it's not needed. It's more overhead all around and YES it matters on busy servers and slow, high latency links. It can also mean the difference between accessing and not accessing the site with a misconfigured router (e.g. wrong MTU on a PPPoE connection can make SSL not work correctly. There's one ISP here that needs packets no larger than 1454 bytes or there's trouble signing into various services. The default on the routers is 1492 for PPPoE, which is supposed to be correct but gets people every time. The ISP doesn't "support" routers, unless they supply, configure and lock you out of them. So I get service calls over that all the time).
I do not need SSL on Google. Like I give a fuck if people snoop my search phrases. (I'll search for "kiss my ass" just in case the bogey man is listening) I would want SSL for signing in to, say, Gmail or something but I don't need it for all communications. Now that Google has carried the https over to Youtube, some silly browsers (e.g. IE8) prompt on the loading of every damned page because there's a mix of secure and non secure content. Really smart.
If you only use SSL when you have something to protect, then you are telling any attacker (including a government "attacker") exactly which data you think is important.
I really shouldn't have used someone else's email address for this account.
You mean those same governments whose root certs are already in 90% of computer trust chains?
Protip: your computer very likely trusts a root cert from a Chinese company with "strong" ties to their government. Sleep well.
Last year I succumbed to Facebook's nagging and I finally opted to raise my security to the HTTPS setting. Largely to shut it the @#$% up.
Nagging was worse than ad-supported software.
However once I did that my troubles began. None of the games I played would run under the HTTPS and instructed me to drop back to the HTTP security. However once I did that, Facebook was nagging me "Did I really want to do that?" and "Are you certain that this is wise? The higher security is better to protect your identity".
After several attempts I gave it up and left it at the HTTPS setting. Haven't played a Facebook game or run a Facebook app since.
So my question is...what's going to happen to all the people who are addicted to all the apps and games? Will they *finally* run under the higher security setting? Or are we going to hear the wailing and gnashing of teeth as people start going into withdrawal when they can't check on their farms to see if they got the magical macguffin of the week?
[I didn't notice that my comp was logged off of my account and posted it as an anon-coward]
-- Wiccan Army, 13th Airborne Division "We will not fly silently into the night"
Actually, without SSL Man in the Middle Attacks are very problematic. As a security researcher, I can tell you that it is very easy to cause mayhem with http-based traffic for facebook. We'd launch a proxy on the network, and funnel traffic through it. With no security, we could, for example, change the destination and content of messages, and see everything.
The man who cannot imagine a horse galloping on a tomato is an idiot - Andre Breton