In October in 2010, Firesheep made it easy for anyone on the same unsecured wireless network as you to take over your Twitter or Facebook session. This was possible because neither Twitter nor Facebook had a default secure browsing (SSL) setting.
Twitter users complained that you actually had to type “s” in your browser bar (like this: https://twitter.com) to secure your session. While Facebook offered no secured browsing setting at all. So Facebook rushed out an https solution in early 2011.
Then Ashton Kutcher—who has replaced Tom from MySpace as everyone’s friend on the Internet—had his Twitter hacked at a TED conference, allegedly. I say allegedly because the tweets—one of which said “Dude, where’s my SSL?” –are still online and Kutcher clearly has control of the account. A little over a month later, Twitter added the default https option.
Sidejacking—while likely illegal and definitely unethical—offers hackers more potential for mischief than financial gain.
If you use unsecured wireless without a VPN, which isn’t a great idea, using URLs that begin with https is the only way to protect your account from a trouble maker. You’ll notice your bank and most login pages automatically send you to a secured page.
If you are a Facebook or Twitter user who ever uses unsecured networks, you should activate secured browsing now. Once you use secured browsing in Facebook and Twitter, not only will your session activity be secured but you’ll also automatically get a secured page when you log in via any browser you’ve used since you secured your account.
(Default secure browsing is only reliable when using Facebook and Twitter through a web browser. From what I see, Facebook mobile apps do not use SSL. Official Twitter apps will use SSL by default if you select the option, but you have to check if your third-party apps offers this feature.)
How to turn on secure browsing in Facebook
(Warning: This feature may slow your Facebook browsing experience. So you may not want to use it if you are in a secured network or use a VPN. )
Go to Account.
By Account Security click “Change”.
Under “Secure Browsing (https)”, click the box that says “Browse Facebook on a secure connection (https) whenever possible”.
Now, if you ever use an app, you’ll see this message.
WARNING: If you click continue, you are no longer in secured browsing. Whoops.
As soon as you finish with the app, go back and repeat this process. You need to reactivate the page before you log out to a secured login page the next time you want to use your Facebook account.
How to turn on secure browsing in Twitter
While logged in to Twitter via a web browser, go to settings.
Next to “HTTPS Only ” click the box that says “Always use HTTPS. ”
Dude, there’s your SSL.
After F-Secure principal security consultant Tom Van de Wiele stepped into the #CyberSauna for the second episode of…
January 19, 2018