Wednesday, January 26, 2011

Yet Another Facebook Security Hole to Plug

Yeah Facebook transfers your credentials in the clear without encryption unless you make the change outlined in this article.

Facebook has at long last offered an option to use the encrypted "HTTPS" protocol, a feature it will begin rolling out today but won't finish for a "few weeks." You should check now if it's available, and sign up as soon as it is enabled for your account. The performance overhead is minor—zippy Gmail, for example, uses HTTPS for everything—and it's an important step to keep your Facebook account safe from being hijacked on an open or poorly secured wireless network.

By default, Facebook sends your access credentials in the clear, with no encryption whatsoever. Switching to HTTPS is important because a browser extension called Firesheep has made it especially easy for anyone sharing your open wireless network—at cafe or conference, for example—to sniff your credentials and freely access your account. One blogger sitting in a random New York Starbucks was able to steal 20-40 Facebook identities in half an hour. HTTPS solves this longstanding problem by encrypting your login cookies and other data; in fact the inventor of Firesheep made the software to encourage companies like Facebook to finally lock down their systems.

Oh well, yet another thing you have to make sure to set when you are using Facebook. Why HTTPS isn't in place as a default I have no idea but oh well.

No comments: