back to article Facebook offers 500 million users SSL crypto

Facebook is giving all users the option of accessing its social networking service via SSL encryption. The move comes a day after pranksters hacked into the Facebook page of CEO Mark Zuckerberg and less than a month after the company reportedly turned on SSL encryption for anyone viewing the site inside Tunisia, where …


This topic is closed for new posts.
  1. allan wallace

    Facebook SSL, great idea, but not an option available to me yet.

    Facebook SSL, great idea, but not an option available to me yet.

    Guess that's a fail then...

  2. This post has been deleted by its author

    1. Anonymous Coward

      Scratch one for American stereotypes...

      Please read the entire article, not just the headline.

    2. This post has been deleted by its author

  3. Anonymous Coward
    Anonymous Coward

    More details from anyone please.

    Can someone explain how it saves money by making users turn the feature on themselves instead of FaceBook doing so automatically? Just curious....

    1. Vic

      SSL and cash

      > Can someone explain how it saves money

      SSL uses more data to transfer the same amount of content - you've got overheads in the encryption setup, etc.

      By not using SSL, FB will have less bandwidth to pay for. With an organisation of that size, that might make a noticeable difference.

      But saving money by doing stupid things with security shouldn't be an option. This sort of penny-pinching is exactly what FireSheep was supposed to highlight. It appears to have failed :=(


      1. Anonymous Coward
        Anonymous Coward

        Nice try, Vic,'re dead wrong on the facts

        An SSL login takes a tiny bit of overhead (which is already present, and on only ONE page) but all subsequent pages are handled through that SESSION cookie - the same EXACT cookie is used for EVERY page AND SSL ALSO compresses pages before they are encrypted and your browser decrypts them. You should read Google's own report from November 2010 where a team of 7 employees took 4 (FOUR) hours of Google's time to turn on encryption for ALL of the rest of their services (they had already fully turned on encryption in gmail back in July of 2010). The team estimated the move cost Google just over 70,000 dollars - that is equivalent to 70 cents for you and me. Google has FAR MORE than 500 million users.

        Encryption overhead for both servers AND LOCAL ROUTERS IN SCHOOLS AND COFFEE SHOPS have not shown appreciable nor even measurable decreases in headroom when using FULL, BEST encryption for over 8 years.

        The REAL problem is that Google has NOT deployed SSL for ALL of its customers yet. Anecdotally, I have 4 FB accounts and only ONE of them has the new settings made available!

        1. Vic

          Brimming over in wrongabililty...

          > An SSL login takes a tiny bit of overhead

          So there is an overhead.

          Which is what I said.

          You're arguing the same point as me, then claiming I'm wrong? It's little wonder you post anonymously.


    2. handle

      The cost is in the computing power required

      Extra computing power is needed to encrypt and decrypt secure communications, so the more people who enable the feature, the more it will cost. The amount it cost Facebook to implement it in the first place is approximately zero - the software is there anyway.

    3. BernardBrezlow

      SSL overhead

      The crypto needed for SSL takes some processing power, multiply that by millions of users, and you need to buy more hardware.


      1. Ubuntu Is a Better Slide Rule

        "SSL Overhead"

        This so-called overhead is more a systems management overhead than a real hardware investment. Facebook, which is the largest internet service now by many measures, would need to spend less than 5 million $ on this technology:

        Compared to hundreds of million revenue that's simply negligible. But their friends in government can't perform easy datamining and snooping, that's much more of an issue.

  4. Anonymous Coward

    Taylor 1

    There's more server & bandwidth overhead with SSL, so it costs the people running the server more money per user in those terms. Having said that, the added expense if probably overstated, as Google claims that switching all gmail access to SSL only added 2% to their overhead. Granted, email is mostly text while Faceook is mostly intellectually masterbatory pictures, which requires more bandwidth than most mail viewing does.

  5. Oli 1
    Paris Hilton

    not yet...

    Taylor 1 - It uses more computing power to host an SSL session, so times it by 500million users and the cost rises considerably.

    Also echoing above, not got the option for SSL yet, but as soon as it turns up, it'll be turned on!

    Similar to paris in that respect.

  6. E 2

    Nope, fail.

    At least in Canada. There are no HTTPS options anywhere that I can find.

  7. XMAN

    Jumped the gun?

    No ssl option here for Uk account

    1. Yossarian

      No option

      Instead of looking for a button, just stick an extra s in the address:

      Just tried it and it's rather slow and no chat. Seems to be a bit beta.

