Robin pointed out an article about Facebook security today that made me think about some things that everyone who browses the web should know about but which the article unfortunately neglects to discuss. The article is about the fact that, until today, Facebook has been available only through the hypertext transfer protocol (“HTTP”) and not through the encrypted hypertext transfer protocol secure (“HTTPS”). That sounds a bit technical and boring but if you ever use Facebook on an open wireless network (in a cybercafe, for example), you probably want to pay attention to this particular issue. If you don’t care about the details of how this works, at least read the next to the last paragraph where I explain all the steps (including one not mentioned in the orginal article) to keep yourself secure when using Facebook.
When you use your browser (Internet Explorer or Firefox are two of many, many examples) to browse the web, you are making connections from your computer to computers all over the world. That is, when you put an address in the address box or you click a link on a page, you are sending a message from your computer to a computer out on the Internet, requesting some sort of service. These computers all over the Internet come from many different hardware manufacturers and run many different operating systems. To make sure that your computer can communciate with that computer out on the Internet, your browser must specify the protocol to use. A protocol is simply a set of rules that specify a kind of language that the two computers agree to communicate in. HTTP is one of these sets of rules while HTTPS is a different set of rules. The difference between these two protocols has to do with security. If your computer communicates using HTTP, every request for service is sent as plain text which means that if someone can listen to your request (by grabbing your messages from the wireless network, for example), that request can be read. If, on the other hand, your computer communicates using HTTPS, your request is encrypted which means that someone listening to your request (other than the computer that you’re making the request of) will hear jibberish.
What do protocols have to do with you and Facebook? Up until today, Facebook has only allowed communication to occur in plain text. So if someone on the same wireless network as you listened in on your communication with the Facebook computers, they would be able to read everything that you sent, including your username and password. So anytime you used a wireless network in a cybercafe to check your Facebook account, anyone else within that cafe (who had a bit of technical skill) would be able to capture your username and password. This vulnerability is not something unusual within computing circles. And the fact that Facebook has ignored it until now is pretty unconscionable. A Seattle programmer named Eric Butler decided to push the issue and created a browser extension called Firesheep that made it extremely easy for anyone to capture HTTP messages on public networks. In response, Facebook has finally allowed HTTPS (encrypted) communication to its computers.
There are two things you need to do in order to use Facebook securely. First, you need to change your account settings within Facebook. The original article that Robin posted explains how to do this. Go to Account Settings (under the Account menu in the upper right corner) and scroll down the third to the last item in the list, which is called Account Security. Choose change and check the box that says “Browse Facebook on a secure connection (https) whenever possible.” But it is really important that you also take a second step in order to be secure when you are browsing on an open network. Up until today, whenever any of us has started to communicate with Facebook’s computers, we have typed in (or clicked a link to) the following address: http://www.facebook.com Notice the letters before the colon–HTTP. We begin our communication with Facebook’s computers in an insecure way. We then enter our usernames and passwords in an insecure way. When Facebook then realizes that this is an account that has requested secure communication, it changes the way the two computers communicate with each to HTTPS. The problem is that we have already sent our username and password in an insecure way. So the second step you have to take is that when you type in Facebook’s address, you MUST type: https://www.facebook.com so that the communication begins securely. This second step is the one that the original article neglects to mention.
I set up my account to communicate securely with Facebook whenever possible. Unfortunately, many applications on Facebook cannot use a secure connection. That is, every time I play Scrabble or Go, for example, I have to change to an insecure connection. So for now, I’m leaving my settings so that I communicate via HTTP rather than HTTPS. I guess I’ll just have to remember to change my security settings before I leave home to use any computer (including my own) on an open public network. That’s my only option because I’m definitely not going to stop playing my games.