Why and how to secure your Facebook and Twitter browsing


By Jason

In October 2010, Firesheep made it easy for anyone on the same unsecured wireless network as you to take over your Twitter or Facebook session. This was possible because neither Twitter nor Facebook had a default secure browsing (SSL) setting.

Twitter users complained that you actually had to type “s” in your browser bar (like this: https://twitter.com) to secure your session, while Facebook offered no secured browsing setting at all. So Facebook rushed out an https solution in early 2011.

Then Ashton Kutcher—who has replaced Tom from MySpace as everyone’s friend on the Internet—had his Twitter hacked at a TED conference, allegedly. I say allegedly because the tweets—one of which said “Dude, where’s my SSL?”—are still online and Kutcher clearly has control of the account. A little over a month later, Twitter added the default https option.

Sidejacking—while likely illegal and definitely unethical—offers hackers more potential for mischief than financial gain.

If you use unsecured wireless without a VPN, which isn’t a great idea, using URLs that begin with https is the only way to protect your account from a troublemaker. You’ll notice your bank and most login pages automatically send you to a secured page.

If you are a Facebook or Twitter user who ever uses unsecured networks, you should activate secured browsing now. Once you use secured browsing in Facebook and Twitter, not only will your session activity be secured but you’ll also automatically get a secured page when you log in via any browser you’ve used since you secured your account.
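For site operators, the gap described above (a secured login page followed by an unsecured session) is visible in the response headers. The following is an added example, not part of the original post: it audits constructed headers for session cookies that lack the `Secure` attribute. The cookie names, the naming heuristic and the HSTS check are assumptions made for illustration.

```python
from http.cookies import SimpleCookie

# Constructed response headers (not captured from any real site): a login
# served over HTTPS that sets its session cookie without the Secure attribute.
SAMPLE_HEADERS = [
    ("Set-Cookie", "session_id=abc123; Path=/; HttpOnly"),
    ("Set-Cookie", "csrf=xyz789; Path=/; Secure; HttpOnly"),
    ("Set-Cookie", "lang=en; Path=/"),
]

# The same response after the fix: Secure on every cookie, plus HSTS so the
# browser stops making plain-http requests to the host at all.
FIXED_HEADERS = [
    ("Strict-Transport-Security", "max-age=31536000"),
    ("Set-Cookie", "session_id=abc123; Path=/; Secure; HttpOnly"),
    ("Set-Cookie", "csrf=xyz789; Path=/; Secure; HttpOnly"),
    ("Set-Cookie", "lang=en; Path=/; Secure"),
]

# Assumed heuristic for spotting cookies that carry a login session.
SESSION_HINTS = ("sess", "auth", "token", "sid")


def audit_response(headers):
    """Return (names of cookies the browser would send over http, HSTS set?)."""
    exposed, hsts = [], False
    for name, value in headers:
        lname = name.lower()
        if lname == "strict-transport-security":
            hsts = True
        elif lname == "set-cookie":
            jar = SimpleCookie()
            jar.load(value)
            for key, morsel in jar.items():
                # Without Secure, the cookie rides along on any http:// request.
                if not morsel["secure"]:
                    exposed.append(key)
    return exposed, hsts


def sidejack_risk(headers):
    """Classify a response as 'exposed', 'mitigated-by-hsts' or 'ok'."""
    exposed, hsts = audit_response(headers)
    session_like = [c for c in exposed
                    if any(hint in c.lower() for hint in SESSION_HINTS)]
    if not session_like:
        return "ok"
    return "mitigated-by-hsts" if hsts else "exposed"
```
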

(Default secure browsing is only reliable when using Facebook and Twitter through a web browser. From what I see, Facebook mobile apps do not use SSL. Official Twitter apps will use SSL by default if you select the option, but you have to check if your third-party apps offer this feature.)

How to turn on secure browsing in Facebook

(Warning: This feature may slow your Facebook browsing experience. So you may not want to use it if you are in a secured network or use a VPN.)

Go to Account.

Select Account Settings.

By Account Security click “Change”.

Under “Secure Browsing (https)”, click the box that says “Browse Facebook on a secure connection (https) whenever possible”.

Now, if you ever use an app, you’ll see this message.

WARNING: If you click continue, you are no longer in secured browsing. Whoops.

As soon as you finish with the app, go back and repeat this process. You need to reactivate secure browsing before you log out so that you get a secured login page the next time you want to use your Facebook account.

How to turn on secure browsing in Twitter

While logged in to Twitter via a web browser, go to settings.

Next to “HTTPS Only”, click the box that says “Always use HTTPS.”

Click “Save”.

Dude, there’s your SSL.

Cheers,

Jason

7 Comments

  1. Posted March 17, 2011 at 20:55 | Permalink

    This is something I’ve been trying to reiterate time and again to my readers, too! How easy and simple to do, and how great it really is! I enjoyed your post!

  2. Amandeep Singh
    Posted March 19, 2011 at 09:11 | Permalink

    Thank you very much F-Secure….

  3. Nikhil
    Posted March 24, 2011 at 21:13 | Permalink

    Thanks….

  4. Posted March 26, 2011 at 09:26 | Permalink

    I just tried https here https://safeandsavvy.f-secure.com/ and encountered a warning about an invalid certificate. Seems it’s registered by wordpress.com instead of f-secure.

    • Jason
      Posted March 31, 2011 at 14:47 | Permalink

      That’s correct, Keith. We use WordPress.com’s secure web hosting.

      • Posted March 31, 2011 at 23:08 | Permalink

        My point was that the certificate does not match the domain of the URL. I realize it’s a WordPress site, but shouldn’t your web page be using your f-secure.com certificate, as it’s done on many other web hosting sites? In my opinion a security information site should offer its web pages as https so readers could be confident that they are not viewing bogus information.

    • Posted April 1, 2011 at 10:33 | Permalink

      HTTPS/SSL is not designed to validate the site. It is used to secure your session with a site.

      Safe and Savvy uses VIP WordPress hosting (http://vip.wordpress.com/). Though the URL says F-Secure, the blog itself is hosted on a WordPress.com server, so it’s their certificate.

      WordPress doesn’t really use HTTPS/SSL sessions unless you’re logged into your WordPress account’s dashboard.

      In theory, tools such as Firesheep can be used to hijack your WordPress session, which could then be used to comment as you on a blog… but as most WP blog comments are moderated, I don’t really see the point. Nobody “follows” my WordPress account and so, the “trust” isn’t there to be protected.

      Using HTTPS with Twitter and Facebook isn’t to prevent others from seeing what you’re browsing, but to protect your “voice” (session) as they are more closely tied to a real-world reputation that most people want to protect.

      To secure one’s browsing… a VPN is the solution. Not HTTPS/SSL.

One Trackback

  1. [...] Wi-Fi If you’re connecting to a wireless network you don’t control, use a VPN. If you can’t, secure your browsing whenever possible with https [...]
