Three months after Firesheep was released into the wild, Facebook has begun rolling out end-to-end HTTPS encryption as an opt-in-only feature for users. Secure HTTPS browsing vastly increases user security by encrypting traffic at the browser level, preventing packet sniffing while members use unsecured wireless connections such as those found at coffee shops.
For years, session cookies, which carry user authentication information, have been vulnerable to hijacking. Even when users log in through a secure page, many sites, Facebook included, resend the session cookie over an unsecured connection, allowing anyone on the same network to hijack the session and gain complete access to that account. In a test using Firesheep, I was able to see dozens of Facebook, Yahoo, and other account sessions with a simple click. Up until now, the solution has been to install two Firefox add-ons: HTTPS Everywhere and Forced TLS in combination offered secure browsing of Facebook but also broke some features such as chat. With the new feature built into Facebook, users should be able to use Facebook securely while maintaining full functionality.
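The leak described above has a server-side counterpart: a cookie marked `Secure` is never attached to a plain HTTP request, so the browser cannot re-send it in the clear. The following is an added example, not code from the original post, that audits constructed `Set-Cookie` headers for session-like cookies missing that flag; the cookie names and the `SESSION_NAME_HINTS` heuristic are assumptions.

```python
"""Audit Set-Cookie headers for session cookies that would be sent over plain HTTP.

Added example (not from the original post). The header lines at the bottom are
constructed sample data, not captured traffic from any real site.
"""
from typing import Dict, List

# Cookie names treated as carrying authentication state (heuristic assumption).
SESSION_NAME_HINTS = ("sess", "sid", "auth", "token", "login")


def parse_set_cookie(header_value: str) -> Dict[str, object]:
    """Split one Set-Cookie value into name, value and lower-cased attribute flags."""
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, object] = {}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        # Valueless attributes such as Secure / HttpOnly become True.
        attrs[key.strip().lower()] = val.strip() if val else True
    return {"name": name.strip(), "value": value, "attrs": attrs}


def looks_like_session_cookie(name: str) -> bool:
    """Return True when the cookie name suggests it carries a login session."""
    lowered = name.lower()
    return any(hint in lowered for hint in SESSION_NAME_HINTS)


def audit_cookies(set_cookie_headers: List[str]) -> List[str]:
    """Return names of session-like cookies that lack the Secure attribute.

    Without Secure, the browser attaches the cookie to any http:// request for
    the domain, which is the condition a passive sniffer on open wifi relies on.
    """
    exposed = []
    for header in set_cookie_headers:
        cookie = parse_set_cookie(header)
        if looks_like_session_cookie(cookie["name"]) and "secure" not in cookie["attrs"]:
            exposed.append(cookie["name"])
    return exposed


# Constructed sample headers: one session cookie is safe, two would leak over HTTP.
SAMPLE_HEADERS = [
    "sessionid=abc123; Path=/; HttpOnly; Secure",
    "auth_token=xyz789; Path=/; HttpOnly",
    "prefs=dark; Path=/",
    "login_id=12345; Domain=.example.com; Path=/",
]

if __name__ == "__main__":
    for name in audit_cookies(SAMPLE_HEADERS):
        print(f"session cookie '{name}' is sent over plain HTTP (missing Secure)")
```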
Unfortunately, for whatever reason, Facebook has decided to make this an opt-in feature buried several levels deep in account settings. Anyone who uses unsecured wifi should immediately enable secure browsing. To do this, follow these steps.
- Go to Account > Account Settings
- Click Change and you should see a new check box for secure browsing. (Facebook is rolling this out in phases, so not all users will see this option. Check back later if you do not see it.)