Gawker is reporting that Facebook is finally making https protocol available to provide at least some protection against Firesheep and other credential-sniffing hackerware.
Facebook has at long last offered an option to use the encrypted “HTTPS” protocol, a feature it will begin rolling out today but won’t finish for a “few weeks.” You should check now if it’s available, and sign up as soon as it is enabled for your account. The performance overhead is minor—zippy Gmail, for example, uses HTTPS for everything—and it’s an important step to keep your Facebook account safe from being hijacked on an open or poorly secured wireless network.
By default, Facebook sends your access credentials in the clear, with no encryption whatsoever. Switching to HTTPS is important because a browser extension called Firesheep has made it especially easy for anyone sharing your open wireless network—at cafe or conference, for example—to sniff your credentials and freely access your account. One blogger sitting in a random New York Starbucks was able to steal 20-40 Facebook identities in half an hour. HTTPS solves this longstanding problem by encrypting your login cookies and other data; in fact the inventor of Firesheep made the software to encourage companies like Facebook to finally lock down their systems.
You can sign up for Facebook HTTPS by going to Account Settings and then selecting “Account Security,” third from the bottom. Then click under “Secure Browsing” — if it’s there. Facebook says everyone should have this by the end of the day, but in the meantime you might be missing the relevant option toggle.
Check your account and switch to https security now (!), especially if you use a laptop at internet cafés. Otherwise, who knows who might be reading your mail…