
Facebook Beefs Up Site Security, At Long Last

Facebook will start allowing users to do all their social networking via HTTPS connections (also known as SSL encryption), the most widely used form of security on the web. Until now Facebook has only used HTTPS on its login page, where users type in their passwords. The change comes almost a year after the Federal Trade Commission called on Facebook and other internet companies to start using HTTPS encryption by default, a suggestion that was widely echoed by privacy advocates. Facebook has been under close scrutiny when it comes to privacy issues, and with three major browser companies having recently proposed improvements to protect user privacy, the company surely understands that it can’t be seen to be a laggard while the online privacy movement gathers steam.

When users access web services over public networks, like WiFi in a coffee shop, without HTTPS, they are vulnerable to attackers on the same network who can intercept the information they exchange online, including the session cookie that keeps them logged in, or even hijack their accounts outright.
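The point above, that encrypting only the login page leaves the rest of the session exposed, comes down to how the site sets its cookies and whether it tells browsers to stay on HTTPS. The audit below is an added example (not Facebook's code or anything from the original post) that checks constructed sample response headers for the two weaknesses involved: session cookies without the Secure flag, and a missing Strict-Transport-Security header. The header values and the cookie name `sessionid` are assumptions for illustration.

```python
"""Audit HTTP response headers for the settings that let a logged-in session
be read or replayed over plain http:// on an open network.
Added example; the sample headers below are constructed, not captured."""
from http.cookies import SimpleCookie

# Constructed headers from a site that only uses HTTPS on its login page:
# the session cookie is not marked Secure, so a browser will also send it
# with every http:// request, and there is no HSTS header to prevent that.
WEAK_HEADERS = [
    ("Set-Cookie", "sessionid=abc123; Path=/; Domain=.example.com"),
    ("Set-Cookie", "lang=en; Path=/"),
]

# The same site after hardening: every cookie is Secure, the session cookie is
# also HttpOnly, and HSTS tells the browser to upgrade http:// links itself.
HARDENED_HEADERS = [
    ("Set-Cookie", "sessionid=abc123; Path=/; Domain=.example.com; Secure; HttpOnly"),
    ("Set-Cookie", "lang=en; Path=/; Secure"),
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
]


def audit_headers(headers, session_names=("sessionid",)):
    """Return a list of findings for a list of (name, value) header pairs.
    An empty list means no transport weakness was detected."""
    findings = []
    hsts_present = any(name.lower() == "strict-transport-security" for name, _ in headers)
    if not hsts_present:
        findings.append("no Strict-Transport-Security header: browser may still visit http:// URLs")
    for name, value in headers:
        if name.lower() != "set-cookie":
            continue
        jar = SimpleCookie()
        jar.load(value)  # parses attributes and the Secure / HttpOnly flags
        for cookie_name, morsel in jar.items():
            if not morsel["secure"]:
                findings.append(f"cookie {cookie_name} lacks Secure: sent in cleartext over http://")
            if cookie_name in session_names and not morsel["httponly"]:
                findings.append(f"session cookie {cookie_name} lacks HttpOnly: readable by page scripts")
    return findings


if __name__ == "__main__":
    for label, headers in (("weak", WEAK_HEADERS), ("hardened", HARDENED_HEADERS)):
        print(label, audit_headers(headers) or ["ok"])
```

The weak configuration yields four findings and the hardened one none; the same function can be pointed at headers captured from any site you administer.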

Facebook security engineer Alex Rice explained the change in a post on the corporate blog. While users can now experience the whole site with the security of HTTPS, it won’t happen by default; they’ll have to go and change their user settings, which Rice’s post explains how to do.

Another drawback is that some Facebook features and some third-party apps that interact with Facebook still won’t support HTTPS, but that should be resolved within the next few weeks, Rice writes.

The other change announced is a novel security mechanism the company is calling “social authentication.” When user accounts show suspicious activity, such as “if you logged in from California in the morning and then from Australia a few hours later,” the site will ask a user to verify their identity by showing a few user photos and naming those friends.

The whole thing could be filed under “interesting timing,” because it’s all happening the day after the “fan page” of Facebook CEO Mark Zuckerberg got hacked. That is a coincidence, though, because in reality changing a website as big as Facebook (now the world’s most popular) can’t be done in a day.

Lots of popular web services, including email providers, still aren’t using HTTPS security as their default setting. Google (NSDQ: GOOG) switched Gmail users over to an HTTPS-by-default setting just over one year ago, but Gmail continues to be an outlier in that regard.