Helping people with computers... one answer at a time.

Facebook is enabling the "https" option, and you should turn it on, particularly if you visit open WiFi hotspots. I'll show you how.

I've heard that Facebook has https now? Where? How do I turn it on?

This is important. You should do this right away.

Recent news has highlighted an application called "FireSheep" that makes it super easy to capture the usernames and logins from people who might be logging into services like Facebook while at a coffee shop or other location with an open WiFi connection.

Https is one answer, and Facebook seems to have taken action.

Turning On Https in Facebook

Log in to Facebook, click on the Account drop-down in the upper right, and click on the Account Settings option:

Facebook account settings link

On the resulting page click on the change link next to Account Security:

The Change link on the Facebook Security item

That will expose the "Secure Browsing (https)" option:

https option in Facebook

(As I write this, the https option is in the process of being rolled out, so not everyone may have it yet. Keep checking.)

Make sure this is checked.

Now. Just go do it.

Contrary to some statements I've seen, https will not noticeably impact the speed of either your computer or Facebook.

Why is this Important?

The problem is our old friend: open WiFi hotspots.

The program I mentioned, "FireSheep", is an add-on to the Firefox browser that simply captures and displays the usernames and passwords of people who are on an open WiFi hotspot and are logging in to services like Facebook.

And it does so very, very simply.

Because most folks don't take appropriate precautions when using an open WiFi hotspot, they're frequently logging into those services and exposing their login credentials to anyone who might be in range.

This isn't really a new problem; FireSheep is just an example program that shows how easy it is to do. The author released it with the hope that internet services like Facebook would be forced (or shamed?) into taking action.

Action like supporting https.

Used properly, https encrypts the entire conversation with the internet service - including your username and password. Anyone eavesdropping at your open WiFi hotspot will see only gibberish.
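What "used properly" means in practice, as an added example that is not part of the original article: https protects only the requests that actually use it, so a session that logs in over https and later drops back to http still sends something identifying you in the clear. The request list, hostnames and cookie value below are constructed, and the function names are hypothetical.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed sample: the requests one browser session made, in order.
# Hostnames, paths and values are made up for illustration.
SAMPLE_SESSION = [
    {"method": "POST", "url": "https://www.example.test/login",
     "headers": {"Content-Type": "application/x-www-form-urlencoded"},
     "body": "email=alice%40example.test&pass=REDACTED"},
    {"method": "GET", "url": "https://www.example.test/home",
     "headers": {"Cookie": "session=CONSTRUCTED123"}, "body": ""},
    # The site drops back to http for one feature (a game, chat, ...).
    {"method": "GET", "url": "http://apps.example.test/game",
     "headers": {"Cookie": "session=CONSTRUCTED123"}, "body": ""},
    {"method": "GET", "url": "http://www.example.test/logo.png",
     "headers": {}, "body": ""},
]

# Form field names treated as passwords (an assumption for this example).
CREDENTIAL_FIELDS = {"pass", "password", "passwd"}


def cleartext_exposures(requests):
    """Return (index, url, what) for every request that sent a login
    secret or a session cookie over unencrypted http."""
    findings = []
    for i, req in enumerate(requests):
        if urlsplit(req["url"]).scheme.lower() == "https":
            continue  # encrypted: an eavesdropper sees only gibberish
        headers = {k.lower() for k in req.get("headers", {})}
        if "cookie" in headers:
            findings.append((i, req["url"], "session cookie"))
        if "authorization" in headers:
            findings.append((i, req["url"], "authorization header"))
        fields = {name.lower() for name in parse_qs(req.get("body", ""))}
        if fields & CREDENTIAL_FIELDS:
            findings.append((i, req["url"], "password field"))
    return findings


def session_is_protected(requests):
    """True only if nothing identifying the user ever left in cleartext."""
    return not cleartext_exposures(requests)


if __name__ == "__main__":
    for idx, url, what in cleartext_exposures(SAMPLE_SESSION):
        print(f"request {idx}: {what} sent in cleartext to {url}")
```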

That's why computer folks have been insisting you use https for banking for a long time.

As it turns out, your login credentials for services like Facebook and others are often just as important to keep secure.

And now you can.

Go do it.

Now.

Article C4724 - January 27, 2011

Leo A. Notenboom has been playing with computers since he was required to take a programming class in 1976. An 18 year career as a programmer at Microsoft soon followed. After "retiring" in 2001, Leo started Ask Leo! in 2003 as a place for answers to common computer and technical questions.


19 Comments
Beamer Smith
January 28, 2011 8:30 PM

I wish your items were date stamped so I would know how new they are. This one (https on facebook) says that my account may not have it yet, but I do not know how long I have been waiting/ or should wait.

All articles are datestamped at the end of the article on the right - just above the sharing buttons.
Leo
29-Jan-2011

Cameron C. Cook
January 29, 2011 11:06 AM

The https is NOT available on my facebook page. Not where it says it is anyway. I've been unable to find it. I'm using a MAC computer, but I tried on my Win XP laptop with the same result. It only gives me the opportunity to put a checkmark in a box to send me an email if another computer logs into my account. What am I doing wrong?

You missed this statement in the article: "(As I write this, the https option is in the process of being rolled out, so not everyone may have it yet. Keep checking.)"
Leo
29-Jan-2011

Cameron C. Cook
January 30, 2011 7:02 AM

Ah, yes. I did indeed miss that. Thanks Leo. I'll keep checking...

dsinclair10
February 1, 2011 8:53 AM

Did it. Just now. Easy-peasy!! Thanks!

steve
February 1, 2011 9:30 AM

Thank you for the info. Changed it on my wife's and my own computers.

sirpaul2
February 1, 2011 9:39 AM

If you don't have the option in your account settings yet, you can manually enable the 'https' on Facebook simply by adding an 's' after the 'http' in the address bar.

Ggugvrunt
February 1, 2011 2:36 PM

If I understand it correctly, Firesheep does not allow other people to see or change your Facebook password, it simply lets them spoof your current connection and make posts or upload photos as if they were you. Not the end of the world but could be extremely embarrassing.
I agree that this setting should definitely be changed if available though.

Regardless, other tools readily available most certainly can and do expose user ids and passwords in unencrypted connections.
Leo
01-Feb-2011

David Powell
February 1, 2011 3:50 PM

It's pretty obvious, but the article doesn't specifically tell you to "save" the change under Secure Browsing.

Kathy
February 2, 2011 7:35 AM

It was easy to do but the first game I went to play said it couldn't be accessed using the https and it switched me back to http. I play a LOT of games on Facebook so I'm not sure this will help me. But I will definitely keep in mind if I ever take the laptop to a WIFI zone.

dgupton
February 2, 2011 6:46 PM

FB now has a "save" button to save your "https" settings.

Sven
February 3, 2011 5:12 AM

I use https to log in, but then let it revert to http. That way, the chat/instant messenger works.

Michael
February 3, 2011 8:09 PM

Does turning on https interfere with my FB connection with Twitter? My tweets used to post on Facebook as well, but now they don't. My posts on my Wall still show in Twitter though.

I wouldn't expect it to, but it probably depends on what technique you're using to get the tweets into Facebook.
Leo
04-Feb-2011

Vishnu
April 6, 2011 1:19 PM

If I don't use WiFi, is it important to turn on https?

Perhaps not as important, but I still do it to thwart anyone who might be listening in on a non-WiFi connection. Significantly less likely, but why not be safe?
Leo
10-Apr-2011

Pet
August 9, 2011 10:12 PM

I don't see this by following the instructions above. I'm in Thailand. You mentioned it's being rolled out but that was in January - surely it would be worldwide by now?

Dale
August 11, 2011 6:28 AM

These instructions are not correct; you might want to update them. Account in the upper right / select Account Settings / select Security on the top left column / "Secure Browsing Edit Secure browsing is currently enabled." If it says this you're fine; if not, click on Edit to correct.

Tefkir
September 12, 2011 12:05 PM

Hi All,

For mobile https facebook access, check this:

http://www.goodreflex.com/why-facebook-cannot-be-logged-in-securely-through-https-on-mobile-devices/

Juliet
September 26, 2011 10:22 AM

What about Business Fan Pages, I keep reading that pages need to be protected by a SSL certificate by 1st October but don't know how to get one? Thank you for any help you can give!

I don't believe fan pages are affected - they just work as they are off of the facebook.com domain. What DOES need to change are Facebook applications - if you don't know what those are, or you know you've never created one, then you don't need to worry either.
Leo
30-Sep-2011

suneth
December 29, 2011 6:16 AM

Thank you for this article
100%

Wade B
April 3, 2012 1:36 PM

thank you, I've had issues on my home comp. that only allowed me to browse it in https format. Now I don't need to type it every second
