Facebook secures your Internet Connection

Summary: Maybe Facebook still isn't doing much for your privacy once you're on the site, but at least the social network is working on securing your Internet connection.


Far too many people still aren't taking the Web security holes that Firefox exposed seriously. I can still sit in any coffee house and look over most users' shoulders to see what they're doing on the Web. Facebook, to its credit, has taken the threat seriously and is now offering its users secure Internet connections using HTTPS.

According to Alex Rice, a Facebook security engineer, "Starting today we'll provide you with the ability to experience Facebook entirely over HTTPS. You should consider enabling this option if you frequently use Facebook from public Internet access points found at coffee shops, airports, libraries or schools. The option will exist as part of our advanced security features, which you can find in the 'Account Security' section of the Account Settings page."

Rice adds, "There are a few things you should keep in mind before deciding to enable HTTPS. Encrypted pages take longer to load, so you may notice that Facebook is slower using HTTPS. In addition, some Facebook features, including many third-party applications, are not currently supported in HTTPS. We'll be working hard to resolve these remaining issues. We are rolling this out slowly over the next few weeks, but you will be able to turn this feature on in your Account Settings soon. We hope to offer HTTPS as a default whenever you are using Facebook sometime in the future."

That's not quite true. Transport Layer Security (TLS) and Secure Sockets Layer (SSL) or TLS/SSL over HTTP (HTTPS) used to be costly in terms of computer performance. Today, though, if you have a newer PC and you're not running multiple applications at once, you shouldn't notice any significant performance penalty.

If you're using a smartphone or a tablet, like an iPad, it's a different story though. As Jason Perlow pointed out a while back, "The problem is that smartphone embedded processors, as they exist today, are completely unequipped to do end-to-end SSL and TLS encryption all of the time. They're just not powerful enough to do the constant integer math required to do all their web communication fully encrypted for every running app talking to the Internet, it would significantly bog down performance."

The real reason most major sites haven't switched over to TLS, SSL, or HTTPS is that providing that level of security to millions of users at once requires either additional server hardware or SSL accelerator appliances. If privacy really does matter to companies, though, eventually all the social networking sites will start offering encrypted Internet connections.

In addition, Facebook is adding a new kind of CAPTCHA (Completely Automated Public Turing Test) to tell bots or hackers trying to break into your account from you. The older CAPTCHA techniques were pretty much all busted by 2008. You still see those wiggly letter tests everywhere, but they're not a serious defense against any serious cracker. If a computer can't break one, there are lots of underemployed Indians willing to do it for cash.

So, Facebook, which had been burned multiple times by hackers creating new accounts despite CAPTCHA "protection," is now trying "social authentication. We will show you a few pictures of your friends and ask you to name the person in those photos. Hackers halfway across the world might know your password, but they don't know who your friends are."

Well, not yet anyway. Image-based CAPTCHA has been tried before, but to the best of my knowledge this is the first time anyone has tried it on such a large scale and on a personal level. Earlier forms of image CAPTCHA required you to trace out an outline or identify a generic image, e.g., find the kitten in a set of photos mostly of puppies.

I'm not sure how well this will work in the long run (for example, I've never met many of my Facebook friends in person and I'm none too sure I could pick some of them out), but it's worth a try. Now, if Facebook could only start working on its own internal security holes, I'd be totally happy with Facebook's renewed interest in security and privacy.

  • Firefox Noscript plugin asserts https for any site that supports SSL

    Set Options->Advanced "Force the following sites to use secure (HTTPS) connections": *.facebook.com
    Dietrich T. Schmitz, ~ Your Linux Advocate
  • Not good enough...

    ...faceplant couldn't buy a security clue with all its ad dollars.
  • Misleading title and...

    Facebook doesn't secure your "internet" connection, they just enabled HTTPS. Also, what's the point in doing this if they open more and more of your private data, photos etc to outsiders as regular as clockwork?
  • Too bad it doesn't work yet

  • Simple

    Just don't use Facebook. Shocker: The internet can be accessed without it!
  • Smart Move

    Bravo! Facebook has helped us take a big step toward a safer online experience. I work for Symantec, and we commend this development. You note that users shouldn't notice a lag in performance, and I think that even if there is a slight delay, it's worth it. Gmail made SSL their default a year ago, and it has worked just fine.
  • Privacy?

    This is of course a GREAT leap in social authentication.

    But consider this one too.
    If Facebook is showing your personal images and friends, those images might show where you've been, what you've done, what you did with whom and what.

    It makes no sense at all if the hacker is halfway across the world. But what if he is a couple of blocks away from your house? Normally whoever hacks you in the practical world is near you.
    With this image thing, they might get the info about you just by typing your username.
    Madushan Siriwardena