Improve Your Security on Facebook, Twitter and Google With HTTPS
In October 2010 a Firefox plugin called Firesheep hit the news. Using this tool, anyone can become a hacker and break into someone's Facebook or Twitter account without any hassle.
It does this by sniffing network traffic on open Wi-Fi networks and capturing a user's cookie. With this cookie Firesheep can pretend to be the victim and peek into his or her account, or even change the credentials and lock the victim out of the account.
Don't care for the details? Skip to the solution.
Why am I at risk?
The way computer networks work is by sending data to all the computers that are connected to the same local network. Each data packet contains a unique address and each computer that doesn’t match the address should ignore it. Firesheep, instead, reads all the data that should be ignored and this way it can capture your cookie(s).
Cookies—also known as sessions—are used by websites to keep identifying information about a user. When Firesheep captures the cookie and sends it back to the website, the website will think that it comes from the original user and grant access to the account.
Is there a solution? Yes, but…
There is a solution to this problem that has existed for years: it is called HTTPS, or SSL. This is a technique where all the data that is sent between a website and the browser is encrypted. All modern browsers support this technique; the only catch is that HTTPS has to be implemented by the website owner. Because implementation is expensive and adds a performance cost, most websites lack support, rendering them vulnerable to Firesheep. Popular websites that are vulnerable include Facebook, Twitter, Google, Gmail, Foursquare and many more.
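What "implemented by the website owner" has to cover for the session cookie to stay off the open network, as an added example that is not part of the original article: a small audit of response headers. It goes one step beyond the text by checking the cookie `Secure` attribute and the `Strict-Transport-Security` header, neither of which the article mentions; the hosts and header values are constructed samples.

```python
from urllib.parse import urlsplit

# Constructed sample responses (hypothetical hosts, not captured traffic).
SAMPLES = {
    "http://social.example/home": [
        ("Set-Cookie", "session=abc123; Path=/; HttpOnly"),
    ],
    "https://social.example/login": [
        ("Set-Cookie", "session=abc123; Path=/; HttpOnly"),
    ],
    "https://mail.example/": [
        ("Strict-Transport-Security", "max-age=31536000"),
        ("Set-Cookie", "session=abc123; Path=/; secure; HttpOnly"),
    ],
}

def cookie_attrs(value):
    """Split one Set-Cookie value into (cookie name, lower-cased attribute names)."""
    first, *rest = value.split(";")
    name = first.split("=", 1)[0].strip()
    attrs = {part.split("=", 1)[0].strip().lower() for part in rest if part.strip()}
    return name, attrs

def audit_response(url, headers):
    """Return findings for one response; headers is a list of (name, value) pairs."""
    https = urlsplit(url).scheme == "https"
    findings = []
    for header, value in headers:
        if header.lower() != "set-cookie":
            continue
        name, attrs = cookie_attrs(value)
        if not https:
            findings.append(f"{name}: set over plain HTTP, readable by anyone on the network")
        elif "secure" not in attrs:
            findings.append(f"{name}: no Secure attribute, also sent on http:// requests")
    if https and not any(h.lower() == "strict-transport-security" for h, _ in headers):
        findings.append("no Strict-Transport-Security header, http:// visits stay possible")
    return findings

if __name__ == "__main__":
    for url, headers in SAMPLES.items():
        print(url, audit_response(url, headers) or "ok")
```

The middle sample is the case a secure login page alone does not fix: the cookie is issued over HTTPS but still travels in the clear on any later http:// request to the same site.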
How to protect yourself?
Since the release of Firesheep, popular websites like Facebook and Twitter started to announce HTTPS implementations. Although that’s a good thing, they didn’t enable it as a default setting. You have to enable it for yourself.
Let me explain how you can enable this for some of the popular websites.
Facebook
In January Facebook rolled out a secure way to connect to its website. You can start connecting securely by navigating to https://www.facebook.com. Facebook should show you a message with a setting to make HTTPS the default.

Alternatively you can go to Account settings > Account Security and check ‘Browse Facebook on a secure connection (https) whenever possible’.

Twitter
In March Twitter announced that they added a user setting to let you always use HTTPS when accessing Twitter. You can find this setting under Settings > Account.

Gmail
Gmail offers its users an option ‘Always use https’. When you select this option, your browser will always be redirected to the secure version of Gmail.
You can set the options via Mail settings > General.

Google Search
Google offers secure search. It requires you to do your search via a different URL: https://encrypted.google.com. Secure search is currently in beta and offers less functionality than the regular Google Search, but—more importantly—it is secure! To take full advantage of this secure search, you have to update your bookmark(s), so that you always search via https://encrypted.google.com.

Foursquare
Foursquare recently tweeted that they completely switched to HTTPS, for their website, the mobile website and all the clients. You don’t have to do anything as HTTPS is the default.
Conclusion
Firesheep showed the world once more that the internet isn’t a secure place. Most people take their security for granted because their accounts are password protected—but they are wrong.
I strongly suggest that you start using HTTPS wherever possible.
Do you have any questions? Or do you know other popular places with HTTPS options that we should know of? Please tell me using the comment form below.
About Jeroen Fiege
Jeroen Fiege is a PHP web developer and founder of Webcreate. Follow him on Twitter at @fieg.

