God knows I understand that going from one Web site to another with one login and password scheme after the other is a real pain-in-the-rump. After the Gawker password fiasco it's become clearer than ever that using the same brain-dead simple login and password from one system to another is clearly dumb. But, the idea of using Facebook (Facebook!?) Connect as a universal Internet login and password system makes me want to gag.
You see, Facebook is insecure by design, and privacy gets only a minimal amount of programming and lip-service. Sure, you can make your Facebook information safe, well, safer anyway, but who has the time to be constantly plugging in Facebook's privacy holes? Especially since Facebook keeps opening up more and more of your personal information to vendors.
For example, Facebook quietly announced just before the recent three-day weekend that it was opening up a way for third-party Facebook app developers to get to your snail-mail addresses and phone numbers. Isn't that nice of them? I know I want the likes of Zynga, makers of FarmVille, and all their partners, to have my home address and phone number.
Facebook has backed off a bit on this. While still insisting that "you need to explicitly choose to share this data before any application or website can access it, and you can not share your friends' address or mobile number with applications," Facebook also acknowledged that it needs to make "people more clearly aware of when they are granting access to this data. … [and] are making changes to help ensure you only share this information when you intend to do so. We'll be working to launch these updates as soon as possible, and will be temporarily disabling this feature until those changes are ready. We look forward to re-enabling this improved feature in the next few weeks."
Fine and dandy, but I still trust Facebook about as much as I do Goldman Sachs' fouled up Facebook IPO. Regardless of that, though, hundreds of millions trust Facebook enough to keep using it. What I'm more concerned about today is that more and more Web sites are using Facebook Connect for their login and password management.
I started noticing this myself in the last few weeks as I kept stumbling over more and more sites, such as the Internet Movie Database (IMDB) and ESPN, that would let me log into them using Facebook. I was beginning to think about looking into this trend when I found that others were already looking into it.
According to a Technology Review report, more and more Web sites are essentially out-sourcing their identity systems to Facebook. The Web sites get more than just an easy way to log you into their site, though. Those sites also get access to some, or all, of your personal data, depending on your privacy settings and whatever security blunder Facebook is currently making. Does ESPN need to know who my friends are? I don't think so.
Worse still, besides Facebook's privacy problems, Facebook's login and password system still has two major security holes: its use of a single user name and password, and an unencrypted tracking cookie. It's the latter that enables Firesheep, the easy-to-use network eavesdropper program, to snoop on your Facebook sessions. And, oh yes, if you log into a site using Facebook Connect, those Web sessions as well.
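As an added illustration of the cookie weakness just described (example code written for this page, not from the column, Facebook or Firesheep), the following Python audits Set-Cookie headers for the missing Secure flag that lets a browser send a session cookie over plain HTTP, where a passive sniffer can read it. The header values are constructed, and the session-name heuristic is an assumption.

```python
# Added example: audit Set-Cookie headers for the cookie weakness the column
# points at.  A cookie set without the Secure attribute is sent over plain
# HTTP as well as HTTPS, so anyone sniffing the network can copy it and
# replay the session.  All header values here are constructed samples.
from typing import Dict, List

# Name fragments treated as session identifiers (an assumption for this audit).
SESSION_HINTS = ("sess", "sid", "token", "auth", "login")


def parse_set_cookie(header_value: str) -> Dict[str, object]:
    """Split one Set-Cookie value into its name, value and attribute map."""
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()  # bare flags map to ""
    return {"name": name.strip(), "value": value.strip(), "attrs": attrs}


def audit_set_cookie(header_value: str) -> List[str]:
    """Return findings for one cookie; an empty list means it is hardened."""
    cookie = parse_set_cookie(header_value)
    name, attrs = cookie["name"], cookie["attrs"]
    kind = "session cookie" if any(h in name.lower() for h in SESSION_HINTS) else "cookie"
    findings = []
    if "secure" not in attrs:
        findings.append(f"{name}: {kind} lacks Secure, so it travels over plain HTTP")
    if "httponly" not in attrs:
        findings.append(f"{name}: {kind} lacks HttpOnly, so page scripts can read it")
    return findings


def exposed_over_http(set_cookie_headers: List[str]) -> List[str]:
    """Names of cookies a browser would also attach to a plain http:// request,
    i.e. exactly the ones a passive network sniffer could capture and replay."""
    return [parse_set_cookie(h)["name"] for h in set_cookie_headers
            if "secure" not in parse_set_cookie(h)["attrs"]]


WEAK = "sessionid=abc123; Path=/; Domain=.example.com"
HARDENED = "sessionid=abc123; Path=/; Domain=.example.com; Secure; HttpOnly; SameSite=Lax"

if __name__ == "__main__":
    for header in (WEAK, HARDENED):
        print(header, "->", audit_set_cookie(header) or ["ok"])
    print("visible to a sniffer:", exposed_over_http([WEAK, HARDENED, "theme=dark; Path=/"]))
```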
So, what can you do? Well, for starters, if you're going to use Facebook, lock it down using ZDNet's The Definitive Facebook Lockdown Guide, and every time Facebook asks you for some new permission to share your data, just say no.
As for using Facebook to access other sites, are you crazy? It's bad enough that Facebook is such a security mess, but to trust it to be my universal Internet driver's license? No. Just no. This is a security disaster that's just waiting to happen, and I have no intention of being caught in it.