In February Facebook began to roll out an option in users' Account Settings to browse Facebook over a secure connection using SSL/TLS encryption. This is presumably an attempt by Facebook to address users' concerns about the session hijacking vulnerabilities of websites, particularly social networking sites, that were highlighted late last year with the release of the Firesheep extension by software developer Eric Butler. Firesheep is an add-on to the Firefox web browser that is essentially a new sidebar with a "Capture" button. When clicked, this button displays the user name and photo of anyone on the network who visits an insecure website.
SSL/TLS can help provide protection against the vulnerabilities that Firesheep exploits.
Personally I don't think this should be an option that users have to enable; it should just be the default connection used by Facebook. To enable a secure connection, simply select Account and then Account Settings in the upper right area of the browser.
If you haven't managed your privacy settings, it's worth a look--here you can change what you're sharing with whom.
Scroll down to Account Security and select change to expand these settings.
You can also view information about the locations and devices used to access your Facebook account. Select End Activity to disable a suspicious device or location.
Check the box that says Browse Facebook on a secure connection (https) whenever possible. Make sure to also click the Save button. As you browse Facebook from now on you should notice the secure connection lock in your browser's address bar, as well as the Facebook web address now being https://www.facebook.com as opposed to http://www.facebook.com.
Firesheep is an extension for the Firefox web browser developed to illustrate the failure of many major websites to secure user access and data on their networks. When you log into websites such as Facebook and Twitter they may secure your connection and information when you log in but not as you post updates or otherwise interact on their social network.
This leaves users open to a hacking attack known as session hijacking. Firesheep is effectively a point-and-click graphical user interface for an otherwise complicated hacking technique. With Firesheep, someone simply has to connect to a public wi-fi network, say at a cafe, open the Firefox web browser and activate Firesheep. There magically appears a list of all users on that network currently logged into Facebook, Twitter, etc. Point, click, and you're posting photos and status updates as someone else, which in some states is ILLEGAL. Some university students have found that campus wireless networks may also be at risk.
So why would anyone ever make such a tool, again? That's right: to illustrate that popular websites holding potentially sensitive data should be using encryption for the entire user session.
Why don't websites with millions of users encrypt their entire sessions? They say it's because it costs lots of money. And in fact, some websites, such as Facebook, do have the capability to encrypt entire sessions. This part is key, and it's what allows us as users to bring some level of sanity back into this issue.
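As an added example, not part of the original post and not code from Firesheep, the Python below models the one browser rule that decides whether a login-time HTTPS session stays private: a cookie is only kept off plain-HTTP requests if the site marked it Secure. The site name, cookie names and URLs are constructed.

```python
# Added example (not from the post): why "HTTPS only at login" still leaves the
# session exposed. A session cookie issued without the Secure attribute is
# attached to every later plain-HTTP request, where anyone on the same open
# Wi-Fi network can read and replay it. All names and values are constructed.

def parse_set_cookie(header):
    """Split a Set-Cookie header into (name, value, attributes); flags map to True."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return name.strip(), value.strip(), attrs


def cookies_sent(jar, url):
    """Names a browser attaches to a request for url, applying the Secure rule:
    a Secure cookie is never sent over plain http://."""
    plaintext = url.lower().startswith("http://")
    return sorted(name for name, (_, secure) in jar.items()
                  if not (plaintext and secure))


def plaintext_exposure(set_cookie_headers, visited_urls):
    """Cookie names that travel unencrypted at least once during the session."""
    jar = {}
    for header in set_cookie_headers:
        name, value, attrs = parse_set_cookie(header)
        jar[name] = (value, "secure" in attrs)
    exposed = set()
    for url in visited_urls:
        if url.lower().startswith("http://"):
            exposed.update(cookies_sent(jar, url))
    return sorted(exposed)


# Constructed session: the login response sets cookies, then the user browses.
LOGIN_NO_SECURE = ["sid=abc123; Path=/; HttpOnly", "lang=en; Path=/"]
LOGIN_SECURE = ["sid=abc123; Path=/; HttpOnly; Secure", "lang=en; Path=/"]
MIXED_BROWSING = ["https://www.example.com/login", "http://www.example.com/home",
                  "http://www.example.com/status"]
HTTPS_ONLY = [u.replace("http://", "https://") for u in MIXED_BROWSING]

if __name__ == "__main__":
    # Expected: ['lang', 'sid'], then ['lang'], then []
    print(plaintext_exposure(LOGIN_NO_SECURE, MIXED_BROWSING))
    print(plaintext_exposure(LOGIN_SECURE, MIXED_BROWSING))
    print(plaintext_exposure(LOGIN_NO_SECURE, HTTPS_ONLY))
```

The third case is what the "force HTTPS" extensions discussed next achieve from the user's side: if no request ever goes out over plain HTTP, even a cookie the site forgot to mark Secure is never exposed.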
If you've already installed NoScript as I suggested in a previous post about securing yourself against clickjacking attacks, you're in luck, because it comes with built-in functionality to force a redirect to an encrypted page if one is available. Browse to your Add-ons in Firefox and open the Preferences for NoScript. Go to the Advanced tab. This opens up another set of tabs; click on the HTTPS tab. Here you can add websites to the force secure connections list. In this screenshot I have added Facebook, Twitter, and Google.
If NoScript is too complicated for you there is a somewhat easier extension to battle this encryption elephant in the room. This extension is called HTTPS-Everywhere and it is provided by the lovely and amazing people at the Electronic Frontier Foundation, who in fact always use encryption when users view their website. For added protection on Facebook, users are advised to view Tools>Add-ons>Firesheep Preferences and enable the "Facebook+" option. As it warns in this window, enabling this option may break some Apps.
Both NoScript and HTTPS-Everywhere currently break some functionality on Facebook, mainly the Chat feature.
Chrome/Chromium, Internet Explorer, Safari, and Opera users are out of luck. The current extension development tools for Chrome/Chromium and Opera are such that a redirect to a secure page can only take place after the user has exchanged information with the web server, thus making the encryption after that point already compromised. Google claimed to be fixing this problem in their latest release of Chrome/Chromium 10 but developers of these extensions have been unable to resolve the issue even with the latest 10 release.
You've downloaded and installed Firefox. You've gotten the latest Adblock Plus plug-in for Firefox. Yet somehow you're still hearing that annoying voice screaming out of your speakers, "CONGRATULATIONS!" You've won something that is not real, that doesn't exist, but please click on something so somebody gets paid. While pop-up blockers and other ad blockers are important tools for computer users that spend a lot of time on the Internet, it's becoming increasingly common for websites to use Flash-based ads.
Due in large part to the popularity of YouTube and other video sharing sites, Flash is estimated to be installed on 95% of Internet-enabled computers, maybe more. Being on 95% of computers makes Flash a target for the bane of all Internet users: advertisers (sometimes indistinguishable from spammers) and hackers. It is for this reason that you should check the Adobe Flash website often for updates to keep ahead of the latest security threats. But what to do about the annoying CONGRATULATIONS advertising voice?
For that, there's FlashBlock. Now you might be thinking, "I installed Flash to watch YouTube videos and check out my favorite band's website, why would I want to block Flash content?" Before you get your video streams all in a bunch, let me explain the glory that is FlashBlock.
FlashBlock operates by replacing Flash content on a page with a simple box that shows the Flash "F" logo. When you click once on this box, Firefox will load the Flash content. To put it simply, it puts one more click in between you and any Flash content you come across on the web. But that's not all it does. FlashBlock also has a white list function, meaning you can add sites like YouTube to this list and all Flash content on the YouTube domain will be auto-loaded without the extra click. To add sites to the white list, simply right-click on Flash content from a site (say a YouTube video) and select "Allow Flash (always)." You can also right-click on Flash content, select the "Options" button, then navigate to the "White List" tab and add websites manually.
FlashBlock is a simple and powerful plugin that can go the last mile in blocking annoying ads, especially those with audio. There is also a version of FlashBlock for the Chrome and Chromium web browsers. I guess the other, simpler option is surfing the web with your speakers or headphones muted ;-)
A note on ad blocking: Blocking ads is, to some, controversial. You see, people's livelihoods depend on shattering your zen-like Internet experience with flashy blinking ads and loud noise. Aside from the desire to have a semblance of privacy from the insatiable consumption pushers, there's also the matter of Internet bandwidth. This is becoming a much larger issue in the mobile world, where data service plans often have a capped amount of bandwidth for the month. If 10% of your mobile bandwidth is being used to serve you ads (a conservative estimate in the Flash and Silverlight era), that means you are in a very real way footing the advertisers' bill. FlashBlocking and ad blocking are thus useful for those with a limited monthly Internet cap or those that are still stuck on dial-up Internet, or even individuals with Internet speeds that are no longer considered broadband by the FCC (sub 3 Mbps Internet service, which includes me!).
While the days of e-mail viruses certainly are not over, the proliferation of social networking sites all over the world has provided many computer hackers and script kiddies alike with easy access to millions of unsuspecting computer users. For many years IT experts and administrators were able to quell the stream of e-mail viruses with the simple phrase "don't open e-mail attachments." Easy for the computer experts to say, not so easy for everyday users in practice. Just as most people ignored computer geeks when they said, "don't open e-mail attachments," likewise will all attempts at getting people to "just not use Facebook or MySpace" fail.
Below are a few solutions for those who can't give up their favorite social network and are tired of getting or sending links to free iPads to and from their Facebook friends. First let me take a moment to briefly explain how one of these many popular exploits works in the ever-evolving Web 2.0 age.
One technique rising in popularity that is used today to gain access to confidential information or to take control of a user's social networking account is called clickjacking. This technique overlays a web page, sometimes a legitimate one, with a transparent layer that the user is actually interacting with. When the user attempts to click buttons on the underlying page, the clicks land on the transparent layer, which executes code that can compromise a computer system or user account.
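The overlay only works if the browser is willing to render the real page inside another site's frame, which the site itself can forbid through its response headers. As an added example, not from the post and not any site's actual configuration, the Python below models how a browser applies the X-Frame-Options header and the CSP frame-ancestors directive to a response; host wildcards are left out, and all site names and headers are constructed.

```python
# Added example (not from the post): the server-side defence against the
# transparent-overlay attack described above is to tell the browser who may
# frame the page. Simplified model of X-Frame-Options (RFC 7034) and the CSP
# frame-ancestors directive; host wildcards and the obsolete ALLOW-FROM are omitted.
from urllib.parse import urlsplit


def origin_of(url):
    """Lower-cased scheme and host of a URL, e.g. https://www.example.com."""
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}".lower()


def _ancestor_allows(source, framer_origin, page_origin):
    """Evaluate one frame-ancestors source expression against the framing origin."""
    source = source.strip("'").lower()
    if source == "none":
        return False
    if source == "self":
        return framer_origin == page_origin
    if source == "*":
        return True
    return framer_origin == source.rstrip("/")


def can_be_framed_by(response_headers, page_url, framer_url):
    """True if a browser would render page_url inside a frame hosted on framer_url."""
    headers = {k.lower(): v for k, v in response_headers.items()}
    page_origin, framer_origin = origin_of(page_url), origin_of(framer_url)
    for directive in headers.get("content-security-policy", "").split(";"):
        name, _, value = directive.strip().partition(" ")
        if name.lower() == "frame-ancestors":
            # When both headers are present, frame-ancestors takes precedence.
            return any(_ancestor_allows(s, framer_origin, page_origin)
                       for s in value.split())
    xfo = headers.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return False
    if xfo == "SAMEORIGIN":
        return framer_origin == page_origin
    return True  # no policy at all: any site can lay a transparent frame over it


# Constructed responses for a hypothetical social site's "Like" endpoint.
PAGE = "https://www.social.example/like?post=42"
OTHER_SITE = "http://free-ipad.example/win"
UNPROTECTED = {"Content-Type": "text/html"}
XFO_SAMEORIGIN = {"X-Frame-Options": "SAMEORIGIN"}
CSP_SELF = {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'self'"}
CSP_OVERRIDES_XFO = {"X-Frame-Options": "DENY", "Content-Security-Policy": "frame-ancestors 'self' https://partner.example"}
```

A True result for a framer on a different origin is exactly the condition the overlay needs, so the UNPROTECTED response is the one to worry about.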
This technique is very popular on Facebook and has exploited the Like feature with great success. Facebookers may recall the Justin Bieber phone number clickjack from earlier this year, in which a user's friend may have Liked an apparent link to Justin Bieber's presumably leaked cell phone number. The unsuspecting Bieberite Liked it themselves or clicked on the link in a desperate attempt to send a text message to the teen pop star. This particular Bieber vector didn't seem to execute any viruses or malware, but others utilizing this Facebook exploit have, perhaps resulting in thousands of computers being added to a spam or criminal botnet. Many may instinctively know that if J. Biebs' celly shows up on the Fbook it's probably too good to be true, but there are always going to be some that just can't take the chance of missing out on the Bieber digits, no matter how far-fetched the idea may be--in fact, the more far-fetched the message or idea, often the more successful the attack will be.
So what about prevention? As most Firefox users are aware by now, there's an extension for almost any Internet nuisance or nuance! In this case it's called NoScript, and it provides great (free!) protection from clickjacking based on what is called a white list. This means that NoScript will not let JavaScript, Flash, Silverlight, or any executable content run unless the site has been approved by the user. Approval can be granted on a temporary or permanent basis, which means the program will adapt to your browsing habits (cataloged in the white list) and eventually run in the background (until it reveals itself as needed). It may seem annoying at first when you have to click an extra button or two to get YouTube videos to run or see the cool navigation bar on your favorite Foodie Blog, but it is well worth it in terms of security. This also comes with the added bonus of blocking all Flash-based ads by default, which can save time and money if you have a slower connection or your bandwidth is metered (a practice that is becoming increasingly popular, especially over wireless networks). Flash ads also have a tendency to be amplified to what seems like five or ten times the normal volume level. Did I mention that this solution is free?
Right about now is when most computer users may say, "What's Firefox?" Hopefully that's not you but if it is, there is hope for you yet. For Internet Explorer (and Firefox users) there is a commercial (read: costs $) solution called GuardedID. I've never used this program so I can't vouch for its effectiveness or how large it is in terms of hard drive space and system resources. Microsoft also claims that IE8 comes with clickjacking protection built in, but some are skeptical of those claims.
If you haven't switched to Firefox yet, now is as good a time as any to do that.
Or, I guess you can always stop using Facebook, MySpace, etc.