Facebook announced on its Developer Blog that North Americans will start using HTTPS over Wi-Fi networks to better protect authentication cookies from being spoofed and used by cyber-crooks.
Encrypting cookies for the duration of the logged-in session is thought of as a secure way of communicating between users and Facebook’s servers, and experts suggest that more service providers should adopt this change.
Although Google adopted HTTPS in December 2010 and Twitter in February, Facebook’s implementation required more planning as third-party developers such as game developer Zynga offer services through the social network.
Using HTTPS ensures that weaknesses in the way Facebook cookies are handled cannot be exploited by sniffing traffic over Wi-Fi to impersonate users. Security buffs praise the new approach, and although Facebook said the change only affects North American users, the service will be launched on a global scale sometime soon.
“As announced last year, we are moving to HTTPS for all users. This week, we’re starting to roll out HTTPS for all North America users and will be soon rolling out to the rest of the world,” said Facebook on their Developer Blog.
Although implementing HTTPS requires more server processing power from Facebook, experts believe the extra security measure is worth the time and investment. Facebook fans may also be less reluctant to use Wi-Fi networks as the risk of cookie hijacking dims.
With all due respect, I believe that the article is somewhat mis-titled.
Unencrypted communications are a privacy risk. A Wi-Fi link in the connection chain merely increases the risk. The risk is still there on a wired network, as is the risk of there being a shared key or unencrypted network link in the chain between the browser and the server.
The better title might have been: “Facebook adopts HTTPS to Guard User Privacy”. The involvement of Wi-Fi is secondary.