Secure Your Facebook Account With SSL and Login Alerts

Recently Facebook has rolled out few new features that will enable the users to user their Facebook account with better sense of security. The newly introduced Secure Browsing feature allows users to always  use secure connection(https) for Facebooking. While facebook were already using secure connection for their login sessions, regular user activity was not protected.

Enabling Secure Browsing ensures that your data can't be seen by ISPs,your company Admins or other users. This is especially important in cases,where you are using Facebook from public computers or while surfing on an unencrypted wireless network.

To enable Secure Browsing functionality in your account go to Account -> Account Settings -> Account Security.
Check the option "Browse Facebook on a secure connection (https) whenever possible". From now onwards all your facebook conversations will be over https(you can verify this from the https:// prefix in the address bar).

 

There are a few things you should keep in mind before deciding to enable HTTPS. Encrypted pages take longer to load, so you may notice that Facebook is slower using HTTPS. In addition, some Facebook features, including many third-party applications, are not currently supported in HTTPS. We'll be working hard to resolve these remaining issues. We are rolling this out slowly over the next few weeks, but you will be able to turn this feature on in your Account Settings soon. We hope to offer HTTPS as a default whenever you are using Facebook sometime in the future.

Two more useful features are also available now, Login alerts and Activity viewer.
Login alerts will send you login notifications to your email or phone(if you have added a mobile device to your account) when a login occurs from an unknown computer.This will act as a early warning  in case somebody tries to access you account.
Activity monitor will let you check the recent activities happened in you account, how many logins happened in the recent past,how many sessions are still open.If you finds that there is any unauthorised activity in you account, there is an option to end that particular session also.

You can read the facebook blog post about new features here

How to Stay safe on public Wi-Fi

I have found an interesting article about staying safe on public wifi, so thought putting some points of my own. You can read the article here.

What are the safety concerns associated with public Wifi?
         Public Wi-Fi networks will be mostly un-encrypted, which means anyone with a wireless card and a laptop will be able to see the pages you are visiting, you emails etc.People hesitate to turn on the encryption on a public network inorder to avoid the hassle of key management.Every encyptd network needs a key( like a password) for decypting the traffic, how do you share the key among the users, say in an airport where people come and go very fast. Thats not the case in your home network where you once setup the network, set the passkey and tell all of your family members.
         Even if the network in encrypted, still all the people in the network will be able to see the traffic you are generating. Yet another problem ( its not exactly with public wifi, but with windows wifi implementation) is that if a default access point is set in your XP machine, it will automatically try to connect that SSID. If it didn't find such a AP, it will create an ad-hoc network with that particular SSID. An attacker can listen for the broadcast signals from your machine for the SSID and can create a fake wireless network with that SSID, allowing them to connect to your PC.
So some one else can see my traffic, whats the big deal??
         Well, eavesdropping in the traffic won't do any harm if you are using the net for only, say seeing the cricket score or checking the weather or any other activity which does not require a login or some other kind of authentication. If you are checking mails, or logging into a social networking site, then there is a chance that your password might get compromised, as your login information will be send over the network which could be read by an attacker.Most site has an option to use SSL(Secure Sockets Layer ) to protect its users from such attacks.But most of them may not use this by default( use of SSL can be recognized by looking at the URL, SSL uses https:// instead of the normal http:// )
or some even donot have such an option!!!. 
        Another problem is the usage of email clients like Microsoft outlook or Thunderbird. These softwares will not use any encryption for mail transfer, which basically means if you use you laptop in a public wifi to dowload your work mail using Outlook, its almost like printing the mails and giving it all the people around you!!.

What are the precautions that can be taken??
       Whenever possible try not to use a public wifi, especially for financial transactions or offcial purpose. The best thing to do is to switch off your wireless card when in a public place.Even if you are not using the network, malicious softwares can still sneak in, if your system is just connected to the network, through the bugs in your installed softwares using what is know as remote exploits.
       It may not be always possible to stay away, especially if you have to kill hours or have to send some urgent mails etc. You can do the following things to keep you secure as much as possible.

•        Keep your softwares and OS up to date, that means windows updates as well.If you are having a pirated OS, your are in trouble. Either buy an original version or switch to a linux flavor.
•        Install and keep  updating  an antivirus and firewall software
•        Always use SSL ( URLs  beginning with https:// ) for the whole session,by default most sites protect its login pages with SSL, but not after that, you are still at risk as some one can steel your authentication tokens send with each request or read your mails.( Its worth mentioning that gmail now by default uses SSL for all the communications.).How to do that, use https:// always. For example instead of going to http://www.twitter.com goto https://www.twitter.com.
•      Never open Outlook while in a public wifi, as it will automatically download the mails through an unencrypted channel. Always use the webmail, as most of the standard installations protect all the communication with SSL by default.
•      If you have VPN access to your company network, use it. It will not only protect your mail transactions,also it will protect your all other traffic. If you are using VPN, then it will be OK to use Outlook, since the communication will be happening over the encrypted VPN tunnel.In fact if you are under a VPN, you are protected from most the above described threats.  
•    Never use a website that does not offer SSL for during any serious transactions. A good example will IRCTC website. They donot offer any SSL. So its best NOT to use it while on a public Wifi.