Jump to content


Facebook Enabling HTTPS by Default for North American Users

  • Please log in to reply
7 replies to this topic

#1 Asrokhel



  • 1,027 posts
  • Joined: 05-April 12
  • OS: Windows 8 Pro x64 (testing to see if I keep it or go back to Windows 7)

Posted 19 November 2012 - 17:06

Facebook this week will begin turning on secure browsing be default for its millions of users in North America. The change will make HTTPS the default connection option for all Facebook sessions for those users, a shift that gives them a good baseline level of security and will help prevent some common attacks.

Facebook users have had the option of turning on HTTPS since early 2011 when the company reacted to attention surrounding the Firesheep attacks. However, the technology was not enabled by default and users have had to in and manually make the change in order to get the better protection of HTTPS.

Now, users will have to manually turn HTTPS off if they don't want it, a distinction that is a major change, especially for Facebook's massive user base, which has become a major target for attackers.

"As announced last year, we are moving to HTTPS for all users. This week, we're starting to roll out HTTPS for all North America users and will be soon rolling out to the rest of the world," the company said on its developer site.

The use of HTTPS by default is a significant change for Facebook, a site that handles millions and millions of Web requests every day, just from its North American users alone, and is under constant attack by hackers. One of the common techniques used to compromise many users is a man-in-the-middle attack, through which attackers intercept traffic between a client and the server for which it's intended. This attack is made much easier when that traffic is unencrypted and attackers don't need to do anything fancy in order to get to it.

HTTPS encrypts the connection between the user's machine and the server on the other end, obscuring it from attackers, even if they are able to sniff the traffic on the wire or on a wireless connection. The technology is by no means a cure-all for Web-based attacks, however, as there have been demonstrations of attacks that enable third parties to snoop on encrypted traffic and grab valuable data, such as usernames and passwords or financial information. In 2011 a pair of researchers developed a technique called the BEAST attack that essentially broke the confidentiality model of SSL--the encryption protocol used for HTTPS connections--by enabling attackers to steal and decrypt secure cookies.

Using HTTPS also won't protect you if there is malware on your machine that's capable of logging keystrokes. But it is an important change for a leading site such as Facebook, something that has become not just a social network but also an e-commerce platform. There are a number of other changes that users can make on their profiles and in their interactions with the site to help secure Facebook. See our How to Secure Facebook video for more suggestions.


#2 Royalty™


    Inventing the Future

  • 849 posts
  • Joined: 01-December 11
  • Location: Los Angeles
  • OS: Windows 7 Ultimate
  • Phone: Samsung Galaxy Note 4

Posted 19 November 2012 - 17:11

I think I've always been browsing on HTTPS. It's good to know I'm safe. :)

#3 SuperKid


    Im no superman

  • 2,548 posts
  • Joined: 21-April 08
  • OS: Windows 8.1, OS X 10.10, iOS 8
  • Phone: iPhone 6 Plus

Posted 19 November 2012 - 17:14

I think I've always been browsing on HTTPS. It's good to know I'm safe. :)

Same, always been using https with Facebook!

#4 Yusuf M.

Yusuf M.

  • 21,504 posts
  • Joined: 25-May 04
  • Location: Toronto, ON
  • OS: Windows 8.1 Pro
  • Phone: OnePlus One 64GB

Posted 19 November 2012 - 17:20

I've been using HTTPS for a very long time now. You can enable it at Account Settings > Security Settings > Secure Browsing. Check off the box that says "Browse Facebook on a secure connection (https) when possible".

#5 +Audien


    Software Eng.

  • 4,572 posts
  • Joined: 30-December 03
  • Location: Seattle, WA
  • OS: Windows 10/Mac OSX
  • Phone: iPhone 6

Posted 19 November 2012 - 17:27

I thought this was the case already like 2 years ago but I might be thinking of Gmail.

#6 grik



  • 823 posts
  • Joined: 14-November 01
  • Location: Portugal

Posted 19 November 2012 - 17:28

Sure hope so they do it to the rest of the world too. It should be standard.

Offtopic: i just noticed, on the 14th this month it was the 11th year Neowin Membership...woooow :)
Really glad i joined at that time, i was one of the first members nº 3576.

#7 Ambroos


    Neowinian Senior

  • 6,232 posts
  • Joined: 16-January 06
  • Location: Belgium
  • OS: OS X Yosemite / Windows 7
  • Phone: Sony Xperia Z2

Posted 19 November 2012 - 17:33

I think Neowin is one of the only non-HTTPS sites I visit regularly. Facebook, Twitter, all Google stuff, all stuff from my school, all secure.

#8 Glassed Silver

Glassed Silver

    ☆♡Neowin's portion of Crazy♡☆

  • 10,729 posts
  • Joined: 10-June 04
  • Location: MY CATFORT in Kassel, Germany
  • OS: OS X ML; W7; Elementary; Android 4
  • Phone: iPhone 5 64GB Black (6.0.2)

Posted 19 November 2012 - 17:42

Well, this was long overdue if you ask me.

Glad to see better security rolled out as standard to more people though.
Better late than never. :)

Glassed Silver:mac