Feeds

back to article Facebook: 'Don't worry, your posts are SECURE with us'

Facebook has announced that it has finished migrating its users to secure browsing, with all 1.15 billion active user accounts now accessing the site over encrypted HTTPS by default. The social network first offered secure browsing as an option in January 2011, and then slowly began making it the default in various regions. It …

COMMENTS

This topic is closed for new posts.
Anonymous Coward

"Turning on https by default is a dream come true ..."

Jesus. Now I know what happened to my damn jetpack and flying car.

6
0
Silver badge

Pride comes before a........ Ooops

Oh dear, remember the saying 'Pride Comes Before A Fall'?

Talk about setting yourself up.

0
0
Bronze badge
Headmaster

Re: Pride comes before a........ Ooops

Pride goe[s|th] before destruction, and a[n] haughty spirit before a fall.

0
0
Stop

Ha

secure browsing is a good thing, but since the NSA can scoop up everything on FB and everywhere else no matter what, how does this really help, except the kiddy hacker?

4
0
Bronze badge

Re: Ha Cyborg FB

I believe the kiddy hackers have already played their hands.

" 1.15 billion active user accounts..."

Apparently half of FB is now a botnet. Half bot, half human...true cyborg..

1
0
Bronze badge

Re: Ha

As the US government has contracts with multiple providers for their data, the easiest being providing keys, erm, big fat fucking deal, facebook! Just another PR ploy.

Shit, Skype sold off keys to multiple nations, as was reported three or so years ago.

Google has a contract with the US DoD.

Oh! Facebook doesn't. Can't be served a warrant either, since they're on Mars or something.

1
0
Bronze badge

Re: Ha Cyborg FB

Considering the number of phish messages/posts and various other attacks, I have to agree.

I've had to clean my wife's account three times, her computer twice.

Formatted and reloaded after a fixed period of no traffic that was untoward, which would be pretty much anything beyond java, adobe and my update server.

1
0
Anonymous Coward

Don't worry!

Your Faceplant....I mean, Facebook information is secure! We use encryption, so your information is safe.

It will only get to those people WE WANT IT TO. Like every advertiser on the planet. And your mother-in-law. And that stalker ex-friend from high school who you haven't seen in 10 years but insisted on 'friending' you.

Etc., etc. etc.

4
0
Silver badge
Facepalm

Re: Don't worry!

Call me mr. Silly, but if you'are halfway conservative about accepting FB "friends" and make use of the group feature you can easily avoid having things visible to peeps you don't want to see stuff.

But hey , imagine actually bothering to learn to use a UI properly.

2
2
Bronze badge

Re: Don't worry!

*My* data sources and encryption is secure. That said, I don't trust you enough to provide you security.

Of course, I don't trust myself and require second and tertiary physical oversight.

Security rule one, trust no one. Not even oneself, as all are known for moments of immense stupidity.

1
0

Re: Don't worry!

You obviously haven't been paying attention. What they mean when they say "if you select this option then what you say will stay private" is "... for the next 3-4 months before the next UI overhaul when we're going to reset everyone's privacy settings for the nth time to 'all public'". Based on repeated past experience, if you put it on facebook, it's best to assume anyone in the world will be able to see it at some point in the future

1
0
Bronze badge

Shame about the fact it's using RC4 (almost every browser handshakes SSL_RSA_WITH_RC4_128_SHA) and they haven't enabled forward secrecy (which I'm guessing they left on purpose specifically so the NSA *could* decrypt it).

http://blog.cryptographyengineering.com/2013/03/attack-of-week-rc4-is-kind-of-broken-in.html

Oh well. Another time maybe?

3
0

Actually, the two preferred ciphers that the facebook servers send are TLS_RSA_WITH_AES_128_GCM_SHA256 and TLS_RSA_WITH_AES_256_GCM_SHA384.

Yes, you're right about Forward Secrecy, but you're wrong about the cipher. And Forward Secrecy appears to require that you use a very few select ciphers using DHE or ECDHE, which are both slower than the ones they've left enabled. When you're dealing with the volume of traffic Farcebook does, they probably can't afford the hit.

Yes, they still have RC4 enabled (it's the 3rd most preferred cipher), but they need to because very few browsers support the TLS v1.2 ciphers that allow you to avoid RC4 and CBC (the only two usable ciphers in TLSv1.0 and SSLv3). You could avoid the RC4 problem by using CBC, except it's *more* broken than RC4.

So until browser manufacturers catch up and enable TLSv1.2 by default, web sites *have* to leave TLS v1.0 / SSL v3 ciphers enabled, and that means RC4.

