Thanks to some fancy math, it just got a lot harder for someone to snoop on your Facebook conversations. And that's all thanks to Facebook's decision to automatically scramble the communications stream from your keyboard to the actual site itself.
The move actually entails changing the method your communications take before they land on a Facebook page. What used to be a wide-open, snoop-able, stream of communications emanating from your keyboard to your latest status update is now protected by a secure method called "HTTPS."
In January 2011, Facebook allowed users to opt into HTTPS, and alluded to a future default setting. The project of scaling HTTPS for all Facebook users while preserving the site’s performance presented a technical challenge, but Facebook says that it’s addressed those concerns. This is a very welcome move from CDT’s perspective as HTTPS provides a secure connection between users and websites. While users can opt out of the switch, Facebook’s move to HTTPS by default within North America (and to the rest of the world early next year) will provide users with heightened security as they use the world’s most popular social network service.
CDT has previously discussed how easy (and possibly illegal) it is to eavesdrop on non-encrypted HTTP — normal web surfing, while describing the benefits of the secure HTTPS version. Here's how it works: the HTTPS protocol encrypts the communication link from the user to the website, preventing eavesdroppers — for example, on open Wi-Fi networks — from snooping on your web surfing activity. Technically, what happens here is that the user’s browser and the destination server do some fancy math to exchange a secret key. With that secret key, the browser can then wrap communications sent to the server in a “sheath” or “tunnel” of encryption that is virtually impossible to break open. Many institutions, such as banks and payment processors, have long used HTTPS by default in order to protect their users’ security and ensure that sensitive data remains private.
As more and more websites collect and maintain important and possibly sensitive user data, HTTPS can prevent the unwanted collection of your private information. While Facebook facilitates sharing information among individuals, users constantly pick and choose which of their Facebook friends can see specific posts or information. The move to HTTPS ensures that strangers don’t get access to that data that Facebook users believe they have safeguarded.
Of course, Facebook’s move to HTTPS does not inoculate users against security breaches or other kinds of malware. A secure connection to an unintended party could still be a security risk, and phishing schemes — where a seemingly innocuous link actually points to a malicious website — carried out via email could use HTTPS in the URL (such as https://faceb00k.com) and still collect user data. Yet Facebook’s decision to move to HTTPS by default, despite the logistical hurdles and some slowness in the time a page will take to load, signals both the importance of protecting user data, and the importance of popular websites in demonstrating strong security safeguards.
Other companies that handle sensitive user data or communications should follow Facebook’s decision and enable HTTPS by default as well.