Nice Try Facebook

Bruce Morton

The good news? Facebook is enabling you to experience their social media site entirely over HTTPS. The bad news is that HTTPS is not turned on by default. So if you want HTTPS, then you will have to figure it out yourself.

Although probably already in the works when Firesheep was released, it appears that Facebook has rushed its implementation of “HTTPS-all-the-time.” Unlike Google, which turned on HTTPS for Gmail by default, Facebook has left this valuable security feature as a user-chosen option.

My beef is that most users don’t know the threats and don’t know that they need HTTPS. If they are aware enough to enable HTTPS, then here are the steps:

1) Log on to Facebook
2) Go to “Account” at the top right menu
3) Under the drop-down menu, select “Account Settings”
4) Under the “Account Security” heading, select “Browse Facebook on a secure connection (https) whenever possible”
5) Click “Save”

The kicker is that the feature will be rolled out slowly, so if you’ve read Facebook’s blog or this blog and now know about it, you may have forgotten by the time it is available to you.

Nice try Facebook, but you need to step up your game and secure your users, by default.

Director, Certificate Technology & Standards

Bruce Morton has worked in the public key infrastructure and digital certificate industry for more than 15 years and has focused on SSL and other publicly trusted certificates since 2005. He has been an active member of the CA/Browser Forum that released guidelines for extended validation (EV) certificates and Baseline Requirements for SSL certificates. Bruce oversees the governance and compliance of Entrust’s publicly trusted PKI.