      We should have a "Going but bit of a lame dog" icon...

      1. Anonymous Coward


        Thanks! I couldn't find an option in account settings either. No chat you say? Just keeps getting better and better!

  8. Alastair 7

    Kind of a fail on the part of the article

    Facebook specifically said that they're "rolling it out"- i.e. it's not an instant thing. So I guess everyone just has to wait a bit.

  9. Mark McGuire

    Fail in the US too

    Nothing for me in the US either. Are they only allowing certain accounts or have they not yet updated?

  10. dpf44

    HTTPS Everywhere

    If I'm not mistaken, the https everywhere addon for firefox forces this already? Sure it breaks a few of the more annoying features (like chat), but still.

    As for identifying your friends photos for security, I wonder just how they'll implement that one. They surely (being the every privacy conscious bunch that they are) won't display my friends private pictures to any random person purporting to be me?

    And that's assuming I can identify them from the random shit they get tagged in when its not them, their baby photos, or the 846,684 people I am "friends" with in addition to anyone I know! Stupid Mafia wars!

    1. Anonymous Coward
      Anonymous Coward

      Forever changing

      My friends are forever changing their pics, and becase I use it to keep in contact with either family, a couple or real friends and lots of horror fans (basically use it as a horror network) it could be next to impossible for me to identify some of the friends. Hardly anyone uses their own picture for their profile anyway! Any that do are just vain!

    2. The Indomitable Gall

      "Social authentication" - old news

      The photo-based authentication has been in place for several months at least -- I was on holiday in November and when I logged on from Cybercaffs it said I'd connected from a new location and had to verify myself.

      You're presented with several pics of the same person (I can't recall the exact number), drawn seemingly at random from tagged photos and a selection of several friends' names to chose from. This happens 4 or 5 times, and you're given the option to skip (I think you get 3 chances to skip) just in case the photos are bad or it's someone you don't really "know" know.

      It's a sensible system, but there's two little flaws.

      1) It seems to select very strongly connected people (one of my brothers or sisters was always included) so if the attacker knows you at all, he's likely to know these people. Of course, this is because they're trying to make it easy for *you* to recognise them, but hey-ho...

      2) Judging by the wording of the message, it's about registering the location the first time you connect from there, so if you're in an unscrupulous cybercaff, the same people who sniff your login details will have access to the terminal/subnet/geographic location (whatever it is that Facebook considers a location) you used to connect, which will now (presumably) be whitelisted by Facebook.

      It's a step in the right direction, but they've got a very, very long way to go yet....

  11. Fuzzysteve

    The title is required, and must contain letters and/or digits.

    Should work with facebook, though some apps don't work.

    1. dssf

      I put in a web address

      into the "enhanced security" annoyance box and it didn't care. If I knew how to write SQL injection or something that should get filtered or neutered or rejected, I would. I on one occasion inserted some 150 characters random, letters, numbers and symbols, and it took that happily.


  12. Anonymous Coward
    Anonymous Coward

    SSL a necessary step to...

    This is pre-empting their recent (but largely expected decision) to make all forms of facebook game virtual currency purchasable only via facebook credits.

    When you start forcefully leveraging your micropayment mechanisms into third-party facebook applications, you'd better be sure it's secure.

  13. Nappy

    How will that help

    "If Facebook suspects your account has been compromised, it may show you pictures of your online friends and ask you to identify them."

    If someone has compromised my account they have access to all my friends so unless they put a fast timer on it they can check to see who that drunk is in the picture ;)

  14. Matthew 4

    has been around for ages actually.

    however it stops you using FB chat so i turned it off

  15. XMAN

    verifying friends captcha

    @dpf44, I've had my FB account compromised twice after accessing it over my cell phone via EDGE.

    Each time, Facebook has told me where the user logged in from (a business center not far from where I live) and forced me to verify pictures of my friends.

    They'll show you (for example) 4 pictures on the page from one of your friends accounts. They then list 5 names of your friends and you have to select which name the photos belong too. Sometimes it can be difficult but your friends might have tagged themselves in a lot of random pictures which aren't actually of them.

    You have to go through 4 or 5 pages like this.

    Although my numbers may be a little bit off (how many photos are shown and how many friends names are shown, this is the general idea).

