Facebook recently announced that it’s in the process of rolling out HTTPS by default for all North American users, with plans to expand to the rest of the world soon.
“Way back in January 2011, Facebook announced it was implementing HTTPS to allow its many millions of users the ability to automatically encrypt their communications with the social network — preventing hackers and attackers from sniffing your sensitive data while using unencrypted wifi hotspots,” writes Sophos’ Graham Cluley. “However, Facebook made this enhancement to security ‘opt-in’ only. Which meant that most people never turned it on.”
“The use of HTTPS by default is a significant change for Facebook, a site that handles millions and millions of Web requests every day, just from its North American users alone, and is under constant attack by hackers,” notes Threatpost’s Dennis Fisher. “One of the common techniques used to compromise many users is a man-in-the-middle attack, through which attackers intercept traffic between a client and the server for which it’s intended. This attack is made much easier when that traffic is unencrypted and attackers don’t need to do anything fancy in order to get to it.”
“When this rolls in, users currently not using HTTPS will experience a slight slowdown changing to HTTPS — but [it’s] not that bad,” writes TweakTown’s Anthony Garreffa. “People will obviously complain of the slowdown, but there would be a hundred times more [complaints] if their accounts were hacked. You can’t have it both ways (at the moment), but we would highly recommend keeping the opted-in HTTPS option.”
“Personal info-driven business models like Facebook’s are built on trust,” notes TechCrunch’s Josh Constine. “It needs users to feel secure enough to keep donating their data, and that’s why this little green lock could turn into greenbacks over time.”
“Other online services, including Gmail, already use HTTPS by default,” notes CNN’s John D. Sutter.