(yes, I recently went through a bunch of ssl code at work to try and make sense of the patchwork mess that different browser implementations have forced on ssl servers)

2
0

PRISM

I think you'd have to be extremely naive to think that Facebook interaction is not able to monitored by the NSA et al. Leaving aside that there may be NSA backdoors put their by FB for the NSA at their insistence and FB wouldn't be able to legally refuse to comply or tell us about (or at least that what they'd be told - as for the actual legality...). Furthermore it's also eminently possible the security services have the root keys for all the trusted browser certificates and can use PRISM to slurp up and de-crypt the data.

It's clear from the Snowden leaks that the Five Eyes want to be able to intercept arbitrary traffic on the Internet and they have made considerable progress in doing so. Do you imagine they would limit themselves against intercepting HTTPS traffic?

2
0
Bronze badge

Re: PRISM

Chris, you obviously don't understand the protocol involved.

Have the key, the castle is yours.

Never saw an agreement with FB when I was military, but say agreements with Google and other vendors that were reported recently (again).

Erm, this one is a no brainer!

1
0
Bronze badge

HTTPS isn't all that

Lots of people happily posting while at work thinking it is secure thanks to HTTPS. Despite the fact almost every modern workplace firewall has a man-in-the-middle cert deployed to inspect traffic.

1
1
Bronze badge

Re: HTTPS isn't all that

Funny, my wife was complaining about our communications while I was deployed with great outrage and annoyance and she-hulk mode objection.

I kindly reminded her of some software I had installed our both of our systems. Software that encrypted HARD all comms between us. Gave us lag, but also gave no middleman anything but shit and constipation.

She then recalled a report from the NSA that was unclassified and hence, was shared with her on my DoD network security posture.

We'll suffice it to say that both the evaluators enjoyed the experience, as did I. We both learned new tricks, but none revealed shirt sleeve tricks held under the cuff when needed.

Though, I did observe some really weird network traffic when the tried those cards on the DoD network...

0
0
Black Helicopters

So, time to copy NZ?

Yet another reason why various countries are liable to copy the NZ legislation currently being rammed through Parliament with desperate techniques, to expose any application service provider perfectly legally to PRISM or Xkeyscore at the whim of the government.

Post anonymously? What's the point? They know anyway.

1
0
Silver badge

So what difference does https make?

Facebook are still going to hand over your details to governments and LEAs alike. If some feminazi on Facebook decides to step up the War on Men another notch, and I organise some opposition or argue back at her, I'd still be arrested for political incorrectness hate speech regardless. So Facebook doing this proves what exactly?

2
0
Gold badge
Unhappy

So what. US company with most servers in US. *All* data accessible to US government.

It'll give trouble to anyone between you and their servers so any gang (of Russian/Chinese/Israeli/Pakistani/India/computer crime capital du jour) identity thieves will have to work a bit harder for their money.

No doubt I'll get the irritating whine of "You don't have to use the internet you know" from various assorted idiots.

0
0
Silver badge

This is for Facebook's benefit, not yours.

They make their money from data about you. They don't want network carriers to be able to slurp it in transit.

https does nothing for your privacy on Facebook as the data is theirs no matter how it gets there and they will share that with advertisers to make money and with governments if requested.

2
0
Bronze badge
Trollface

"how to upgrade users to secure connections 'in flight' if they happened to navigate to a Facebook page from an insecure link."

RedirectMatch (.*)$ https://facebook.com$1

Boy, that sure was hard...

0
0

Suck it, Zuck

Given that the NSA has all the root keys anyway this switch to https by default is pointless. Or not really because going https makes it easier for Friendface to drill through firewalls and dodge corporate IT rules.

0
0
Big Brother

Secure browsing and Facebook ..

"Facebook has announced that it has finished migrating its users to secure browsing, with all 1.15 billion active user accounts now accessing the site over encrypted HTTPS by default"

Except where your local company/college has installed fake root CA certs in order to be security compliant.

'Deep Packet Inspection for SSL Encrypted Traffic (DPI-SSL): DPI-SSL transparently decrypts, inspects and re-encrypts SSL encrypted traffic to allow security services to be applied to all traffic that traverses Dell SonicWALL Next-Generation Firewalls'. link

0
0
Bronze badge

Facebook: 'Don't worry, your posts are SECURE with us'

Sorry I must have read my request wrong, I was sure I said SECURE from you. I am almost positive that is what I wrote, and very sure that is what I proof-read (sorry, I try to code fast and break things, but I keep breaking things I ought not to break ... what? that's ok? but I thought ... no,no,no I'm not contradicting you, I'm sure you're right, but ... but no I'm doing it again. sorry, I'll stop. Thank you for your understanding. Mother doesn't 'LIKE' me anymore! Oh please, I said I was sorry, it will never happen again ...)

0
0
This topic is closed for new posts.