back to article Facebook offers 500 million users SSL crypto

Facebook is giving all users the option of accessing its social networking service via SSL encryption. The move comes a day after pranksters hacked into the Facebook page of CEO Mark Zuckerberg and less than a month after the company reportedly turned on SSL encryption for anyone viewing the site inside Tunisia, where malicious …

COMMENTS

This topic is closed for new posts.

FAIL

Facebook SSL, great idea, but not an option available to me yet.

Facebook SSL, great idea, but not an option available to me yet.

Guess that's a fail then...

4
7

This post has been deleted by its author

FAIL

Scratch one for American stereotypes...

Please read the entire article, not just the headline.

1
0

This post has been deleted by its author

Bronze badge

More details from anyone please.

Can someone explain how it saves money by making users turn the feature on themselves instead of FaceBook doing so automatically? Just curious....

0
0
Vic
Silver badge

SSL and cash

> Can someone explain how it saves money

SSL uses more data to transfer the same amount of content - you've got overheads in the encryption setup, etc.

By not using SSL, FB will have less bandwidth to pay for. With an organisation of that size, that might make a noticeable difference.

But saving money by doing stupid things with security shouldn't be an option. This sort of penny-pinching is exactly what FireSheep was supposed to highlight. It appears to have failed :=(

Vic.

3
2
Bronze badge

The cost is in the computing power required

Extra computing power is needed to encrypt and decrypt secure communications, so the more people who enable the feature, the more it will cost. The amount it cost Facebook to implement it in the first place is approximately zero - the software is there anyway.

2
0

SSL overhead

The crypto needed for SSL takes some processing power, multiply that by millions of users, and you need to buy more hardware.

bernard

2
0
Stop

"SSL Overhead"

This so-called overhead is more a systems management overhead than a real hardware investment. Facebook, which is the largest internet service now by many measures, would need to spend less than 5 million $ on this technology:

http://en.wikipedia.org/wiki/SSL_accelerator

Compared to hundreds of million revenue that's simply negligible. But their friends in government can't perform easy datamining and snooping, that's much more of an issue.

0
0
Anonymous Coward

Nice try, Vic, but...you're dead wrong on the facts

An SSL login takes a tiny bit of overhead (which is already present, and on only ONE page) but all subsequent pages are handled through that SESSION cookie - the same EXACT cookie is used for EVERY page AND SSL ALSO compresses pages before they are encrypted and your browser decrypts them. You should read Google's own report from November 2010 where a team of 7 employees took 4 (FOUR) hours of Google's time to turn on encryption for ALL of the rest of their services (they had already fully turned on encryption in gmail back in July of 2010). The team estimated the move cost Google just over 70,000 dollars - that is equivalent to 70 cents for you and me. Google has FAR MORE than 500 million users.

Encryption overhead for both servers AND LOCAL ROUTERS IN SCHOOLS AND COFFEE SHOPS have not shown appreciable nor even measurable decreases in headroom when using FULL, BEST encryption for over 8 years.

The REAL problem is that Google has NOT deployed SSL for ALL of its customers yet. Anecdotally, I have 4 FB accounts and only ONE of them has the new settings made available!

0
0
Vic
Silver badge

Brimming over in wrongabililty...

> An SSL login takes a tiny bit of overhead

So there is an overhead.

Which is what I said.

You're arguing the same point as me, then claiming I'm wrong? It's little wonder you post anonymously.

Vic.

0
0
Boffin

Taylor 1

There's more server & bandwidth overhead with SSL, so it costs the people running the server more money per user in those terms. Having said that, the added expense is probably overstated, as Google claims that switching all gmail access to SSL only added 2% to their overhead. Granted, email is mostly text while Facebook is mostly intellectually masturbatory pictures, which requires more bandwidth than most mail viewing does.

1
0
Paris Hilton

not yet...

Taylor 1 - It uses more computing power to host an SSL session, so times it by 500million users and the cost rises considerably.

Also echoing above, not got the option for SSL yet, but as soon as it turns up, it'll be turned on!

Similar to paris in that respect.

1
1
E 2

Nope, fail.

At least in Canada. There are no HTTPS options anywhere that I can find.

0
3
FAIL

Jumped the gun?

No SSL option here for UK account

1
2
Go

No option

Instead of looking for a button, just stick an extra s in the address: https://www.facebook.com

Just tried it and it's rather slow and no chat. Seems to be a bit beta.

We should have a "Going but bit of a lame dog" icon...

1
0
Badgers

https

Thanks! I couldn't find an option in account settings either. No chat you say? Just keeps getting better and better!

0
0

Kind of a fail on the part of the article

Facebook specifically said that they're "rolling it out"- i.e. it's not an instant thing. So I guess everyone just has to wait a bit.

1
3

Fail in the US too

Nothing for me in the US either. Are they only allowing certain accounts or have they not yet updated?

0
4

HTTPS Everywhere

If I'm not mistaken, the https everywhere addon for firefox forces this already? Sure it breaks a few of the more annoying features (like chat), but still.

As for identifying your friends' photos for security, I wonder just how they'll implement that one. They surely (being the ever privacy conscious bunch that they are) won't display my friends' private pictures to any random person purporting to be me?

And that's assuming I can identify them from the random shit they get tagged in when it's not them, their baby photos, or the 846,684 people I am "friends" with in addition to anyone I know! Stupid Mafia wars!

1
0
Anonymous Coward

Forever changing

My friends are forever changing their pics, and because I use it to keep in contact with either family, a couple of real friends and lots of horror fans (basically use it as a horror network) it could be next to impossible for me to identify some of the friends. Hardly anyone uses their own picture for their profile anyway! Any that do are just vain!

1
0

"Social authentication" - old news

The photo-based authentication has been in place for several months at least -- I was on holiday in November and when I logged on from Cybercaffs it said I'd connected from a new location and had to verify myself.

You're presented with several pics of the same person (I can't recall the exact number), drawn seemingly at random from tagged photos and a selection of several friends' names to choose from. This happens 4 or 5 times, and you're given the option to skip (I think you get 3 chances to skip) just in case the photos are bad or it's someone you don't really "know" know.

It's a sensible system, but there's two little flaws.

1) It seems to select very strongly connected people (one of my brothers or sisters was always included) so if the attacker knows you at all, he's likely to know these people. Of course, this is because they're trying to make it easy for *you* to recognise them, but hey-ho...

2) Judging by the wording of the message, it's about registering the location the first time you connect from there, so if you're in an unscrupulous cybercaff, the same people who sniff your login details will have access to the terminal/subnet/geographic location (whatever it is that Facebook considers a location) you used to connect, which will now (presumably) be whitelisted by Facebook.

It's a step in the right direction, but they've got a very, very long way to go yet....

0
0

The title is required, and must contain letters and/or digits.

https://www.eff.org/https-everywhere

Should work with facebook, though some apps don't work.

1
0
Bronze badge

I put in a web address

into the "enhanced security" annoyance box and it didn't care. If I knew how to write SQL injection or something that should get filtered or neutered or rejected, I would. I on one occasion inserted some 150 characters random, letters, numbers and symbols, and it took that happily.

Sigh.

0
0
Anonymous Coward

SSL a necessary step to...

This is pre-empting their recent (but largely expected) decision to make all forms of facebook game virtual currency purchasable only via facebook credits.

When you start forcefully leveraging your micropayment mechanisms into third-party facebook applications, you'd better be sure it's secure.

0
0
WTF?

How will that help

"If Facebook suspects your account has been compromised, it may show you pictures of your online friends and ask you to identify them."

If someone has compromised my account they have access to all my friends so unless they put a fast timer on it they can check to see who that drunk is in the picture ;)

2
0
FAIL

has been around for ages actually.

however it stops you using FB chat so i turned it off

0
0

verifying friends captcha

@dpf44, I've had my FB account compromised twice after accessing it over my cell phone via EDGE.

Each time, Facebook has told me where the user logged in from (a business center not far from where I live) and forced me to verify pictures of my friends.

They'll show you (for example) 4 pictures on the page from one of your friends' accounts. They then list 5 names of your friends and you have to select which name the photos belong to. Sometimes it can be difficult but your friends might have tagged themselves in a lot of random pictures which aren't actually of them.

You have to go through 4 or 5 pages like this.

Although my numbers may be a little bit off (how many photos are shown and how many friends names are shown, this is the general idea).

0
0
Bronze badge

What a poor security proof tool

All any miscreant has to do is go through a victim's friends list, print the list of friends, and then keep them on hand for the subsequent match-up. FB needs some better tool. Having us re-insert our e-mail address and phone number seems bizarre, since if the stream is intercepted, a hacker/cracker/other can see that, too.

Even if a phone display can read thumb prints, that'll get hacked/cracked, too.

0
0
FAIL

From the FB blog

"We are rolling this out slowly over the next few weeks, but you will be able to turn this feature on in your Account Settings soon. We hope to offer HTTPS as a default whenever you are using Facebook sometime in the future."

Sigh ... With service like this, they seem more like Microsoft every day ... Maybe their next big thing will be a helpful paperclip type assistant ;-)

0
0

social authentication

I've used this today and it's a nightmare. I really struggled to tell which mr men character one of my friends had been tagged as, or recognise a 30 year old friend from the picture of them when they were 3!

clearly this was designed by someone living in some sort of fantasy world of facebook!

5
0
Bronze badge

Mr or...

"I really struggled to tell which mr men character one of my friends had been tagged as,"

Then, in that case, that makes them MYSTERY MEN...

0
1

This post has been deleted by its author

Bronze badge
FAIL

clearly this was designed by someone

I've just been tagged as a branch on a Christmas Tree and before that as a rock on a stony beach. I have no idea why other than, I expect, friends can make me see a picture immediately.

When it comes to identifying me from these pictures I expect that it's going to be rather hard.

0
0
Bronze badge

In the SF Bay area... And I still don't see any SSL Option...

In the SF Bay area... And I still don't see any SSL Option...

Curious, since the fb HQ is less than 35 miles from me... Maybe they see my use of Firefox? Nope. Same issue in Iexplorer... Android Phone/Internet Browser? No options present.... Android Phone/Dolphin Browser HD? Nope. Not present.

0
3
Bronze badge

3-thumbs down, huh?

35 miles from fb's HQ is NOT that far away. One would think on the domestic front that they'd pilot that feature almost immediately in the local area where it's likely to get some real-world hammering.

0
0
Anonymous Coward

ssl facebook has been around for months

If you install HTTPS-Anywhere for firefox it automatically tries https:// for every site you visit, facebook has been encrypted for me for months...

0
0
Silver badge

Like it

I like the way they promote it as doing more to keep your data secure. Perhaps they might then want to consider not rearranging and resetting privacy/security options and pimping the data out to 3rd parties? Oh sorry, I forgot, that's its reason for existence isn't it?

2
1
Joke

The real question

If your data is sensitive enough to need SSL encryption, is letting the shady guy in the corner of the coffee shop intercept it any worse than giving it to Facebook?

0
0

Eh?

Next thing you know plod will get up to speed with RIPA and start lead piping suspects for encrypting communications.

... Back to the Lingerie Pages then. Do they still deliver catalogues?

0
0
Boffin

RIPA doesn't beat perfect forward secrecy

Most of the time SSL uses symmetric session keys for the heavy crypto lifting. The secret keys and passwords are used to help establish these session keys, but you can't derive any long term secrets from these ephemeral keys which are securely created and agreed by both ends at the start of the session and deleted at both ends at the end of the session.

So plod can come knocking on my door with a proper warrant and get my passwords and secret keys in preference to my going to jail, but that still doesn't give plod access to my encrypted SSL session he sniffed from yesterday which is on his hard disk.

0
0
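The forward-secrecy property described in the comment above, as an added example that is not part of the original post: a toy Diffie-Hellman exchange comparing a handshake keyed directly by the server's long-term key with one that uses keys created for the session and discarded afterwards. The group parameters, function names and transcript layout are assumptions made for illustration.

```python
import hashlib
import secrets

# Toy group for illustration only (assumption): real TLS uses standardized
# 2048-bit+ groups or elliptic curves, and signs the exchange.
P = 2**255 - 19   # a prime
G = 2

def keypair():
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)

def kdf(shared):
    # Derive a symmetric session key from the shared secret.
    return hashlib.sha256(shared.to_bytes(32, "big")).digest()

def static_handshake(server_priv):
    """Client key is fresh, but the server's long-term key does the key agreement."""
    c_priv, c_pub = keypair()
    session_key = kdf(pow(c_pub, server_priv, P))                      # server side
    assert session_key == kdf(pow(pow(G, server_priv, P), c_priv, P))  # client side
    return session_key, {"client_pub": c_pub}

def ephemeral_handshake(server_priv):
    """Both sides use fresh keys; server_priv would only sign the exchange (omitted)."""
    c_priv, c_pub = keypair()
    s_priv, s_pub = keypair()
    session_key = kdf(pow(c_pub, s_priv, P))                           # server side
    assert session_key == kdf(pow(s_pub, c_priv, P))                   # client side
    del c_priv, s_priv   # both ends discard the session's private values
    return session_key, {"client_pub": c_pub, "server_pub": s_pub}

def recover_from_recording(transcript, disclosed_long_term_priv):
    """What recorded public values plus a later-disclosed long-term key yield."""
    return kdf(pow(transcript["client_pub"], disclosed_long_term_priv, P))

def demo():
    long_term_priv, _ = keypair()
    k_static, t_static = static_handshake(long_term_priv)
    k_eph, t_eph = ephemeral_handshake(long_term_priv)
    return (recover_from_recording(t_static, long_term_priv) == k_static,
            recover_from_recording(t_eph, long_term_priv) == k_eph)

if __name__ == "__main__":
    print(demo())
```

Whether a given HTTPS session has this property depends on the key exchange the server negotiates, so it is a server configuration choice rather than something SSL provides automatically.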
FAIL

oh feel a fail coming on...

"With today's blog post, the company also introduced what it calls "social authentication". If Facebook suspects your account has been compromised, it may show you pictures of your online friends and ask you to identify them."

I have about 500 'friends' and the only thing we know about each other is we play mafia wars.

I could only name less than 10 by sight.

1
0
Thumb Up

Of course, say you're actually popular...

Social authentication goes wrong very quickly if you're even moderately popular because of your job (author, singer, what have you) and you have a few hundred "friends" or more. Good luck identifying people you've never met.

Incidentally, this feature has been in use at least since July, which is when I first saw it and went "how is this useful unless you know everyone in your friends list? which isn't how people use facebook?"

0
0
Anonymous Coward

Knowing Your Friends

"how is this useful unless you know everyone in your friends list? which isn't how people use facebook?"

I've never understood people who are friends with folk they don't know. In my day, you had to know someone first before you considered them a friend. Now, get off my lawn!

PS I do have a facebook account (sadly) and every single one of my facebook friends I knew first in real life. But that's what happens when you grew up in the pre-facebook era.

1
0
Silver badge
FAIL

Like putting a bloody great padlock on a field

The weak security IS Facebook as well as its policies.

Putting on front end security will do little good if Zuckerberg is selling the info.

1
0
Thumb Up

Photo Validation

I was travelling for four months across India, Sri Lanka and Nepal. Every time I logged in from a new region in India or a new country this photo validation fired up.

It's surprisingly well written and designed actually - they realise that not all photos are perfectly tagged so it's not one strike and you're out. It randomly picks a few photos (so unlikely to expose anything) PLUS you need to have got your password right first to see the pics!!!!

Credit where credit's due - I thought this was a very novel approach to ensuring account security and having had a few other accounts hacked from internet cafe key logging I'm all for it! HTTPS won't do anything for the key logging!

0
0
Jobs Horns

Facebook Friends>??

That is the one thing that I avoided like the plague on Face Book... because MOST of the people were "stamp collection" friends...

Remember their names?

I would not even remember "having added" them or having "been added" by them, the next day.

If you want REAL WORLD friends, then offer to do an hour's worth of work for everyone in your neighbourhood, every day, for a year.

Fuck Facebook and this imaginary online drivel......

0
0
Heart

over your head?

for those who predictably say... "FAIL can't see this option!" did you absorb paragraph 4?

"Facebook says that the new tool will be rolled out "slowly" over the next few weeks. Once it's available to you, you can turn on your HTTP connection by visiting the "Account Security" section of Facebook's Account Settings page."

You do you must want somit' to pout about ;)

0
0