    1. dssf

      What a poor security proof tool

      All any miscreant has to do is go through a victims friends list, print the list of friends, and then keep them on hand for the subsequent match-up. FB needs some better tool. Having us re-insert our e-mail address and phone number seems bizarre, since if the stream is intercepted, a hacker/cracker/other can see that, too.

      Even if a phone display can read thumb prints, that'll get hacked/cracked, too.

  16. mr0c

    From the FB blog

    "We are rolling this out slowly over the next few weeks, but you will be able to turn this feature on in your Account Settings soon. We hope to offer HTTPS as a default whenever you are using Facebook sometime in the future."

    Sigh ... With service like this, they seem more like Microsoft everyday ... Maybe their next big thing will be a helpful paperclip type assistant ;-)

  17. Sooty

    social authentication

    I've used this today and it's a nightmare. I really struggled to tell which mr men character one of my friends had been tagged as, or recognise a 30 year old friend from the picture of them when they were 3!

    clearly this was designed by someone living in some sort of fantasy world of facebook!

    1. dssf

      Mr or...

      "I really struggled to tell which mr men character one of my friends had been tagged as,"

      Then, in that case, that makes them MYSTERY MEN...

    2. This post has been deleted by its author

    3. BongoJoe

      clearly this was designed by someone

      I've just been tagged as a branch on a Christmas Tree and before that as a rock on a stony beach. I have no idea why other than, I expect, friends can make me see a picture immediately.

      When it comes to identifying me from these pictures I expect that it's going to be rather hard.

  18. dssf

    In the SF Bay area... And I still don't see any SSL Option...

    In the SF Bay area... And I still don't see any SSL Option...

    Curious, since the fb HQ is less than 35 miles from me... Maybe they see my use of Firefox? Nope. Same issue in Iexplorer... Android Phone/Internet Browser? No options present.... Android Phone/Dolphin Browser HD? Nope. Not present.

    1. dssf

      3-thumbs down, huh?

      35 miles from fb's HQ is NOT that far away. One would think on the domestic front that they'd pilot that feature almost immediately in the local area where it's likely to get some real-world hammering.

  19. Anonymous Coward
    Anonymous Coward

    ssl facebook has been around for months

    If you install HTTPS-Anywhere for firefox it automatically tries https:.// for every site you visit, facebook has been encrypted for me for months...

  20. Mark 65

    Like it

    I like the way they promote it as doing more to keep your data secure. Perhaps they might then want to consider not rearranging and resetting privacy/security options and pimping the data out to 3rd parties? Oh sorry, I forgot, that's its reason for existence isn't it?

  21. Ben 42

    The real question

    If your data is sensitive enough to need SSL encryption, is letting the shady guy in the corner of the coffee shop intercept it any worse than giving it to Facebook?

  22. Camilla Smythe


    Next thing you know plod will get up to speed with RIPA and start lead piping suspects for encrypting communications.

    ... Back to the Lingerie Pages then. Do they still deliver catalogues?

    1. copsewood

      RIPA doesn't beat perfect forward secrecy

      Most of the time SSL uses symmetric session keys for the heavy crypto lifting. The secret keys and passwords are used to help establish these session keys, but you can't derive any long term secrets from these ephemeral keys which are securely created and agreed by both ends at the start of the session and deleted at both ends at the end of the session.

      So plod can come knocking on my door with a proper warrant and get my passwords and secret keys in preference to my going to jail, but that still doesn't give plod access to my encrypted SSL session he sniffed from yesterday which is on his hard disk.

  23. tony trolle

    oh feel a fail coming on...

    "With today's blog post, the company also introduced what it calls "social authentication". If Facebook suspects your account has been compromised, it may show you pictures of your online friends and ask you to identify them."

    I have about 500 'friends' and the only thing we know about each other is we play mafia wars.

    I could only name less than 10 by sight.

  24. Mike Kamermans
    Thumb Up

    Of course, say you're actually popular...

    Social authentication goes wrong very quickly if you're even moderately popular because of your job (author, singer, what have you) and you have a few hundred "friends" or more. Good luck identifying people you've never met.

    Incidentally, this feature has been in use at least since July, which is when I first saw it and went "how is this useful unless you know everyone in your firends list? which isn't how people use facebook?"

    1. Anonymous Coward
      Anonymous Coward

      Knowing Your Friends

      "how is this useful unless you know everyone in your firends list? which isn't how people use facebook?"

