The good news? Facebook is enabling you to use its social media site entirely over HTTPS. The bad news is that HTTPS is not turned on by default, so if you want it, you will have to enable it yourself.
Although probably already in the works when Firesheep (the Firefox extension that demonstrated session hijacking of plain-HTTP sites over shared Wi-Fi) was released, it appears that Facebook has rushed its implementation of “HTTPS-all-the-time.” Unlike Google, which turned on HTTPS for Gmail by default, Facebook has left this valuable security feature as a user-chosen option.
My beef is that most users don’t know the threats and don’t know that they need HTTPS. If they are aware enough to want it, here are the steps to enable it:
1) Log on to Facebook
2) Go to “Account” at the top right menu
3) Under the drop-down menu, select “Account Settings”
4) Under the “Account Security” heading, select “Browse Facebook on a secure connection (https) whenever possible”
5) Click “Save”
The kicker is that the feature will be rolled out slowly, so if you’ve read Facebook’s blog or this blog and now know about it, you may have forgotten about it by the time it is available to you.
Nice try, Facebook, but you need to step up your game and secure your users by default.