How to force HTTPS on Facebook and Twitter

HTTPS is a way of providing security and privacy for your communication with web sites. You should expect it from sites that deal with your money, such as your bank, or Amazon.com, but you might not realize how important it is for sites like Facebook or Twitter. Think of it this way: When you protect your financial information, you’re protecting yourself, but when you protect your Facebook account, you’re protecting your friends. Using https keeps your accounts and reputation secure.

Many sites, Facebook included, have support for https, but immediately redirect you back to the insecure site, or forget to record your login session in a secure way. A Firefox Add-on called “NoScript” provides a solution to both these problems. Here’s how to make it happen:

  1. Install the Add-on.
  2. Restart Firefox
  3. In Firefox, go to Tools –> Add-ons –> NoScript –> NoScript Preferences –> Advanced tab
  4. In the “Behavior” tab under “Force the following sites to use secure (HTTPS) connections:” add the sites you want to secure. If you want to secure every subdomain of a domain, start with a dot. My entry looks like:
    .facebook.com
    .twitter.com
    
  5. In the “Cookies” tab check “Enable Automatic Secure Cookies Management”.
  6. Under “Force encryption for all the cookies set over HTTPS by the following sites:” add the same sites again. This will keep your login secure even over open wireless.

Now, in the future, your logins to those sites will be secure. NoScript will also do other things, such as block JavaScript and Flash by default for sites it doesn’t know about. If you want Javascript on for a site, you can just whitelist that site. NoScript will make it clear when it’s blocking JavaScript. You’ll see it in action the first time you visit Facebook and Twitter.

Let’s try it:

Go to http://facebook.com. First, notice that the URL changes to https://www.facebook.com. Now, you’ll also see NoScript letting you know that it blocked facebook.com. Just select “Allow all this page” from NoScript’s options.

Now you know enough to surf safely and protect your accounts on sites like facebook.com and twitter.com. For more information, read the NoScript FAQ.