Helping people with computers... one answer at a time.

Facebook is enabling the "https" option, and you should turn it on, particularly if you visit open WiFi hotspots. I'll show you how.

I've heard that Facebook has https now? Where? How do I turn it on?

This is important. You should do this right away.

Recent news has highlighted an application called "FireSheep" that make it super easy to capture the usernames and logins from people who might be logging into services like Facebook while at a coffee shop or other location with an open WiFi connection.

Https is one answer, and Facebook seems to have taken action.

Turning On Https in Facebook

Log in to Facebook, click on the Account drop-down in the upper right, and click on the Account Settings option:

Facebook account settings link

On the resulting page click on the change link next to Account Security:

The Change link on the Facebook Security item

That will expose the "Secure Browsing (https)" option:

https option in Facebook

(As I write this, the https option is in the process of being rolled out, so not everyone may have it yet. Keep checking.)

Make sure this is checked.

Now. Just go do it.

Contrary to some statements I've seen, https will not noticeably impact the speed of either your computer or Facebook.

Why is this Important?

The problem is our old friend: open WiFi hotspots.

The program I mentioned, "FireSheep", is an addon to the Firefox browser that simply captures and displays the usernames and passwords of people who are on an open WiFi hotspot and are logging in to services like Facebook.

And it does so very, very simply.

Because most folks don't take appropriate precautions when using an open WiFi hotspot they're frequently logging into those services and exposing their login credentials to anyone who might be in range.

This isn't really a new problem, FireSheep is just an example program that shows how easy it is to do. The author released it with the hope that internet services like Facebook would be forced (or shamed?) into taking action.

Action like supporting https.

Used properly https encrypts the entire conversation with the internet service - including your username and password. Anyone eavesdropping at your open WiFi hotspot will see only gibberish.

That's why computer folks have been insisting you use https for banking for a long time.

As it turns out your login credentials for services like Facebook and others are often just as important to keep secure.

And now you can.

Go do it.


Article C4724 - January 27, 2011 « »

Share this article with your friends:

Share this article on Facebook Tweet this article Email a link to this article
Leo Leo A. Notenboom has been playing with computers since he was required to take a programming class in 1976. An 18 year career as a programmer at Microsoft soon followed. After "retiring" in 2001, Leo started Ask Leo! in 2003 as a place for answers to common computer and technical questions. More about Leo.

Not what you needed?

Beamer Smith
January 28, 2011 8:30 PM

I wish your items were date stamped so I would know how new they are. This one (https on facebook) says that my account may not have it yet, but I do not know how long I have been waiting/ or should wait.

All articles are datestamped at the end of the article on the right - just abouve the sharing buttons.

Cameron C. Cook
January 29, 2011 11:06 AM

The https is NOT available on my facebook page. Not where it says it is anyway. I've been unable to find it. I'm using a MAC computer, but I tried on my Win XP laptop with the same result. It only give me the opportunity to put a checkmark in a box to send me an email if another computer logs into my account. What am I doing wrong?

You missed this statement in the article: "(As I write this, the https option is in the process of being rolled out, so not everyone may have it yet. Keep checking.)"

Cameron C. Cook
January 30, 2011 7:02 AM

Ah, yes. I did indeed miss that. Thanks Leo. I'll keep checking...

February 1, 2011 8:53 AM

Did it. Just now. Easy-peasy!! Thanks!

February 1, 2011 9:30 AM

thank you for the info. changed it on my wifes and my own computers.

February 1, 2011 9:39 AM

If you don't have the option in your account settings yet, you can manually enable the 'https' on Facebook simply by adding an 's' after the 'http' in the address bar.

February 1, 2011 2:36 PM

If I understand it correctly, Firesheep does not allow other people to see or change your Facebook password, it simply lets them spoof your current connection and make posts or upload photos as if they were you. Not the end of the world but could be extremely embarassing.
I agree that this setting should definitely be changed if available though.

Regardless, other tools readily available most certainly can and do expose user ids and passwords in unencrypted connections.

David Powell
February 1, 2011 3:50 PM

It's pretty obvious, but the article doesn't specifically tell you to "save" the change under Secure Browsing.

February 2, 2011 7:35 AM

It was easy to do but the first game I went to play said it couldn't be accessed using the https and it switched me back to http. I play a LOT of games on Facebook so I'm not sure this will help me. But I will definitely keep in mind if I ever take the laptop to a WIFI zone.

February 2, 2011 6:46 PM

FB now has a "save" button to save your "https" settings.

February 3, 2011 5:12 AM

I use https to log in, but then let it revert to http. That way, the chat/instant messenger works.

February 3, 2011 8:09 PM

Does turning on https interfere with my FB connection with Twitter? My tweets used to post on Facebook as well, but now they don't. My posts on my Wall still show in Twitter though.

I wouldn't expect it to, but it probably depends on what technique you're using to get the tweets into Facebook.

April 6, 2011 1:19 PM

If I don't use WiFi, is it important to turn on https?

Perhaps not as important, but I still do it to thwart anyone who might be listening in on a non-WiFi connection. Significantly less likely, but why not be safe?

August 9, 2011 10:12 PM

I don't see this by following the instructions above. I'm in Thailand. You mentioned it's being rolled out but that was in January - surely it would be worldwide by now?

August 11, 2011 6:28 AM

These instructions are not correct you might want to update them Account in the upper right / select Account Settings / select Security on the top left column / "Secure Browsing Edit Secure browsing is currently enabled. if says this your fine if not click on Edit to correct.

September 12, 2011 12:05 PM

Hi All,

For mobile https facebook access, check this :

September 26, 2011 10:22 AM

What about Business Fan Pages, I keep reading that pages need to be protected by a SSL certificate by 1st October but don't know how to get one? Thank you for any help you can give!

I don't believe fan pages are affected - they just work as they are off of the domain. What DOES need to change are Facebook application - if you don't know what those are, or you know you've never created one, then you don't need to worry either.

December 29, 2011 6:16 AM

thank you for this artical

Wade B
April 3, 2012 1:36 PM

thank you, I've had issues on my home comp. that only allowed me to browse it in https format. Now I don't need to type it every second

Comments on this entry are closed.

If you have a question, start by using the search box up at the top of the page - there's a very good chance that your question has already been answered on Ask Leo!.

If you don't find your answer, head out to to ask your question.