Facebook is giving all users the option of accessing its social networking service via SSL encryption. The move comes a day after pranksters hacked into the Facebook page of CEO Mark Zuckerberg and less than a month after the company reportedly turned on SSL encryption for anyone viewing the site inside Tunisia, where malicious …
Facebook SSL, great idea, but not an option available to me yet.
Guess that's a fail then...
Scratch one for American stereotypes...
Please read the entire article, not just the headline.
More details from anyone please.
Can someone explain how it saves money by making users turn the feature on themselves instead of FaceBook doing so automatically? Just curious....
SSL and cash
> Can someone explain how it saves money
SSL uses more data to transfer the same amount of content - you've got overheads in the encryption setup, etc.
By not using SSL, FB will have less bandwidth to pay for. With an organisation of that size, that might make a noticeable difference.
But saving money by doing stupid things with security shouldn't be an option. This sort of penny-pinching is exactly what FireSheep was supposed to highlight. It appears to have failed :=(
The cost is in the computing power required
Extra computing power is needed to encrypt and decrypt secure communications, so the more people who enable the feature, the more it will cost. The amount it cost Facebook to implement it in the first place is approximately zero - the software is there anyway.
The crypto needed for SSL takes some processing power, multiply that by millions of users, and you need to buy more hardware.
This so-called overhead is more a systems management overhead than a real hardware investment. Facebook, which is the largest internet service now by many measures, would need to spend less than 5 million $ on this technology:
Compared to hundreds of million revenue that's simply negligible. But their friends in government can't perform easy datamining and snooping, that's much more of an issue.
Nice try, Vic, but...you're dead wrong on the facts
An SSL login takes a tiny bit of overhead (which is already present, and on only ONE page) but all subsequent pages are handled through that SESSION cookie - the same EXACT cookie is used for EVERY page AND SSL ALSO compresses pages before they are encrypted and your browser decrypts them. You should read Google's own report from November 2010 where a team of 7 employees took 4 (FOUR) hours of Google's time to turn on encryption for ALL of the rest of their services (they had already fully turned on encryption in gmail back in July of 2010). The team estimated the move cost Google just over 70,000 dollars - that is equivalent to 70 cents for you and me. Google has FAR MORE than 500 million users.
Encryption overhead for both servers AND LOCAL ROUTERS IN SCHOOLS AND COFFEE SHOPS have not shown appreciable nor even measurable decreases in headroom when using FULL, BEST encryption for over 8 years.
The REAL problem is that Google has NOT deployed SSL for ALL of its customers yet. Anecdotally, I have 4 FB accounts and only ONE of them has the new settings made available!
Brimming over in wrongabililty...
> An SSL login takes a tiny bit of overhead
So there is an overhead.
Which is what I said.
You're arguing the same point as me, then claiming I'm wrong? It's little wonder you post anonymously.
There's more server & bandwidth overhead with SSL, so it costs the people running the server more money per user in those terms. Having said that, the added expense is probably overstated, as Google claims that switching all gmail access to SSL only added 2% to their overhead. Granted, email is mostly text while Facebook is mostly intellectually masturbatory pictures, which requires more bandwidth than most mail viewing does.
Taylor 1 - It uses more computing power to host an SSL session, so times it by 500million users and the cost rises considerably.
Also echoing above, not got the option for SSL yet, but as soon as it turns up, it'll be turned on!
Similar to paris in that respect.
At least in Canada. There are no HTTPS options anywhere that I can find.
Jumped the gun?
No SSL option here for UK account
Instead of looking for a button, just stick an extra s in the address: https://www.facebook.com
Just tried it and it's rather slow and no chat. Seems to be a bit beta.
We should have a "Going but bit of a lame dog" icon...
Thanks! I couldn't find an option in account settings either. No chat you say? Just keeps getting better and better!
Kind of a fail on the part of the article
Facebook specifically said that they're "rolling it out"- i.e. it's not an instant thing. So I guess everyone just has to wait a bit.
Fail in the US too
Nothing for me in the US either. Are they only allowing certain accounts or have they not yet updated?
If I'm not mistaken, the https everywhere addon for firefox forces this already? Sure it breaks a few of the more annoying features (like chat), but still.
As for identifying your friends' photos for security, I wonder just how they'll implement that one. They surely (being the ever privacy-conscious bunch that they are) won't display my friends' private pictures to any random person purporting to be me?
And that's assuming I can identify them from the random shit they get tagged in when it's not them, their baby photos, or the 846,684 people I am "friends" with in addition to anyone I know! Stupid Mafia wars!
My friends are forever changing their pics, and because I use it to keep in contact with either family, a couple of real friends and lots of horror fans (basically use it as a horror network) it could be next to impossible for me to identify some of the friends. Hardly anyone uses their own picture for their profile anyway! Any that do are just vain!
"Social authentication" - old news
The photo-based authentication has been in place for several months at least -- I was on holiday in November and when I logged on from Cybercaffs it said I'd connected from a new location and had to verify myself.
You're presented with several pics of the same person (I can't recall the exact number), drawn seemingly at random from tagged photos and a selection of several friends' names to choose from. This happens 4 or 5 times, and you're given the option to skip (I think you get 3 chances to skip) just in case the photos are bad or it's someone you don't really "know" know.
It's a sensible system, but there's two little flaws.
1) It seems to select very strongly connected people (one of my brothers or sisters was always included) so if the attacker knows you at all, he's likely to know these people. Of course, this is because they're trying to make it easy for *you* to recognise them, but hey-ho...
2) Judging by the wording of the message, it's about registering the location the first time you connect from there, so if you're in an unscrupulous cybercaff, the same people who sniff your login details will have access to the terminal/subnet/geographic location (whatever it is that Facebook considers a location) you used to connect, which will now (presumably) be whitelisted by Facebook.
It's a step in the right direction, but they've got a very, very long way to go yet....
The title is required, and must contain letters and/or digits.
Should work with facebook, though some apps don't work.
I put in a web address
into the "enhanced security" annoyance box and it didn't care. If I knew how to write SQL injection or something that should get filtered or neutered or rejected, I would. I on one occasion inserted some 150 characters random, letters, numbers and symbols, and it took that happily.
SSL a necessary step to...
This is pre-empting their recent (but largely expected) decision to make all forms of facebook game virtual currency purchasable only via facebook credits.
When you start forcefully leveraging your micropayment mechanisms into third-party facebook applications, you'd better be sure it's secure.
How will that help
"If Facebook suspects your account has been compromised, it may show you pictures of your online friends and ask you to identify them."
If someone has compromised my account they have access to all my friends so unless they put a fast timer on it they can check to see who that drunk is in the picture ;)
has been around for ages actually.
however it stops you using FB chat so i turned it off
verifying friends captcha
@dpf44, I've had my FB account compromised twice after accessing it over my cell phone via EDGE.
Each time, Facebook has told me where the user logged in from (a business center not far from where I live) and forced me to verify pictures of my friends.
They'll show you (for example) 4 pictures on the page from one of your friends' accounts. They then list 5 names of your friends and you have to select which name the photos belong to. Sometimes it can be difficult but your friends might have tagged themselves in a lot of random pictures which aren't actually of them.
You have to go through 4 or 5 pages like this.
Although my numbers may be a little bit off (how many photos are shown and how many friends' names are shown), this is the general idea.
What a poor security proof tool
All any miscreant has to do is go through a victim's friends list, print the list of friends, and then keep them on hand for the subsequent match-up. FB needs some better tool. Having us re-insert our e-mail address and phone number seems bizarre, since if the stream is intercepted, a hacker/cracker/other can see that, too.
Even if a phone display can read thumb prints, that'll get hacked/cracked, too.
From the FB blog
"We are rolling this out slowly over the next few weeks, but you will be able to turn this feature on in your Account Settings soon. We hope to offer HTTPS as a default whenever you are using Facebook sometime in the future."
Sigh ... With service like this, they seem more like Microsoft everyday ... Maybe their next big thing will be a helpful paperclip type assistant ;-)
I've used this today and it's a nightmare. I really struggled to tell which mr men character one of my friends had been tagged as, or recognise a 30 year old friend from the picture of them when they were 3!
clearly this was designed by someone living in some sort of fantasy world of facebook!
"I really struggled to tell which mr men character one of my friends had been tagged as,"
Then, in that case, that makes them MYSTERY MEN...
clearly this was designed by someone
I've just been tagged as a branch on a Christmas Tree and before that as a rock on a stony beach. I have no idea why other than, I expect, friends can make me see a picture immediately.
When it comes to identifying me from these pictures I expect that it's going to be rather hard.
In the SF Bay area... And I still don't see any SSL Option...
Curious, since the fb HQ is less than 35 miles from me... Maybe they see my use of Firefox? Nope. Same issue in Iexplorer... Android Phone/Internet Browser? No options present.... Android Phone/Dolphin Browser HD? Nope. Not present.
3-thumbs down, huh?
35 miles from fb's HQ is NOT that far away. One would think on the domestic front that they'd pilot that feature almost immediately in the local area where it's likely to get some real-world hammering.
ssl facebook has been around for months
If you install HTTPS-Anywhere for firefox it automatically tries https:// for every site you visit, facebook has been encrypted for me for months...
I like the way they promote it as doing more to keep your data secure. Perhaps they might then want to consider not rearranging and resetting privacy/security options and pimping the data out to 3rd parties? Oh sorry, I forgot, that's its reason for existence isn't it?
The real question
If your data is sensitive enough to need SSL encryption, is letting the shady guy in the corner of the coffee shop intercept it any worse than giving it to Facebook?
Next thing you know plod will get up to speed with RIPA and start lead piping suspects for encrypting communications.
... Back to the Lingerie Pages then. Do they still deliver catalogues?
RIPA doesn't beat perfect forward secrecy
Most of the time SSL uses symmetric session keys for the heavy crypto lifting. The secret keys and passwords are used to help establish these session keys, but you can't derive any long term secrets from these ephemeral keys which are securely created and agreed by both ends at the start of the session and deleted at both ends at the end of the session.
So plod can come knocking on my door with a proper warrant and get my passwords and secret keys in preference to my going to jail, but that still doesn't give plod access to my encrypted SSL session he sniffed from yesterday which is on his hard disk.
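An added example, not part of the original comment: the forward-secrecy property described above holds when the session key comes from an ephemeral key agreement, and does not hold when the session key is wrapped under a long-term secret and sent over the wire. The sketch below contrasts the two over a recorded transcript. It is a simplified model with assumptions: a shared long-term secret stands in for the server's private key, the Diffie-Hellman group is a constructed toy (far too small for real use), and all function names are hypothetical.

```python
import hashlib, hmac, secrets

# Toy parameters, constructed for illustration only (not secure sizes).
P = 2**127 - 1   # Mersenne prime used as the DH modulus
G = 3

def kdf(*parts: bytes) -> bytes:
    return hashlib.sha256(b"|".join(parts)).digest()

def to_bytes(n: int) -> bytes:
    return n.to_bytes(16, "big")

def key_transport_session(long_term: bytes):
    """Session key is wrapped under the long-term secret and sent on the wire."""
    session_key = secrets.token_bytes(32)
    nonce = secrets.token_bytes(16)
    pad = kdf(long_term, nonce)
    wrapped = bytes(a ^ b for a, b in zip(session_key, pad))
    return session_key, {"nonce": nonce, "wrapped": wrapped}

def ephemeral_dh_session(long_term: bytes):
    """Fresh exponents per session; the long-term secret only authenticates."""
    a = secrets.randbelow(P - 2) + 1
    b = secrets.randbelow(P - 2) + 1
    A, B = pow(G, a, P), pow(G, b, P)
    tag = hmac.new(long_term, to_bytes(A) + to_bytes(B), hashlib.sha256).digest()
    session_key = kdf(to_bytes(pow(B, a, P)))
    assert session_key == kdf(to_bytes(pow(A, b, P)))  # both ends agree
    # a and b are discarded on return: only A, B and the tag were ever sent.
    return session_key, {"A": A, "B": B, "tag": tag}

def recover_later(transcript: dict, long_term: bytes):
    """What a recorder can compute once the long-term secret is disclosed."""
    if "wrapped" in transcript:
        pad = kdf(long_term, transcript["nonce"])
        return bytes(x ^ y for x, y in zip(transcript["wrapped"], pad))
    # Ephemeral DH: the secret verifies the handshake tag and nothing more.
    msg = to_bytes(transcript["A"]) + to_bytes(transcript["B"])
    expected = hmac.new(long_term, msg, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, transcript["tag"]):
        raise ValueError("transcript does not match this long-term secret")
    return None  # the session key depends on a or b, which no longer exist
```

Whether a given SSL/TLS session behaves like the second function depends on the cipher suite negotiated, so checking that a server prefers ephemeral (DHE/ECDHE) key exchange is the practical test of this property.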
oh feel a fail coming on...
"With today's blog post, the company also introduced what it calls "social authentication". If Facebook suspects your account has been compromised, it may show you pictures of your online friends and ask you to identify them."
I have about 500 'friends' and the only thing we know about each other is we play mafia wars.
I could only name less than 10 by sight.
Of course, say you're actually popular...
Social authentication goes wrong very quickly if you're even moderately popular because of your job (author, singer, what have you) and you have a few hundred "friends" or more. Good luck identifying people you've never met.
Incidentally, this feature has been in use at least since July, which is when I first saw it and went "how is this useful unless you know everyone in your friends list? which isn't how people use facebook?"
Knowing Your Friends
"how is this useful unless you know everyone in your friends list? which isn't how people use facebook?"
I've never understood people who are friends with folk they don't know. In my day, you had to know someone first before you considered them a friend. Now, get off my lawn!
PS I do have a facebook account (sadly) and every single one of my facebook friends I knew first in real life. But that's what happens when you grew up in the pre-facebook era.
Like putting a bloody great padlock on a field
The weak security IS Facebook as well as its policies.
Putting on front end security will do little good if Zuckerberg is selling the info.
I was travelling for four months across India, Sri Lanka and Nepal. Every time I logged in from a new region in India or a new country this photo validation fired up.
It's surprisingly well written and designed actually - they realise that not all photos are perfectly tagged so it's not one strike and you're out. It randomly picks a few photos (so unlikely to expose anything) PLUS you need to have got your password right first to see the pics!!!!
Credit where credit's due - I thought this was a very novel approach to ensuring account security and having had a few other accounts hacked from internet cafe key logging I'm all for it! HTTPS won't do anything for the key logging!
That is the one thing that I avoided like the plague on Face Book... because MOST of the people were "stamp collection" friends...
Remember their names?
I would not even remember "having added" them or having "been added" by them, the next day.
If you want REAL WORLD friends, then offer to do an hour's worth of work for everyone in your neighbourhood, every day, for a year.
Fuck Facebook and this imaginary online drivel......
over your head?
for those who predictably say... "FAIL can't see this option!" did you absorb paragraph 4?
"Facebook says that the new tool will be rolled out "slowly" over the next few weeks. Once it's available to you, you can turn on your HTTP connection by visiting the "Account Security" section of Facebook's Account Settings page."
You do you must want somit' to pout about ;)