Enable HTTPS on Facebook!

Posted: June 7th, 2011 | Author: | Filed under: fitm, personal, random, security | Tags: , , , , , , , , , , , , , , , | No Comments »

A couple of month passed since Facebook introduced full SSL support. This optional feature lets you browse Facebook via a secure connection (https) whenever possible. Facebook via https is now available to all users and why are so few people using it? I suppose because the option is disabled per default. -> Enable this option!

SOPHOS How-To enable the Facebook HTTPS option.
They also provide a video How-To:

Using Facebook without a secure communication puts your account data at high risk. First Firesheep and now Faceniff offer script-kiddie tools to hijack Facebook accounts over wireless. Research we conducted shows that unencrypted Facebook sessions are low-hanging fruits for large scale spam attacks. We published our first findings in 2010 (technical report), a revised version has been published in the current issue of IEEE’s Internet Computing.

Friend-in-the-middle (FiTM) attacks

In our article we present friend-in-the-middle attacks that extract social networking data in an automated fashion. The harvesting of data is possible because people do not use a secure connection with Facebook. We show that the extracted social data can be exploited for large-scale context-aware spam and social-phishing attacks. Our attack simulations on Facebook showed that an attacker could easily spam a high number of users with context-aware spam (e.g. spam that appears to be coming from a friend) in a short period of time (Over 300,000 spammed users with 4,000 uncrypted Facebook sessions we observed over two weeks).

Download the preprint: FITM_InternetComputing_preprint.pdf

More information on Friend-in-the-Middle Attacks can be also found here: http://www.sba-research.org/2011/02/02/ieee-internet-computing-special-issue-on-security-and-privacy-in-social-networks/