Some users are seeing a prompt at the top of their Facebook home page that reads “Help Protect Your Account with Secure Browsing (https)”. Users can click a button in the prompt to switch to HTTPS and foil attempts by hackers to steal their data.
Following the recent exposure of several security threats, Facebook appears to be ramping up its preventative security measures. Developers should list an HTTPS address to make sure they don’t miss out on traffic from those who follow the prompt.
Facebook introduced HTTPS in January to allow users to browse the site over a secured connection. Though it causes pages to load a little slower, it can keep user data safe when they’re connecting over public networks, such as in coffee shops. Facebook says that as of May 10th, 9.6 million users had enabled secure browsing in their Account settings, showing demand for the option despite little promotion for it.
Alongside HTTPS, Facebook launched the ability for third-party application developers to list secure canvas and tab URLs. If they don’t provide them, users with HTTPS enabled are shown a roadblock that forces them to either switch to HTTP browsing or retreat to official Facebook content when approaching a canvas app, and users won’t see bookmarks of tab apps. Then, in response to some data leaks by third-party apps, Facebook announced last month that by October 1st all apps must provide an SSL certificate to allow HTTPS browsing.
Still, Facebook is combatting an image of flawed security, in part due to exaggerated risk assessments of leaks by the press. This new home page prompt should increase awareness of enhanced security options amongst those that might have heard of threats but not the protections against them that Facebook has released.
Displayed front and center above the news feed, the prompt explains that “To always view Facebook over a secure connection and help prevent hackers from accessing your info over public networks, turn on Secure Browsing now.” Users can click “Enable Secure Browsing” to reload the home page and continue browsing through HTTPS. They can also click to “Learn more” in the Help Center, and can always enable the option via Account Settings -> Settings -> Account Security. Oddly, the prompt is also being seen by users who have already enabled HTTPS.
The prompt will likely increase the percentage of users that do enable secure browsing, making it more important for apps to add secure canvas and tab URLs before the deadline. An increase in secure browsing should also discourage hackers, reduce the impact of security breaches, and improve Facebook’s public standing.
Update: The HTTPS prompts come at a time when those who access Facebook via public wi-fi networks over HTTP are at more risk than ever. A recently released Android app called FaceNiff allows hackers “to sniff out and use Facebook accounts of other users on the same open wireless network”, similar to the browser extension Firesheep. Attackers can then view the victim’s private content and perform actions using the hacked account. The prompts are not likely a response to FaceNiff, though.
Update 6/7/2011 2:00pm PST: We’ve received word from Facebook that the prompt may appear to users who have manually added HTTPS before the Facebook URL in their address bar rather than selecting the secure browsing setting in their account settings. This is because there were some “misleading instructions circulating that equated changing the address bar with ‘being secure’”, and Facebook wanted to communicate that changing the official setting is the only way for users to “fully protect their Facebook traffic”. The prompt may also appear to those who may have “temporarily disabled HTTPS in order to use an unsupported app”.