Farewell Firesheep, Facebook Rolls Out Secure HTTPS Option

After the Firesheep  fiasco of last October, most people became keenly aware of how insecure they were on unencrypted websites like Facebook and Twitter. (In case you missed it, Firesheep is an add-on for Firefox that allows a malicious user to take control of your account on unsecure non-https websites when browsing on wi-fi)

Firesheep is very easy to block; all you need to do is access websites through their secure https connection (i.e. using https://www.google.com instead of http://www.google.com). Plugins like HTTPS Everywhere made this easy by automatically forcing your browser to use the https versions of popular websites.

Some websites started including an option to use the https version of the site by default. Gmail enabled this feature way back in 2008 (making it the default setting for everyone in January 2010), and even though it made the site a little slower, it was well worth it knowing your emails were safe from prying eyes.

Better late than never, Facebook recently announced that they too will include an option to browse the site via https by default. This option is gradually rolling out to all users starting today (I don’t have it yet at the time of this writing), with the full transition taking a few weeks.

To enable https connections by default on Facebook, expand the Account Security section of your Account Settings page. Click the check box under Secure Browsing (https) to enable the new feature.


As with all encrypted connections, there are a few things to know before making the switch. Https connections will probably be a little slower than standard unencrypted connections, and not all 3rd-party plugins will work right away. Facebook says they are working hard to resolve any issues with https connections.

Facebook is working to improve security in other ways as well. If Facebook detects suspicious activity on your account, they’ve started using a new feature called “Social Authentication” to confirm you are who you say you are. If you use Facebook in North Dakota at 8am and access it later that day from Moscow, a screen will appear asking you to identify a friends in a series of pictures. If you correctly identify your friends, Facebook has better certainty your account hasn’t been hacked.


If you’re interested in other ways to keep your Facebook account secure (like preventing your friends from writing terrible status updates on your profile), check out my previous guide about enabling account security with login notifications.






3 responses to “Farewell Firesheep, Facebook Rolls Out Secure HTTPS Option”

  1. Bryant Sombke Avatar

    In my opinion, this shouldn’t even be an “option.” HTTPS should be the standard for sites like Facebook, and HTTP could be available for exception cases. The average user is going to: A) Be too lazy B) Not care about the option C) be unaware of the option

  2. […] This post was mentioned on Twitter by carol walsh, Ray Selby. Ray Selby said: Farewell Firesheep, Facebook Rolls Out Secure HTTPS Option http://t.co/5aOdHJY via @techerator […]

  3. Pbvinge Avatar

    If your on a open network you are still screwed.


    Been around for a while, works almost flawlessly

Leave a Reply