02/25/11 - Article No: 1224

Facebook HTTP versus HTTPS options - Facebook Rumour


While on Facebook, look at your URL address; if you see "http:" instead of "https:" then you don't have a secure session and you can be hacked. Go to Account|Account Settings|Account Security and click Change. FB defaults to the non-secure setting.


This message circulating throughout Facebook is partly true and partly misleading.

The assertion that having "https" at the start of the URL address means you have a secure session is actually true. The acronym stands for "Hyper-Text Transfer Protocol Secure". Additionally, the instructions in the message do indeed explain to users how to use an HTTPS connection if one is available.

However, the message is also misleading (or overly simplistic/naive) in its assertion that not having this secure session means you can be "hacked", implying that having a secure session means you cannot be hacked, or at least that it would be significantly harder to do so. This is not true.
Having the S after HTTP means that the information passed between your computer's browser and the web server hosting the web site you are visiting is encrypted, meaning it cannot be read if intercepted. This means HTTPS is best used when transmitting sensitive data, such as bank details. (In fact, you should only enter card details on a site beginning with "https".)

However, most threats facing social networking users, such as survey scams, rogue Facebook applications or phishing attacks, do not depend on whether the user has a secure HTTPS session, so for the most part having the S at the end of HTTP does not make any difference when it comes to staying safe on Facebook.
The only possible advantage of having a secure session is for Facebook users who log on mostly or entirely using WiFi hotspots, as there is an effective (though rarely used) tactic that involves intercepting a cookie (a piece of information) that could allow a third party to steal a Facebook "session", i.e. giving someone access to your Facebook account. It is called "sidejacking" or "session hijacking", though it is a rare attack and can only happen on WiFi networks (or other public LANs).

However, it is important to note that having HTTPS does not mean you are immune to threats on Facebook; you certainly are not. It is important not to be lulled into a false sense of security under the assumption that you are safe from attacks because you have opted for the HTTPS option, because in reality this option makes no change in the risks involved whilst using the social networking site.

We recommend not circulating the above message on the grounds that it is misleading and implies people are safer on Facebook using the HTTPS connection than they actually are.

UPDATE: 19 Apr 2011


FB has changed and failed to let us know about it. Take a look at your URL address (the top box on your screen.) If you see "http" instead of "https" you DO NOT have a secure session & can be HACKED. Go to Account - Account Settings - Account Security - click Change. Check box (secure browsing), click Save. FB has automatically set it on the non-secure setting!
Do your friends a huge favor, copy & re-post


This updated version is misleading like the original message, and it makes matters worse by implying Facebook has changed in some way. Most Facebook pages default to http, not https. This has always been the case, and Facebook has not "changed and failed to let us know about it".





Social media and the Internet are rife with rumour, misinformation, propaganda and untruth. It is like this because people can be irresponsible with what information they choose to share.

Our community works hard to try and debunk and assist in as many cases as possible, as well as teach people how to share responsibly. We believe it is important that anyone who uses the Internet be able to identify false rumours and fully understand the possible consequences of spreading false information.

If you are interested in this, feel free to read our two-part blog. Part 1 deals with how to spot and debunk Internet rumours and Part 2 deals with the reasons why you should never circulate false information.
