Facebook steps up security, but it’s opt-in?

Facebook's Alex Rice, a security engineer, posted a message to the company's blog today announcing several initiatives it is implementing to enhance user security.

This is a very welcome announcement, and it consists of two initiatives. The first, which Facebook says it is starting to roll out today, is the option to use HTTPS for your whole Facebook session, to protect your account and your privacy.

In standard Facebook fashion this option is, of course, opt-out. Ahem, opt-in? Yes. Facebook has decided that when it comes to protecting your privacy you must opt out of sharing, but when it comes to enhancing your privacy you must opt in.

Aside from this minor quibble, it is great news for those who are concerned about tools like Firesheep hijacking their online identities over unencrypted WiFi. Firesheep is a Firefox extension, released in October 2010, that captures the session cookies other users on the same unencrypted WiFi network send in cleartext HTTP requests and lets the attacker reuse them to impersonate those users.

Facebook is just one of the services that can be compromised with the tool. With HTTPS enabled in your profile, your session cookies travel inside an encrypted connection, which defeats this kind of passive sniffing, provided every request that carries the cookie actually goes over HTTPS.
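As an added illustration (my own example, not code from the post, from Facebook or from Firesheep), the following shows the two halves of the problem: what a sidejacking tool can pull out of sniffed traffic when the request is cleartext HTTP versus a TLS record, and the Set-Cookie check that tells you whether an "HTTPS enabled" setting actually protects the cookie. The captured traffic, host name and cookie names below are constructed placeholders; the list of names treated as session cookies is an assumption for the example.

```python
"""
Added example, not from the post or from Firesheep: how a sidejacking tool
recovers a session from cleartext HTTP, and a Set-Cookie check that tells
you whether an "HTTPS enabled" setting actually protects the cookie.
All traffic below is constructed; host and cookie names are placeholders.
"""
import re
from dataclasses import dataclass

# Assumption for the example: cookie names a sniffer would treat as a login session.
SESSION_COOKIE_NAMES = {"sid", "sessionid", "session"}

REQUEST_LINE = re.compile(r"^(GET|POST|HEAD|PUT|DELETE) \S+ HTTP/1\.[01]$")


@dataclass
class HijackedSession:
    host: str
    cookies: dict


def parse_http_request(payload: bytes):
    """Return the header dict of a cleartext HTTP request, or None for anything else."""
    head = payload.decode("ascii", errors="replace").split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    if not REQUEST_LINE.match(lines[0]):
        return None  # a TLS record starts 0x16 0x03 ..., never "GET /"
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def harvest_sessions(payloads):
    """What Firesheep-style tools do: pull session cookies out of sniffed TCP payloads."""
    found = []
    for payload in payloads:
        headers = parse_http_request(payload)
        if not headers or "cookie" not in headers:
            continue
        cookies = dict(part.strip().split("=", 1)
                       for part in headers["cookie"].split(";") if "=" in part)
        if SESSION_COOKIE_NAMES & set(cookies):
            found.append(HijackedSession(headers.get("host", "?"), cookies))
    return found


def audit_set_cookie(set_cookie: str):
    """Findings for one Set-Cookie header. Without the Secure attribute the browser
    also sends the cookie on any http:// request to the site, so encrypting page
    loads alone does not keep it off an open WiFi network."""
    parts = [p.strip() for p in set_cookie.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
    findings = []
    if "secure" not in attrs:
        findings.append(f"{name}: missing Secure; still sent in the clear over http://")
    if "httponly" not in attrs:
        findings.append(f"{name}: missing HttpOnly; readable by injected script")
    return findings


# Constructed "captures": one cleartext request and one TLS record fragment.
PLAINTEXT_REQUEST = (b"GET /home.php HTTP/1.1\r\n"
                     b"Host: www.example.com\r\n"
                     b"Cookie: sid=3f9c1a; locale=en_US\r\n\r\n")
TLS_RECORD = b"\x16\x03\x01\x00\x9f\x01\x00\x00\x9b\x03\x03" + b"\x00" * 16

if __name__ == "__main__":
    for s in harvest_sessions([PLAINTEXT_REQUEST, TLS_RECORD]):
        print("sniffed session for", s.host, s.cookies)
    for finding in audit_set_cookie("sid=3f9c1a; Path=/; HttpOnly"):
        print(finding)
```

The TLS fragment yields nothing because the sniffer never sees a parseable request, which is all the HTTPS option buys you; the audit function is the check to run against your own site's login response, since a session cookie set without Secure will still leak the moment any http:// link or embedded image is requested.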

In Alex's post he only suggests enabling this feature if you frequently access Facebook from insecure locations. While that is where the risk is highest, I wouldn't want to count on remembering to fiddle with my settings when I am out and about on my iPad/netbook/laptop/smartphone.

The safe thing to do is to turn this on. Hopefully, once Facebook has enabled the feature for all of its users, it will consider making it the default, as Google did for Gmail.

The second announcement describes a new form of reverse Turing test, the kind of challenge more commonly known as a CAPTCHA, which Facebook is calling "Social Authentication".

If Facebook believes your account may have been compromised, or it is exhibiting suspicious activity, you may be prompted for additional proof after entering the correct username and password. The new system, when deployed, will show you photos of your friends and ask you to identify who is in them.
This is a clever approach to a difficult problem: the challenge relies on knowledge that an attacker holding only your password does not have, and it should be a significant speed bump for the phishers and scammers who have been targeting Facebook users. Until Facebook begins using the technique it is difficult to say how well it will work, but it is easier and more intuitive than a traditional CAPTCHA.

It would appear Social Authentication is there only to thwart bots and strangers though, not your angry girlfriend (or birds for that matter): anyone who knows your friends by sight, or who can see their names and tagged photos on your public profile, can pass the test. That is another good reason not to expose your photos, friends and relationship status on your Facebook public profile.
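To make the mechanics of the two paragraphs above concrete, here is a toy version of an "identify your friends" step-up challenge. It is an added example of my own, not Facebook's code, and the post does not describe how Facebook builds its challenges; the friend list and photos are constructed, and the rule of skipping photos that are publicly visible is an assumed mitigation for the weakness just mentioned, not something the post attributes to Facebook.

```python
"""
Added example, not Facebook's code: a toy "identify your friends" step-up
challenge of the kind the post describes. Friend and photo data are
constructed; excluding public photos is an assumed mitigation.
"""
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Photo:
    photo_id: str
    tagged_friend: str    # the one person the user will be asked to name
    public: bool = False  # visible to anyone, so useless as a secret


@dataclass
class Challenge:
    # one round = (photo_id, list of candidate names, correct name)
    rounds: list


# Constructed sample data.
FRIENDS = ["Alice", "Bob", "Carol", "Dave", "Erin", "Frank"]
PHOTOS = [
    Photo("p1", "Alice"),
    Photo("p2", "Bob"),
    Photo("p3", "Carol"),
    Photo("p4", "Dave", public=True),  # excluded: an attacker can look this one up
    Photo("p5", "Alice"),
    Photo("p6", "Erin"),
]


def build_challenge(friends, photos, rounds=3, choices_per_round=4, rng=None):
    """Pick photos of `rounds` distinct friends; offer a multiple-choice list for each."""
    rng = rng or random.SystemRandom()  # unpredictable choice of photos and ordering
    by_friend = {}
    for p in photos:
        if p.tagged_friend in friends and not p.public:
            by_friend.setdefault(p.tagged_friend, []).append(p)
    if len(by_friend) < rounds or len(friends) < choices_per_round:
        raise ValueError("not enough private tagged photos to build a challenge")
    out = []
    for friend in rng.sample(sorted(by_friend), rounds):
        photo = rng.choice(by_friend[friend])
        # Distractors come from the same friend list, so wrong names look plausible.
        distractors = rng.sample(sorted(set(friends) - {friend}), choices_per_round - 1)
        choices = distractors + [friend]
        rng.shuffle(choices)
        out.append((photo.photo_id, choices, friend))
    return Challenge(out)


def client_view(challenge):
    """What is sent to the browser: photos and candidate names, never the answers."""
    return [(photo_id, list(choices)) for photo_id, choices, _ in challenge.rounds]


def verify(challenge, answers, max_wrong=0):
    """answers maps photo_id -> chosen name. Missing answers count as wrong (fail closed)."""
    wrong = sum(1 for photo_id, _, correct in challenge.rounds
                if answers.get(photo_id) != correct)
    return wrong <= max_wrong


if __name__ == "__main__":
    ch = build_challenge(FRIENDS, PHOTOS)
    for photo_id, choices in client_view(ch):
        print(photo_id, "who is this?", choices)
```

The two design points worth noticing are that the answer key never leaves the server (only `client_view` is shown to the user) and that verification fails closed, so an unanswered or half-answered challenge does not let anyone in; the `public` flag is where the "don't expose your photos and friends" advice turns into code, since a photo anyone can look up is no secret at all.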

If you’re a Facebook user who wants to stay on top of the latest security threats, why not join our Facebook page?