It took a bit longer than I expected, but Facebook now offers the option for HTTPS all of the time. You can read the full details here:
Facebook has finally made the change, are you protecting your users?
This is nothing new, but a recently released tool demonstrates how easy it is for someone to hijack your sessions and pose as you on certain websites. This problem has been around as long as there have been websites where you log in. It is not a complex attack and has been made easier to execute with the proliferation of wireless networks.
Imagine that you’re out of the office, on the road or at the coffee shop and decide to read up on those that you follow on Twitter. You post an update or two, replying to your followers and continue working. Later that day, you realize that someone has posted updates as you on Twitter. Has someone hacked into your computer? Nope, but someone hijacked your session after you logged in to Twitter. The same thing could happen to you on Facebook, your blog (WordPress included) and many other web sites that don’t properly protect your data. Even if you use WPA/WPA2 encryption on your wireless network, you can still be vulnerable to this type of attack.
What can you do to protect yourself?
- Don’t use wireless networks (yeah, right…)
- Use a VPN to send your Internet traffic to a “trusted” network, then out to the Internet. This will protect you from attackers on the wireless network, but it only pushes the problem out to your “trusted” network. On top of that, some VPN clients sometimes just disconnect without warning and send all of your network traffic unprotected over the network without notifying you.
- Only use websites that send everything over SSL (check for the https:// in the URL) – Check out the HTTPS Everywhere extension for Firefox.
You run a website, what can you do to protect your users?
- Serve every part of your site over SSL when a user is logged in. It only costs $30/year for an SSL certificate to protect your users. There really is no excuse. Some certificate issuers charge over 50x that per year (yes, $1,500/year). The level of encryption is the same on those very expensive certificates as it is on the $30 certificates.
- Don’t serve mixed content. When you serve content over HTTPS and some images over HTTP, a warning pops up in the browser about some items on the page being insecure. Don’t desensitize your users to security warnings like this.
- When setting cookies for your users, set the Secure attribute on the cookie. This will make the browser only send that cookie with HTTPS requests.
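As an added example (not code from the original post), here is a small check a site operator could run against one of their own HTTPS responses to catch the last two items: cookies set without the Secure attribute and subresources loaded over plain HTTP. The function names, sample headers and sample HTML are constructed for illustration.

```python
from html.parser import HTMLParser

# Tags whose URL attribute makes the browser fetch a subresource.
URL_ATTR = {"img": "src", "script": "src", "iframe": "src", "link": "href"}

class MixedContentFinder(HTMLParser):
    """Collects subresources that an HTTPS page would load over plain HTTP."""
    def __init__(self):
        super().__init__()
        self.insecure = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        # Skip <link> tags that are not stylesheets (rel=canonical is never fetched).
        if tag == "link" and "stylesheet" not in (attrs.get("rel") or "").lower():
            return
        url = (attrs.get(URL_ATTR.get(tag, "")) or "").strip()
        if url.lower().startswith("http://"):
            self.insecure.append((tag, url))

def cookies_missing_secure(set_cookie_headers):
    """Return names of cookies whose Set-Cookie value lacks the Secure attribute."""
    missing = []
    for header in set_cookie_headers:
        parts = [p.strip() for p in header.split(";")]
        name = parts[0].split("=", 1)[0]
        attr_names = {p.split("=", 1)[0].strip().lower() for p in parts[1:]}
        if "secure" not in attr_names:
            missing.append(name)
    return missing

def audit_https_response(set_cookie_headers, html):
    finder = MixedContentFinder()
    finder.feed(html)
    return {"cookies_missing_secure": cookies_missing_secure(set_cookie_headers),
            "mixed_content": finder.insecure}

# Constructed sample data: Set-Cookie values and a page body from an HTTPS response.
SAMPLE_HEADERS = [
    "session_id=3f9a1c; Path=/; Secure",
    "remember_me=1; Path=/; Expires=Wed, 09 Jun 2032 10:18:14 GMT",
]
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="https://example.com/site.css">
<script src="http://cdn.example.com/app.js"></script>
</head><body><img src="http://example.com/logo.png">
<a href="http://example.com/about">About</a></body></html>"""

if __name__ == "__main__":
    print(audit_https_response(SAMPLE_HEADERS, SAMPLE_HTML))
```

Ordinary `<a href="http://…">` links are not reported, because the browser does not load them as part of the secure page.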
Be cautious about what you do when accessing the Internet over wireless networks. And remember, the work involved in using SSL/HTTPS is minimal compared to the protection it offers your users.
Contact us if you would like assistance configuring your web site & servers for SSL/HTTPS. If we are managing your servers, we’ll configure SSL/HTTPS at no additional cost.