Facebook announced today that it is now offering users the ability to use encryption to protect their accounts from being compromised when they are interacting with the site, something security experts have been seeking for a while.
The site currently uses HTTPS (Hypertext Transfer Protocol Secure) when users log in with their passwords, but now everything a user does on the site will be encrypted if he turns the feature on, the company said in a blog post.
Enabling full-session HTTPS prevents attackers from using tools like the Firefox plug-in Firesheep to snoop on communications between a person's computer and the site's server over Wi-Fi.
"Starting today we'll provide you with the ability to experience Facebook entirely over HTTPS. You should consider enabling this option if you frequently use Facebook from public Internet access points found at coffee shops, airports, libraries, or schools," the post says. "The option will exist as part of our advanced security features, which you can find in the Account Security section of the Account Settings page."
Using HTTPS may mean that some pages will take a little bit longer to load, and some third-party applications aren't currently supported, the company said. The option is rolling out over the next few weeks. "We hope to offer HTTPS as a default whenever you are using Facebook sometime in the future," the post says.
"Every user's Facebook page is unique and it's been complex pulling together all the different parts," said Facebook Chief Security Officer Joe Sullivan when asked about the time frame for making HTTPS the default setting. "It's an interesting technical challenge for the company."
While banking and e-commerce sites use encryption, social media and other sites have been somewhat slow to move in that direction, the exception being Google. Google has always offered Gmail users the ability to use HTTPS, and it made HTTPS the default a year ago. The company also offers encryption for use with Google Docs and Web search.