Facebook HTTP versus HTTPS options - Facebook Rumour

02/25/11 - Article No: 1224. Filed under: Facebook Scams | Facebook Rumour


While on Facebook, look at your URL address; if you see "http:" instead of "https:" then you don't have a secure session and you can be hacked. Go to Account|Account Settings|Account Security and click Change. FB defaults to the non-secure setting.


This message circulating throughout Facebook is partly true and partly misleading.

The assertion that having "https" at the start of the URL address means you have a secure session is actually true. The acronym stands for "Hyper-Text Transfer Protocol Secure". Additionally, the instructions in the message do indeed explain to users how to use an https connection if one is available.

However, the message is also misleading (or overly simplistic/naive) in its assertion that not having this secure session means you can be "hacked", implying that having a secure session means you cannot be hacked, or at least that it would be significantly harder to do so. This is not true.
Having the S after HTTP means that the information passed between your computer's browser and the web server hosting the web site you are visiting is encrypted, meaning it cannot be read if intercepted. This means HTTPS is best used when transmitting sensitive data, such as bank details. (In fact, you should only enter card details on a site beginning with "https".)

However, most threats facing social networking users, such as survey scams, rogue Facebook applications or phishing attacks, work regardless of whether the user has a secure https session, so for the most part having the S at the end of HTTP does not make any difference when it comes to staying safe on Facebook.
The only possible advantage of having a secure session is for Facebook users who log on mostly or entirely using WiFi hotspots, as there is an effective (though rarely used) tactic that involves intercepting a cookie (a piece of information) that could allow a third party to steal a Facebook "session", i.e. giving someone access to your Facebook account. It is called "sidejacking" or "session hijacking", though it is a rare attack and can only happen on WiFi networks (or other public LAN networks).
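
To make the cookie interception described above concrete, the following added example (not part of the original article) models which cookies a browser would send unencrypted and so could be read on a shared network. The cookie names and values are constructed; `Secure` is the standard cookie attribute that restricts a cookie to https requests.

```python
# Constructed Set-Cookie header values; names and values are made up.
SAMPLE_SET_COOKIE = [
    "session_id=abc123; Path=/; HttpOnly",
    "session_secure=def456; Path=/; Secure; HttpOnly",
    "locale=en_GB; Path=/",
]


def parse_set_cookie(header):
    """Split one Set-Cookie value into (name, value, attributes)."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs


def sent_on_request(attrs, scheme):
    """A browser leaves cookies marked Secure out of plain http requests."""
    return scheme == "https" or "secure" not in attrs


def exposed_cookies(set_cookie_headers, scheme):
    """Names of cookies readable by someone listening on the network."""
    if scheme == "https":
        return []  # the whole request, cookies included, is encrypted
    exposed = []
    for header in set_cookie_headers:
        name, _, attrs = parse_set_cookie(header)
        if sent_on_request(attrs, scheme):
            exposed.append(name)
    return exposed


if __name__ == "__main__":
    for scheme in ("http", "https"):
        print(scheme, "->", exposed_cookies(SAMPLE_SET_COOKIE, scheme))
```

A session cookie without the `Secure` attribute is still sent in the clear on any http request to the site, even for a user who normally browses it over https.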

However, it is important to note that having HTTPS does not make you immune to threats on Facebook. Do not be lulled into a false sense of security by assuming that you are safe from attacks because you have opted for the HTTPS option; in reality this option makes no change in the risks involved whilst using the social networking site.

We recommend not circulating the above message on the grounds that it is misleading and implies people are safer on Facebook using the HTTPS connection than they actually are.

UPDATE: 19 Apr 2011


FB has changed and failed to let us know about it. Take a look at your URL address (the top box on your screen.) If you see "http" instead of "https" you DO NOT have a secure session & can be HACKED. Go to Account - Account Settings - Account Security - click Change. Check box (secure browsing), click Save. FB has automatically set it on the non-secure setting!
Do your friends a huge favor, copy & re-post


This updated version is misleading like the original message, and it makes matters worse by implying Facebook has changed in some way. Most Facebook pages default to http, not https. This has always been the case, and Facebook has not "changed and failed to let us know about it".


About the Author

is an IT graduate from Plymouth, UK and the editor of ThatsNonsense.com
