Facebook is rolling out a more secure way to connect to its website, which will protect users from a widely publicized wireless networking attack called Firesheep.
The social-networking site starting Wednesday will let users connect to Facebook using an HTTPS secure Web connection, which offers extra assurance that they’re connecting to the website that they intend to reach, while also encrypting the data sent between the PC and Facebook.
This encryption makes it safer for people who log onto Facebook in places that have insecure wireless networks. It’s easy to sniff unencrypted Web traffic on unsecured Wi-Fi networks, so a hacker could walk into a Starbucks, for example, and start stealing information from people who are logged onto the network. Security researcher Eric Butler last year released Firesheep, a Firefox plugin that lets anyone log into a victim’s Facebook or Twitter account.
The new HTTPS option will thwart the Firesheep attack, said Roger Thompson, vice president of Web threat research with security vendor AVG.
But it won’t stop the biggest scams on Facebook. It won’t stop phishing, the Koobface worm, or viral scams that entice victims with the promise of interesting videos, but end up trying to sell them paid mobile-phone services, he said.
Over the past few years, consumer websites have begun using more HTTPS in order to make things more secure. It’s now used by default on Gmail and it’s an option for Hotmail users as well.
Right now, Facebook users will need to change their security settings to turn on the HTTPS option — and it isn’t yet available to all users — but the company expects it to gradually become more widespread. “We are rolling this out slowly over the next few weeks, but you will be able to turn this feature on in your Account Settings soon,” Facebook said Wednesday in a blog post announcing the feature. “We hope to offer HTTPS as a default whenever you are using Facebook sometime in the future.”
Robert McMillan covers computer security and general technology breaking news for The IDG News Service. Follow Robert on Twitter at @bobmcmillan. Robert’s e-mail address is email@example.com