Facebook offers HTTPS browsing, but not yet by default

Facebook has finally added a new feature to browse the popular social network on a secure connection. However, it is not yet turned on by default.
Written by Ryan Naraine, Contributor

Facing a wave of criticism for not offering a secured browsing option, Facebook has finally added a new feature to browse the popular social network on a secure connection (https).

However, HTTPS browsing is not turned on by default and must be manually activated from an “Account Settings” page on Facebook.

Here's the company's explanation:

If you've ever done your shopping or banking online, you may have noticed a small "lock" icon appear in your address bar, or that the address bar has turned green. This indicates that your browser is using a secure connection ("HTTPS") to communicate with the website and ensure that the information you send remains private. Facebook currently uses HTTPS whenever your password is sent to us, but today we're expanding its usage in order to help keep your data even more secure.

Starting today we'll provide you with the ability to experience Facebook entirely over HTTPS. You should consider enabling this option if you frequently use Facebook from public Internet access points found at coffee shops, airports, libraries or schools.

However, instead of being on by default (as it is with Gmail, for example), Facebook is urging users to activate secure browsing via the "Account Security" section of the Account Settings page.

The new feature will effectively kill tools like Firesheep, which were created to highlight the weaknesses of Web sites that don't offer a secure browsing option. Firesheep, released as a Firefox plug-in, offered a point-and-click interface to fully compromise Facebook browsing sessions.

Facebook says the new feature may slow down surfing on the site because encrypted sessions typically take longer to load. In addition, some Facebook features, including many third-party applications, are not currently supported in HTTPS, which will cause problems.

The company says it hopes to offer HTTPS as a default setting "sometime in the future."
