Facebook Puts HTTPS Security Guard on Full-Time Duty
Facebook says it will beef up its user security policy by enabling full use of encrypted HTTPS connections, rather than just encrypting data when the user signs on to the service. The feature will roll out on an opt-in basis. The social network will also make use of a more personal approach to CAPTCHAs, asking users to identify photos of friends rather than a set of sloppy numbers and letters.
01/27/11 9:18 AM PT
Facebook announced new measures Wednesday aimed at improving users' security when visiting the site. The news came with an intriguing twist: Mere hours prior to the announcement, it was revealed that the Facebook fan page of the company's CEO, Mark Zuckerberg, was compromised by a hacker.
While some online skeptics linked Facebook's new security features -- broader use of the HTTPS protocol and a new form of authentication -- to the Zuckerberg hack, at least one security expert discounted that connection.
"It was coincidental," Chet Wisniewski, a security adviser with Sophos, a cybersecurity firm based in Burlington, Mass., told TechNewsWorld. "The amount of effort it takes for them to enable their systems to provide something like SSL or social authentication is months of research and work on their behalf."
Facebook attributed the Zuckerberg hack to a "bug" which it said it has squashed.
Facebook announced the new security measures at its company blog. It linked the measures to Data Privacy Day, which is being celebrated Friday. The day is an effort to boost security awareness mounted by governments, businesses and advocacy groups around the world.
Facebook already uses HTTPS, which encrypts information sent over a computer network, to protect passwords sent to the system. That has now been expanded to cover all communication with the service, not just the moment when the user signs on. "Starting today, we'll provide you with the ability to experience Facebook entirely over HTTPS," Facebook security engineer Alex Rice wrote in the company's blog.
Maintaining an HTTPS connection throughout one's Facebook session should thwart attempts by hackers to snoop on others via public networks using tools like Firesheep, a Firefox plug-in that Net Security.org.
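The gap that full-session HTTPS closes is easy to model: after a login over HTTPS, a session cookie that lacks the Secure attribute is sent again in the clear on every plain-HTTP page load, which is exactly what a passive sniffer on a public network captures. The following is an added example, not Facebook's or the article's code; the hostname, cookie value and header set are constructed for illustration, and it checks the two defender-side properties (a Secure session cookie and a Strict-Transport-Security header) that a full-HTTPS deployment would carry.

```python
# Added example (not Facebook's code): why login-only HTTPS still exposes a
# session to passive sniffers, and what a full-HTTPS login response looks like.
from urllib.parse import urlsplit

def parse_set_cookie(header):
    """Minimal Set-Cookie parser: returns (cookie name, {"secure": bool})."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {p.split("=", 1)[0].lower(): True for p in parts[1:] if p}
    return name, {"secure": "secure" in attrs}

def cookie_sent(cookie, url):
    """RFC 6265 section 5.4: a Secure cookie is only attached to https requests."""
    return urlsplit(url).scheme == "https" or not cookie["secure"]

def cleartext_exposures(set_cookie, requests):
    """URLs at which the session cookie would travel unencrypted over the wire."""
    _, cookie = parse_set_cookie(set_cookie)
    return [u for u in requests
            if urlsplit(u).scheme == "http" and cookie_sent(cookie, u)]

def audit_headers(headers):
    """Defender-side check of a login response; returns a list of findings."""
    findings = []
    name, cookie = parse_set_cookie(headers["Set-Cookie"])
    if not cookie["secure"]:
        findings.append(f"session cookie '{name}' lacks Secure; it will be sent over http")
    if "strict-transport-security" not in {k.lower() for k in headers}:
        findings.append("no Strict-Transport-Security; browser will follow http:// links")
    return findings

# Constructed sample session: log in over HTTPS, then browse over plain HTTP.
SESSION = ["https://example.test/login", "http://example.test/home",
           "http://example.test/photos"]
# Constructed login responses: login-only HTTPS versus full-session HTTPS.
LOGIN_ONLY = {"Set-Cookie": "sid=c0nstructed; Path=/"}
FULL_HTTPS = {"Set-Cookie": "sid=c0nstructed; Path=/; Secure",
              "Strict-Transport-Security": "max-age=31536000"}

if __name__ == "__main__":
    print(cleartext_exposures(LOGIN_ONLY["Set-Cookie"], SESSION))
    print(audit_headers(LOGIN_ONLY), audit_headers(FULL_HTTPS))
```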
"You should consider enabling this option if you frequently use Facebook from public Internet access points found at coffee shops, airports, libraries or schools," he added.
Members should use HTTPS even more often than that, asserted Wisniewski. "Facebook should turn it on by default," he said. "I don't like the idea that users should be forced to opt in to something that's good for them."
Facebook's Rice warned members that enabling HTTPS could make the service appear to run slower. "That's bupkis," Wisniewski declared.
"If you can tell it's 50 milliseconds slower, then you may notice," he explained. "The reality is that the experience won't really change for users. It will just enhance their security."
A New Kinda CAPTCHA
Another new security feature is something Facebook is calling "social authorization." It's similar to the CAPTCHA systems found at many websites to foil automated spam attacks.
Instead of using a CAPTCHA puzzle -- typically an image consisting of words in distressed and distorted type -- social authorization requires a Facebook member to identify photos of their friends. "Hackers halfway across the world might know your password, but they don't know who your friends are," Rice reasoned.
The system may be effective against automated attacks by "bots" on a member's account, but less effective against more intimate intruders. "The bot won't be smart enough to identify your friends," Wisniewski explained. "But it won't stop your kid sister or your wife or someone who knows you well enough to get past it."
While praising Facebook's latest security moves, some privacy watchers maintained that the social network still has a long way to go in that area.
The security measures can help foil active hackers, noted Michael Fertik, CEO of Reputation.com, a Redwood City, Calif.-based maker of privacy software. The real concern for the public, however, is what happens to private information as it's used by websites, applications and by third parties, he maintained.
Thick Walls Riddled With Open Doors
Although Facebook's move may bolster the security of its system, the issue of what the social network does with the information it holds remains a burning one. "The walls have gotten thicker, but there are 50 open doors," Fertik told TechNewsWorld.
Additional Facebook security features are always welcome, said Zeljka Zorz, news editor at Net Security.org. However, as much as users might complain and assert that Facebook should stop sharing their information, it's not likely to ever do so.
"Face it -- it's never going to happen," she told TechNewsWorld. "So you might as well use your judgment and decide not to enter information you don't want to share with the world." [*Correction - Jan. 28, 2011]
*ECT News Network editor's note - Jan. 28, 2011: In our original publication of this article, Zeljka Zorz was quoted as saying "Facebook should stop sharing our information, but let's face it. It's never going to happen. You have to use your judgment and decide what information you don't want to share with the world." In fact, her exact words were, "We often complain about Facebook's economic agenda whose goal is to make as much of our private information public and available to advertisers, and every time they do enforce new features, we say that's all good and well, but they should stop with the sharing of our information. Face it -- it's never going to happen. So you might as well use your judgment and decide not to enter information you don't want to share with the world."