Far too many people still aren’t taking the Web security holes that Firefox exposed seriously. I can still sit in any coffee house and look over most users’ shoulders to see what they’re doing on the Web. Facebook to its credit though has taken the threat seriously and is now offering secure Internet connections using HTTPS to its users.
According to Alex Rice, a Facebook security engineer, “Starting today we’ll provide you with the ability to experience Facebook entirely over HTTPS. You should consider enabling this option if you frequently use Facebook from public Internet access points found at coffee shops, airports, libraries or schools. The option will exist as part of our advanced security features, which you can find in the ‘Account Security’ section of the Account Settings page.”
Rice adds, “There are a few things you should keep in mind before deciding to enable HTTPS. Encrypted pages take longer to load, so you may notice that Facebook is slower using HTTPS. In addition, some Facebook features, including many third-party applications, are not currently supported in HTTPS. We’ll be working hard to resolve these remaining issues. We are rolling this out slowly over the next few weeks, but you will be able to turn this feature on in your Account Settings soon. We hope to offer HTTPS as a default whenever you are using Facebook sometime in the future.”
That’s not quite true. Transport Layer Security (TLS) and Secure Sockets Layer (SSL) or TLS/SSL over HTTP (HTTPS) used to be costly in terms of computer performance. Today, though, if you have a newer PC and you’re not running multiple applications running at once, you shouldn’t notice any significant performance penalty.
If you’re using a smartphone or a tablet, like an iPad, it’s a different story though. As Jason Perlow pointed out a while back, “The problem is that smartphone embedded processors, as they exist today, are completely unequipped to do end-to-end SSL and TLS encryption all of the time. They’re just not powerful enough to do the constant integer math required to do all their web communication fully encrypted for every running app talking to the Internet, it would significantly bog down performance.”
The real reason most major sites haven’t switched over to TLS, SSL, or HTTPS is that providing that level of security to millions of users at once requires either additional server hardware or SSL accelerator appliances. If privacy really does matter though to companies, eventually all the social networking sites will start offering encrypted Internet connections.
In addition, Facebook is adding a new kind of CAPTCHA (Completely Automated Public Turing Test) to tell bots or hackers trying to break into your account from you. The older CAPTCHA techniques were pretty much all busted by 2008. You still see those wiggly letter tests everywhere, but they’re not a serious defense against any serious cracker. If a computer can’t break one, there are lots of underemployed Indians willing to do it for cash.
So, Facebook, which had been burned multiple times by hackers creating new accounts despite CAPTCHA “protection” is now trying “social authentication. We will show you a few pictures of your friends and ask you to name the person in those photos. Hackers halfway across the world might know your password, but they don’t know who your friends are.”
Well, not yet anyway. Image-based CAPTCHA has been tried before, but to the best of my knowledge this is the first time anyone has tried it on such a large scale and on a personal level. Earlier forms of image CAPTCHA required you to trace out an outline or identify a generic image-e.g. find the kitten in a set of photos mostly of puppies.
I’m not sure how well this will work in the long run-for example, I’ve never met many of my Facebook friends in person and I’m none too sure I could pick some of them out-but it’s worth a try. Now, if Facebook could only start working on its own internal security holes, I’d be totally happy with Facebook’s renewed interest in security and privacy.
