Move to HTTPS will protect users accessing the social network via public Wi-Fi networks

Facebook’s decision to encrypt all communications with its millions of North American users won praise Monday from security experts, who said the move would protect users on public Wi-Fi networks.

Facebook quietly rolled out secure hypertext transfer protocol (HTTPS) last week, announcing in its Developer Blog (https://developers.facebook.com/blog/post/2012/11/14/platform-updates–operation-developer-love/) that all communications would be over the secure connection by default. Before the announcement, users had to opt in, which typically leads to low adoption rates.

HTTPS keeps the session cookie encrypted between logging in and logging out, preventing hackers from hijacking the session and impersonating the user. Google started rolling out HTTPS for all its services in 2010, while Twitter enabled the encrypted protocol by default in February (http://www.csoonline.com/article/700427/twitter-enables-https-by-default).

Facebook joining the pack was welcome news to security experts who favor HTTPS use by all major Internet companies. “It’s an important thing and everyone should do it,” Wolfgang Kandek, chief technology officer for Qualys, said. “It’s especially important since Facebook is moving more into e-commerce.”

The importance of HTTPS was highlighted in 2010 with the release of a browser-based plug-in called Firesheep. The Wi-Fi sniffing tool, published by security developer Eric Butler, demonstrated the security vulnerabilities in the way session cookies for Facebook and Twitter were exchanged between servers and users’ PCs. The relatively simple tool was able to capture the session cookie traveling across a public wireless network without HTTPS turned on. If a user shut off his PC without logging out, then a hacker could use the cookie to impersonate the user on the site.
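A defender can check whether a site still lets its session cookie travel unencrypted by auditing the response headers. The sketch below is an added example, not code from Facebook or from the article; the cookie names and header blocks are constructed, and the `Secure` cookie attribute and `Strict-Transport-Security` header it checks are standard HTTP mechanisms the article itself does not mention.

```python
# Added example; the header blocks below are constructed sample data.

def parse_set_cookie(value):
    """Split one Set-Cookie value into (cookie name, lower-cased attributes)."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        if part:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()
    return name, attrs


def audit_headers(raw_headers, scheme):
    """Return (finding, cookie_name) tuples for a response fetched over `scheme`."""
    findings, has_hsts = [], False
    for line in raw_headers.strip().splitlines():
        field, sep, value = line.partition(":")
        if not sep:
            continue  # status line, no header field
        field = field.strip().lower()
        if field == "strict-transport-security":
            has_hsts = True
        elif field == "set-cookie":
            name, attrs = parse_set_cookie(value)
            if scheme == "http":
                # The cookie itself just crossed the network unencrypted.
                findings.append(("cleartext-set", name))
            elif "secure" not in attrs:
                # Without Secure the browser also attaches it to http:// requests.
                findings.append(("missing-secure", name))
    if scheme == "https" and not has_hsts:
        # No HSTS: a later http:// link or typed URL can still start in cleartext.
        findings.append(("no-hsts", None))
    return findings


WEAK = """HTTP/1.1 200 OK
Content-Type: text/html
Set-Cookie: session_id=abc123; Path=/; HttpOnly
Set-Cookie: lang=en; Path=/; Secure
"""

HARDENED = """HTTP/1.1 200 OK
Strict-Transport-Security: max-age=31536000
Set-Cookie: session_id=abc123; Path=/; Secure; HttpOnly
"""

if __name__ == "__main__":
    print(audit_headers(WEAK, "https"))
    print(audit_headers(HARDENED, "https"))
```
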
The damage that can be done by such a hack was seen when actor Ashton Kutcher had his Twitter account hijacked during the brainbox TED conference last year. The hackers accessed the account over an unencrypted Wi-Fi connection and posted graffiti in his name.

For years, the use of HTTPS was avoided by sites out of fear of degrading performance due to higher demand on servers’ processing power. However, today’s more powerful processors and other technological advancements have mitigated any impact on performance.

“SSL is certainly more processing power, but it’s really small and incremental,” Chester Wisniewski, senior security adviser for Sophos, said. SSL, or Secure Sockets Layer, is the cryptographic protocol used in HTTPS communications.

In Facebook’s case, implementing HTTPS was likely complicated by the fact that many third-party websites offer services through the social network. Examples would include online game makers such as Zynga.

Because many of those sites may not use HTTPS, Facebook had to figure out how to use its servers as an intermediary for communications with users. “Those are valid technical problems that are not easy to solve,” Wisniewski said.

Nevertheless, Internet companies have to accept basic security, like HTTPS, as a necessary expense. “If you’re going to run your business, you should do it in a secure and safe way for your customers,” Wisniewski said. “And if it costs you money and a bunch of equipment, tough nuts. It’s part of the cost of doing business.”