On Wednesday, Facebook announced two new security features including the option to encrypt your Facebook session (HTTPS) at all times and an easier account authentication process (Social Authentication).
HTTPS: SSL/TLS Encryption
Previously, Facebook used HTTPS only on pages that required users to enter a password. Now, extending HTTPS to all pages means better security because tools such as Firesheep — an automated browser extension able to hijack sessions with Web 2.0 sites — as well as packet sniffers will no longer work against the site.
“You should consider enabling this option if you frequently use Facebook from public Internet access points found at coffee shops, airports, libraries or schools,” wrote Facebook security engineer Alex Rice.
Keep in mind, however, that this extra security could result in longer load times. Some third-party apps are also not supported in HTTPS. “We’ll be working hard to resolve these remaining issues,” Rice said.
The option will be rolling out slowly in the next few weeks. When it’s live, you can go to “Account Security” in Account Settings and click the “Secure Browsing” option. “We hope to offer HTTPS as a default whenever you are using Facebook sometime in the future,” Rice wrote.
If Facebook implements the protocol correctly, any slowdowns should be minor. For example, Google made HTTPS non-optional for all Gmail users in January 2010 as a way to boost security after finding that the protocol required no additional hardware and consumed very few resources. Facebook faced criticism for not following Google’s lead more quickly, especially after the arrival of Firesheep. Its author, Eric Butler, said he built the tool to highlight the inherent vulnerability of using Facebook on an unencrypted Wi-Fi network.
Facebook is also trying out something known as “social authentication” rather than captchas. Traditionally, Web sites have used captchas to verify that an actual human is trying to access a site. They consist of squiggly or stretched-out words that a user is required to type in. A computer can’t read these captchas, but unfortunately, humans sometimes have a problem deciphering them as well.
To make this process easier, Facebook said it will use a more social authentication process. Instead of a captcha, for example, users will see photos of their friends (below) and be asked to identify them.
“Hackers halfway across the world might know your password, but they don’t know who your friends are,” Rice said.
Most people won’t face the authentication process; it is usually shown only if Facebook detects odd behavior on your account – “like if you logged in from California in the morning and then from Australia a few hours later,” Rice said.
“We will continue to test social authentication and gather feedback from you and the security community on how to make this and other social features safe and useful,” he concluded.
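The California-then-Australia trigger described above is the kind of check often called "impossible travel". The sketch below is an added example, not Facebook's code: it flags a login for an extra challenge when the speed implied by two consecutive logins exceeds a threshold. The `Login` record, the 1000 km/h threshold, the coordinates (assumed to come from IP geolocation) and the sample events are all constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

MAX_PLAUSIBLE_KMH = 1000.0  # assumed threshold, a little above airliner cruise speed

@dataclass
class Login:  # hypothetical record; lat/lon assumed to come from IP geolocation
    account: str
    when: datetime  # naive timestamps, all assumed to be UTC
    lat: float
    lon: float

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points on Earth, in kilometres."""
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    a = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))

def needs_challenge(prev, cur, max_kmh=MAX_PLAUSIBLE_KMH):
    """True when getting from prev to cur would need an implausible speed."""
    km = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
    hours = (cur.when - prev.when).total_seconds() / 3600
    if hours <= 0:        # simultaneous logins: only geolocation jitter is tolerated
        return km > 50
    return km / hours > max_kmh

def flag_logins(events):
    """Return the logins that should trigger an extra authentication step."""
    last, flagged = {}, []
    for ev in sorted(events, key=lambda e: e.when):
        prev = last.get(ev.account)
        if prev is not None and needs_challenge(prev, ev):
            flagged.append(ev)
        last[ev.account] = ev  # the next login is compared against this one
    return flagged

# Constructed sample events (not real data).
SF, LA, SYD = (37.77, -122.42), (34.05, -118.24), (-33.87, 151.21)
SAMPLE = [
    Login("alice", datetime(2011, 1, 26, 8, 0), *SF),
    Login("alice", datetime(2011, 1, 26, 11, 0), *SYD),  # 3 hours later: flagged
    Login("bob", datetime(2011, 1, 26, 8, 0), *SF),
    Login("bob", datetime(2011, 1, 26, 11, 0), *LA),     # short hop: not flagged
    Login("carol", datetime(2011, 1, 26, 8, 0), *SF),
    Login("carol", datetime(2011, 1, 26, 23, 0), *SYD),  # 15 hours: a real flight fits
]

if __name__ == "__main__":
    for ev in flag_logins(SAMPLE):
        print(f"challenge {ev.account} at {ev.when:%Y-%m-%d %H:%M}")
```

IP geolocation is coarse and VPNs or mobile carriers can move a user's apparent location, which is one reason a check like this leads to an extra verification step rather than an outright block.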
Happy Data Privacy Day Facebook!