Dear Facebook: your privacy sucks

Sick of having its users ask what’s wrong with Facebook privacy, security vendor Sophos has taken its concerns public in this open letter. It may well be restating things that intelligent and informed users could already have worked out for themselves, but Sophos’ complaint adds to public concerns raised by credible sources. …

COMMENTS

This topic is closed for new posts.
  1. Anonymous Coward
    WTF?

    MySpace

    I don't remember MySpace having all this privacy hoo-har...

    Furthermore, since when did it become a good idea to post private information into an internet-based service which is designed to share information between people and then moan that your shit's not private?

    Stop wasting bandwidth.

    WTF because of the sheer naivety of the half-concerned net-muggles jumping up and down on their pedestals about privacy because it appears to be a hot topic lately.

    1. Elmer Phud
      WTF?

      HTTPS

      Funny y'know, I just changed my bookmark to add the 'S' for Facebook and it goes to a secure login. I still get occasional mails from Fiends Reunited - not heard any moans about that site for a while, either it's upped the game or it's just not fashionable to slag them off anymore.

      "As to application developers, Sophos is harsher in its terminology. Because it has more than a million un-vetted application developers, the letter calls the Facebook apps market “riddled with rogue applications and viral scams”."

      Isn't that a broad description of the internet anyway? So, yup I'll give it a 'WTF?' too.

      1. Anonymous Coward
        Anonymous Coward

        Whooooooosh!

        "I just changed my bookmark to add the 'S' for Facebook and it goes to a secure login"

        1. Anonymous Coward
          Happy

          Whooooooosh! ??

          "I just changed my bookmark to add the 'S' for Facebook and it goes to a secure login"

          So, they fooled you good, didn't they? Good luck with that.

      2. Dave Murray
        FAIL

        See that point soaring over your head?

        "Funny y'know, I just changed my bookmark to add the 'S' for Facebook and it goes to a secure login."

        You had to tell it to use https, so you only get a secure login if you know how. And a secure login does not protect you once you've logged in and Facebook stops encrypting the traffic. If an idiot like you can't work that out, imagine what a mess the rest of the idiots, sorry, Facebook users, are in.

        1. Anonymous Coward
          Anonymous Coward

          You might have the S but I don't and I see your data too

          Just because you made changes to the way you access facebook and use https, if any of your friends don't and view the data you share with them then that is now travelling on http.

        2. Anonymous Coward
          Anonymous Coward

          Not only, but also...

          @Dave Murray - You're right Facebook reverts to http after login, but I find it more worrying that somebody who claims to be tech savvy should put so much trust in SSL anyway.

          1. san1t1

            browse on SSL especially when you are on open wifi. kthxbai.

            Facebook has an option to stay on SSL after login - breaks some things (notably the crappy applications you don't really need). You have to select this yourself - and you should.

            Sophos would like this to be the default. SSL always.

            This is especially important if you are connecting over unencrypted wi-fi (such as BT FON, or Openzone, or most other 'open' wifi connections).

            Once you've logged on anyone else with a connection to that hotspot can steal your cookies, and hijack your session, using something like firesheep.

            Blocking third party cookies helps too - with so many sites integrating facebook, your cookies leak all over the place.

            This applies to many other sites - potentially even more dangerous than the risk of getting 'fraped' - your gmail account may be hijacked simply from doing a google search, even when you don't think you are logged into gmail.

            I like the HTTPS Everywhere firefox plug-in.
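The hijack risk described in the two posts above (Dave Murray's "a secure login does not protect you once you've logged in and Facebook stop encrypting the traffic", and san1t1's cookies-stolen-on-open-wifi point) comes down to server-side settings the site operator controls: a session cookie carrying the Secure flag is never sent over plain HTTP, and a Strict-Transport-Security header stops the browser from following http:// links back to the site at all. The checker below is an added example, not code from this thread, from Sophos or from Facebook. It runs over constructed sample response headers (nothing is fetched from any real site) and flags a session cookie that lacks Secure or HttpOnly, or a response with no HSTS header. The cookie-name hints and the sample headers are assumptions made for the example.

```python
"""Audit raw HTTP response headers for settings that keep a logged-in
session off plain HTTP. Added example; all input below is constructed."""
from dataclasses import dataclass

# Constructed sample responses (not captured from Facebook or any real site).
# WEAK_RESPONSE: login happened over HTTPS, but the session cookie can be
# replayed over http:// because it has no Secure flag, and there is no HSTS.
WEAK_RESPONSE = """HTTP/1.1 200 OK
Content-Type: text/html
Set-Cookie: sid=abc123; Path=/
Set-Cookie: prefs=dark; Path=/
"""

# HARDENED_RESPONSE: the same session, with the flags a site should set.
HARDENED_RESPONSE = """HTTP/1.1 200 OK
Content-Type: text/html
Strict-Transport-Security: max-age=31536000; includeSubDomains
Set-Cookie: sid=abc123; Path=/; Secure; HttpOnly; SameSite=Lax
Set-Cookie: prefs=dark; Path=/; Secure
"""

# Assumed substrings that mark a cookie as session-bearing (heuristic).
SESSION_NAME_HINTS = ("sid", "sess", "session", "auth", "token", "login")


@dataclass
class Cookie:
    name: str
    value: str
    attrs: dict  # lower-cased attribute name -> value, or True for bare flags


def parse_headers(raw):
    """Return (status_line, [(lowercased-name, value), ...]) from a header block."""
    lines = [ln for ln in raw.splitlines() if ln.strip()]
    status = lines[0]
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return status, headers


def parse_set_cookie(value):
    """Split a Set-Cookie value into name, value and its attribute flags."""
    parts = [p.strip() for p in value.split(";")]
    name, _, val = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, has_eq, attr_val = part.partition("=")
        attrs[key.strip().lower()] = attr_val.strip() if has_eq else True
    return Cookie(name.strip(), val, attrs)


def looks_like_session(name):
    return any(hint in name.lower() for hint in SESSION_NAME_HINTS)


def audit(raw):
    """Return a list of findings; an empty list means the session stays on HTTPS."""
    _, headers = parse_headers(raw)
    findings = []
    if not any(n == "strict-transport-security" for n, _ in headers):
        findings.append("no Strict-Transport-Security header: the browser will "
                        "still follow plain http:// links to this site")
    for name, value in headers:
        if name != "set-cookie":
            continue
        cookie = parse_set_cookie(value)
        if not looks_like_session(cookie.name):
            continue  # preference cookies are not worth a finding here
        if "secure" not in cookie.attrs:
            findings.append(f"session cookie {cookie.name!r} lacks Secure: "
                            "it will be sent over plain HTTP")
        if "httponly" not in cookie.attrs:
            findings.append(f"session cookie {cookie.name!r} lacks HttpOnly: "
                            "readable by scripts running in the page")
    return findings


if __name__ == "__main__":
    for label, sample in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(f"{label}: {audit(sample) or ['no findings']}")
```

The weak sample yields three findings (missing HSTS, and `sid` without Secure and without HttpOnly); the hardened sample yields none. The `prefs` cookie is deliberately ignored by the name heuristic so that the output stays focused on what actually authenticates the user.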

    2. Anonymous Coward
      FAIL

      The Great Unwashed

      "Furthermore, since when did it become a good idea to post private information into an internet-based service which is designed to share information between people and then moan that your shit's not private?"

      Personal privacy is obvious, if you come from an educated position.

      The vast majority of the public is totally uneducated in privacy, and don't understand the implications until they smack them in the face. So while you might think it's fine to get on your high horse because you're sensible, we ALL have a responsibility to educate and protect our fellow citizens. Facebook (and all other sites) should operate from a stance of Informed Consent - everything is secure, and only the informed people will consent to opening the door.

    3. Anonymous Coward
      Anonymous Coward

      YourSpace

      MySpace is rapidly dying off, it seems, with everyone and their dog (literally in some cases) having a Facebook page. The problem is that you want *some* people to view information like your address and date of birth. I would be happy for my friends to view it but not everyone else, so I have to mess about to make sure this is the case.

      The other option is that we don't post anything online and sit behind our anonymous screens having to interact with friends in real life. This is obviously not what Facebook wants because it makes no money from that.

      1. Anonymous Coward
        Anonymous Coward

        Dogs

        "MySpace is rapidly dying off, it seems, with everyone and their dog (literally in some cases) having a Facebook page."

        Which is where all that misleading marketing shit comes from. There aren't really 30 million individual Facebook users (or whatever it is they are claiming) in the UK. There may be 30 million accounts, but how many of those are owned by people who have one for their dog or goldfish? How many people have more than one page? How many people have an account they never use? I got a facebook account because my sister once sent me a link to some photos she'd posted on facebook and it insisted I register. Never used the account since. I wonder how many other people have similar facebook accounts.

    4. Peter H. Coffin

      MySpace

      "I dont remember MySpace having all this privacy hoo-har..."

      MySpace A) didn't much provide access to your data to random other developers. B) It never gave any pretense that one was expected to provide any real information for the bios, which is completely the reverse of what Facebook's thing is. The entire point of Facebook is being real, though it occasionally goes about it in somewhat dubious manners. C) MySpace was also such an obviously oozing sore that no one really expected any security, reliability, or even bare functionality from the site. If anything worked, it was mostly by guess and happenstance, and anything someone else did could come along and break the page at any time anyway. Only idiots would possibly take it seriously.

  2. Anonymous Coward
    Happy

    Dear Sophos

    Welcome to 2011. You're 3 years late. Your dinner is in the dog.

    Let's hope your def files are more up to date...

  3. Anonymous Coward
    FAIL

    Point missed

    'Mind you, Sophos didn't think to put its own open letter on an HTTPS connection. The open letter says HTTPS should be enforced "all the time, by default"'

    Er... They mean it in the context of Facebook, not the entirety of the Internet. This is to do with account hijacking, not anonymous browsing of public domain content where HTTPS serves no purpose.

    1. Buzzword

      Agreed

      Quite right. Why on earth would you put HTTPS on something that is not private?

      1. Goat Jam
        Paris Hilton

        Why on earth would you put HTTPS on something that is not private?

        Indeed.

        I once found a public facing company web page for a "security firm" that used SSL.

        The only trouble was that their cert had expired.

        Oops

    2. dephormation.org.uk
      Alert

      Serves no purpose?

      It stops content-thieving surveillance crooks like BT/Phorm monitoring everything you read and write.

      Personally, I'm all for encrypting the web.

      You can't trust ISPs or Governments to respect the law.

    3. Anonymous Coward
      Alert

      surely you realize . . .

      IMHO Sophos spreads FUD in an attempt to appear useful... they FAIL

  4. a53

    And that's why,

    I wouldn't touch Facebook with yours.....

    1. Anonymous Coward
      Anonymous Coward

      Facebook

      The reason I wouldn't touch Facebook is because I simply don't see the point of it.

  5. Anonymous South African Coward Bronze badge
    FAIL

    lolwhut?

    nuff zed.

  6. Dave Murray
    Dead Vulture

    Engage brain before writing

    "Sophos didn't think to put its own open letter on an HTTPS connection. The open letter says HTTPS should be enforced "all the time, by default""

    Kind of spoils the point of having an OPEN letter if you hide it behind https don't you think?

    1. Aaron Em

      "Engage brain before writing" indeed

      You do know that the use of SSL doesn't imply any sort of login or authentication requirement, right? That, just because a URL starts with https://, it doesn't necessarily mean you'll need to log in when you get there. You know this perfectly well, I'm sure, and are just taking the piss, instead of making yourself look both unjustifiably smug and too foolish to recognize your own folly. Right?

  7. Lamont Cranston

    Hear, hear.

    Facebook provides a useful service to many people, so it would be nice if they could do so in a responsible fashion.

    That said, I'll not be holding my breath.

  8. Mike Bell

    @https numpties

    There is an option in Facebook under Account | Account Settings | Account Security to specify your preference that the site uses https when possible.

    1. Graham Cluley
      Thumb Down

      Facebook's https option

      As our letter makes clear, Facebook doesn't turn on https by default - and if you do turn it on they only use it "whenever possible".

      What they mean by "whenever possible" is whenever it's convenient for them.

      So not, for instance, when you visit the mobile version of their website. And not when you visit third party apps running on the Facebook platform.

      It should be on, by default, all the time you're connected to Facebook. Period.

      [ps. can we have a Zuck avatar?]

    2. Anonymous Coward
      Anonymous Coward

      Nice...if it worked reliably

      There are several situations where it reverts to http though. Their phone apps, mobile and touch interface all revert to http for example. The apps don't make this clear at all, and most mobile browsers don't make it obvious either.

      1. Anonymous Coward
        Anonymous Coward

        HTTPs

        "There is an option in Facebook under Account | Account Settings | Account Security to specify your preference that the site uses https when possible."

        I wouldn't know since I've never used Facebook. There is one thing about your statement that is totally damning of Facebook. "Uses https when possible"? What do they mean by that? If they developed their site properly there should be no situation where using https isn't possible.

  9. Anonymous Coward
    FAIL

    Ahh Sophos

    The Lame Duck of security. The incompetence is overwhelming.

    FUD spreaders unsurpassed for trying to gain credibility through so called reporting.

    FOAD Sophos.

  10. Oninoshiko
    Stop

    wtf?

    *Mind you, Sophos didn't think to put its own open letter on an HTTPS connection. The open letter says HTTPS should be enforced "all the time, by default".

    That would be because the point of an OPEN letter is for everyone to read it. In other news, my local plod hasn't locked a cover on the octagonal signs.

  11. Bro. Steve Winter

    Facebook seems to have no problem with death threats while they censor Bible verses

    Please pardon the stretch of topic here but I think this is worth your time to be aware of.

    4-15-2011 Facebook seems to have no problems with islamic death threats against me and my family while they continue to censor Bible verses and links to Winterband music videos from wall comments. I have created a new page to document the death threat thing. http://www.facebookcensorship.com/facebook_death_threats.html When I tried to mention which video had upset the young lady Facebook CENSORED it.

    Bro. Winter http://www.facebookcensorship.com

  12. Stephen Gray

    Facebook is useful

    I've hooked up with a couple of friends again after losing touch using Farcebook, its sheer popularity helps there. Mind you all the "private" information I supply to websites other than my bank is all false but conforms to the same standard. They can hack the shit out of my accounts on any website but if they then try and use that info at the bank, they fail.

  13. SecBoy
    Stop

    Seriously?

    It's seriously worrying the number of people posting comments on here that don't understand the fundamentals of the article, and it's because of ill-informed people like you that all sites that transmit logins or other personal info should be HTTPS by default!

    1) Sophos doesn't need to encrypt the link to the PDF as it's OPEN and doesn't require any sensitive/personal information to be transmitted

    2) Although the idea of a fully encrypted Internet to avoid eavesdropping by government etc is great it's highly unlikely

    3) Facebook isn't HTTPS by default, which is the problem Sophos comments on. Although there is the option to set HTTPS in your profile, it a) isn't a default (as it breaks crappy apps which should be forced to support SSL anyway, which is part of Sophos' request that only decent people publish apps) and b) it's only when Facebook choose to implement it

    4) Until the industry develops something better, SSL is the main, easily accessible way to secure content for non-IT-literate users. Yes, there are ways and means to add more security, but normal users can't even think of secure passwords, so what are the chances of getting them to change their habits easily

    5) I love The Register but this is an example of when trying to be funny takes away from good journalism. Did anyone see the HTTPS when logging into the forum? No? FAIL for The Register as well then, eh?

    /SecBoy

  14. Stuart Halliday
    Thumb Up

    There are idiots and IDIOTS

    Since when did anyone with a brain put their real date of birth online?

    My real friends all know my true birthday.

    I suggest everyone change their facebook birthday field.
