Thursday 18 August 2011

A secure session on Facebook?



Here's another Facebook frightener that is doing the rounds again.

"Apparently Facebook has changed and said nothing (again). Take a look at your URL (top box on your screen.) If you see "http" or just "www" instead of "https" you DO NOT have a secure session & can be hacked. Go to Account Settings - Click Security on the left top corner - click Edit, Check box (secure browsing), click Save. FB has automatically set it on the non-secure setting! Do everyone a huge favour, copy & re-post."

Here we go again. For a start, Facebook has not 'changed and said nothing' - the implication here is that it was previously secure and it isn't now. In fact, it's the other way round: Facebook introduced the ability to have a secure connection (https) as an additional feature in early January 2011. Before that time, all Facebook browsing was http (non-secure) and there was no choice in the matter. This useful article on Mashable gives the full story.

NB: If you do choose to use an https setting (as explained in the Facebook help pages here) there are some applications that will not work (for example, I can't play my favourite word game of Lexulous on this setting).

More to the point, do you need the secure browsing setting? It does (as the Mashable article explains) protect you from hacking in an unprotected environment: "Without it you’re exposed to sniffing attacks on the network; for example, if you’re using a public Wi-Fi to access Facebook via plain HTTP, someone using the Firesheep add-on for Firefox can easily retrieve your data. HTTPS makes it a lot harder to do that." However, if you're sitting at home, using your own password-protected wifi network, this is not the case.

I'm not saying that you should be cavalier about your security settings - far from it. There are plenty of hazards lurking on Facebook (and in many other places on the internet) - hoaxes, phishing attacks, malware and much more - and we all need to be clued up about them. However, this means that misleading and sensationalist postings can (in the manner of the 'boy who cried wolf') deflect our attention from the genuinely dangerous stuff. It's much more important that you realise what these settings really mean - rather than perpetuating the myth that 'Facebook does everything wrong', 'they never tell us anything' and the rest.

Please, please - before copying and pasting these warning messages, take just a minute or two to have a proper look at the facts. Type the phrase into Google, look in the Facebook Help section, or ask a passing geek. Then make your decisions based on facts, rather than on a game of Chinese Whispers.

It would, by the way, be far more accurate to post:

"Facebook has implemented a new security measure, which you can take advantage of if you want to. Take a look at your URL (top box on your screen.) If you see "http" or just "www" instead of "https" you do not have a secure session, and it's possible that you may be hacked [but only if you are using an unsecured public network; this doesn't apply if you are using a password-protected private network]. Visit the FB help page for more information here: http://www.facebook.com/help/?faq=215897678434749. Please note: FB has automatically set it on the non-secure setting, as many applications do not work on the HTTPS setting, but you can change it if you wish."

You wouldn't try to drive a car without understanding the rules of the road; you wouldn't base your navigation, speed or behaviour on hearsay, rumour, part-truth and guesswork. Why should using your computer be any different?

UPDATE: Here's another useful link with more information on this situation. Of especial interest is the highlighting of the fact that "it is important not to be lulled into a false sense of security under the assumption that you are safe from attacks because you have opted for the HTTPS option, because in reality this option makes no change in the risks involved whilst using the social networking site."