Debunking email hoaxes and exposing Internet scams since 2003!


Facebook Non Secure Browsing Warning

Message warns that Facebook has automatically set itself to the non-secure browsing setting and advises users that they can get "hacked" if they see "http:" instead of "https:" in the address of their Facebook page. The message explains how to set Facebook to secure browsing.

Brief Analysis
While the message contains elements of truth, it is also potentially misleading. Changing to "Secure Browsing" can improve your account security in certain situations. However, making the change will not always prevent your account from being "hacked" or hijacked as implied in the message.

Detailed analysis and references below example.

Last updated: 13th April 2011
First published: 13th April 2011
Article written by Brett M. Christensen
About Brett Christensen and Hoax-Slayer

ATTENTION!!! FB has automatically set itself to the Non-Secure browsing setting! While on FB, look at your URL address (the very top box on your screen.) If u see "http:" instead of "https:" then u DO NOT have a secure session & can be hacked. Go to Account - Account Settings - Account Security - click Change. Check the box labeled "......Secure Browsing" - Click Save. Copy & Re-post


Detailed Analysis
This rapidly circulating message warns Facebook users that Facebook may have automatically set their accounts to non-secure browsing. According to the message, if the Facebook web address displays "http:" instead of "https:", the user has a non secure session and can be "hacked". It instructs users on how to change their accounts to the secure browsing setting and asks that they repost the information to warn others.

The message contains elements of truth, but is nevertheless potentially misleading and counterproductive. As discussed in more detail below, using secure browsing on Facebook may increase security in certain situations. However, it certainly will not stop your account from being "hacked" in every situation. The mistaken belief that simply changing to secure browsing will keep them safe from attack may lull some users into a false sense of security.

Hypertext Transfer Protocol (http) is the "normal", non-secure version of the protocol that is used on the majority of websites. Http allows information, such as the text you are reading right now, to be accessed from the server by your web browser. While http allows for the quick and easy transmission of information, it is not secure and it is possible for a third party to "listen in" to the "conversation" between servers and clients. For normal web browsing purposes, such as reading a website article that is open and available to everyone, this lack of security is of no importance.

Hypertext Transfer Protocol Secure (https) is the secure version of the protocol and is used when there is a need to protect information from being accessed by other users. It is true that "https:" in a web address indicates that your browser is using a secure connection. A secure session is also usually indicated by a small lock icon in the address bar or by an address bar that has turned green. Because information transmitted during a secure session is encrypted, it is much harder for third parties to gain access to it. Therefore, in situations where sensitive information, such as that disclosed during financial transactions, is involved, it is vital that the session is secure (uses "https:"). Https should ALWAYS be displayed in your browser address bar if you are banking online or conducting online financial transactions.

As suggested in the message it is possible to change your Facebook settings to secure browsing (https). This security feature was introduced by Facebook in January 2011. The official Facebook blog post about the change notes:
If you've ever done your shopping or banking online, you may have noticed a small "lock" icon appear in your address bar, or that the address bar has turned green. This indicates that your browser is using a secure connection ("HTTPS") to communicate with the website and ensure that the information you send remains private. Facebook currently uses HTTPS whenever your password is sent to us, but today we're expanding its usage in order to help keep your data even more secure.

Starting today we'll provide you with the ability to experience Facebook entirely over HTTPS. You should consider enabling this option if you frequently use Facebook from public Internet access points found at coffee shops, airports, libraries or schools.

However, many of the security threats that target Facebook users, such as survey scams, rogue applications, malware and phishing attacks, and advance fee scams, will not be curtailed simply by using secure browsing. Many scams entice users to visit third party websites or install third party applications which will still operate in the same nefarious way whether or not secure browsing is enabled.

As noted in the Facebook blog post, enabling secure browsing may help increase your security if you access your Facebook account from public Internet access points. Secure browsing in such situations can prevent session hijacking (sidejacking) attacks when using public wifi access. Sidejacking describes the practice of capturing the session keys and cookies carried in another computer's network traffic. If you are using Facebook in situations other than public Internet access points, there is probably no great security advantage in enabling the secure browsing setting. And, enabling HTTPS may cause some unwanted usage issues. The Facebook blog post also notes:
There are a few things you should keep in mind before deciding to enable HTTPS. Encrypted pages take longer to load, so you may notice that Facebook is slower using HTTPS. In addition, some Facebook features, including many third-party applications, are not currently supported in HTTPS.

The warning message implies that Facebook has actually changed to the non-secure setting ("FB has automatically set itself to the Non-Secure browsing setting"). However, this is also misleading. Facebook has always used http as the setting for general use on the network and has only recently introduced the secure browsing option for Facebook as a whole. It should also be noted that Facebook already uses secure https when you log in to your account in order to protect your login details and has always done so.
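The gap described above, where the login happens over https but the rest of the session continues over http, can be shown with a small model of how a browser decides which cookies to attach to a request. This is an added example, not part of the original article; the cookie names, values and the example.test host are constructed, and path and domain matching are left out.

```python
# Added example (not from the original article). Models which cookies a
# browser attaches to a request based on the Secure attribute (RFC 6265).
# All cookie names and values below are constructed sample data.
from urllib.parse import urlsplit

# Constructed Set-Cookie headers, as if received after an https login.
SAMPLE_SET_COOKIE = [
    "session_id=3f9a1c; Path=/; HttpOnly",          # no Secure flag
    "auth_token=b71e44; Path=/; Secure; HttpOnly",  # https only
    "locale=en_US; Path=/",                         # not sensitive
]


def parse_set_cookie(header):
    """Return (name, value, set of lower-cased attribute names)."""
    first, *attrs = [part.strip() for part in header.split(";")]
    name, _, value = first.partition("=")
    flags = {a.partition("=")[0].strip().lower() for a in attrs if a}
    return name, value, flags


def cookies_sent(set_cookie_headers, url):
    """Names of cookies the browser would attach to a request for url."""
    is_https = urlsplit(url).scheme == "https"
    sent = []
    for header in set_cookie_headers:
        name, _, flags = parse_set_cookie(header)
        if "secure" in flags and not is_https:
            continue  # Secure cookies are withheld from plain-http requests
        sent.append(name)
    return sent


def exposed_on_http(set_cookie_headers, sensitive_names):
    """Sensitive cookies that would cross the network unencrypted."""
    sent = cookies_sent(set_cookie_headers, "http://example.test/home")
    return [n for n in sent if n in sensitive_names]


if __name__ == "__main__":
    sensitive = {"session_id", "auth_token"}
    for url in ("https://example.test/home", "http://example.test/home"):
        print(url, "->", cookies_sent(SAMPLE_SET_COOKIE, url))
    print("unencrypted on http:", exposed_on_http(SAMPLE_SET_COOKIE, sensitive))
```

A session cookie without the Secure attribute travels in the clear on every http page view, which is why the protection has to cover the whole session and not only the login form.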

Because of the potentially misleading aspects of this warning message, reposting it in its current form may be counterproductive. People who heed the advice in the message and switch to secure browsing on Facebook may mistakenly think that they are effectively protected from the many security threats that target Facebook users when this is simply not the case.

References
Difference Between http & https
A Continued Commitment to Security