      I've never understood people who are friends with folk they don't know. In my day, you had to know someone first before you considered them a friend. Now, get off my lawn!

      PS I do have a facebook account (sadly) and every single one of my facebook friends I knew first in real life. But that's what happens when you grew up in the pre-facebook era.

  25. JaitcH

    Like putting a bloody great padlock on a field

    The weak security IS Facebook as well as it's policies.

    Putting on front end security will do little good if Zuckerberg is selling the info.

  26. cheesey_toastie
    Thumb Up

    Photo Validation

    I was travelling for four months across India, Sri Lanka and Nepal. Every time I logged in from a new region in India or a new country this photo validation fired up.

    It's surprisingly well written and designed actually - they realise that not all photos are perfectly tagged so it's not one strike and you're out. It randomly pics a few photos (so unlikely to expose anything) PLUS you need to have got your password right first to see the pics!!!!

    Credit where credits due - I thought this was a very novel approach to ensuring account security and having had a few other accounts hacked from internet cafe key logging I'm all for it! HTTPS won't do anything for the key logging!

    1. Anonymous Coward
      Jobs Horns

      Facebook Friends>??

      That is the one thing that I avoided like the plague on Face Book... because MOST of the people were "stamp collection" friends...

      Remember their names?

      I would not even remember "having added" them or having "been added" by them, the next day.

      If you want REAL WORLD friends, then offer to do an hours worth of work for everyone in your neighbourhood, every day, for a year.

      Fuck Facebook and this imaginary online drivel......

  27. Matthew 3

    And what if they're not real friends?

    Several people I know have racked up hundreds of FB 'friends' just so that their Mafia / Farm etc gets some sort of bonus: they don't actually know these people and don't interact with them outside these games.

    Unless FB offers a way to filter out 'real friends' from 'random people who accepted my friend request', how will one be able to know them by name for this picture identification idea?

    1. John Robson Silver badge


      They know how often you message people or graffiti their "wall", "like" their "status" or any number of other interactions...

      And how many photos you are both tagged in...

    2. Anonymous Coward
      Anonymous Coward

      A lesson here?

      "they don't actually know these people and don't interact with them outside these games."

      That'll learn them to not to interact with people outside the narrow confines of an online game.

  28. Paul 666

    over your head?

    for those who predictably say... "FAIL can't see this option!" did you absorb paragraph 4?

    "Facebook says that the new tool will be rolled out "slowly" over the next few weeks. Once it's available to you, you can turn on your HTTP connection by visiting the "Account Security" section of Facebook's Account Settings page."

    You do you must want somit' to pout about ;)

    1. Nick 10

      Over their heads?

      Let's try and remember they're facebook users. A lot of them won't have the attention span to read as far as paragra...hey, look! a butterfly!

  29. lil_eddie
    Thumb Up

    social auth

    That social authentication has been about for about a year now, it is nothing new. When i was on holiday and logged into facebook, it showed me pictures of friends to name them before allowing me any further into my account, nothing 'new' there, just because they blogged about it doesn't make it new.

    Good job on the SSL though fb :)

  30. Wize

    "We will show you a few pictures of your friends and ask you to name the person in those photos"

    There are quite a lot on my list who have photos of their kids/grandchildren as their profile picture.

    How the hell do I tell all their brats apart?

  31. Harry

    So, one small piece becomes a bit more secure ...

    ... but what's the point in encrypting traffic to and from facebook, while facebook continues to abuse the privacy of its users (eg by constantly inventing new ways they can disclose private data and setting them by default to disclose without your permission) once your information has arrived there.

  32. Kay Burley ate my hamster
    Thumb Up

    I agree that FB should force SSL connections but you can just go to and be protected against sniffing on open networks.

    1. Goopy


      That only works for the login page and nowhere else, once at the profile page, it is not forced and is back to non-ssl state (just look in the addy bar).

      The near future, only the new FB setting (once it appears in your Settings page) or the FF plugin will force FB to be SSL.

      Maybe in the future, FB will auto-force SSL on each and every page. I doubt it.

  33. SpaMster

    Questionable quote

    "Instead of showing you a traditional captcha on Facebook, one of the ways we may help verify your identity is through social authentication. We will show you a few pictures of your friends and ask you to name the person in those photos. Hackers halfway across the world might know your password, but they don't know who your friends are,"

    Can't people browsing facebook see who your friends are anyway? you can usually view somebodys friends without actually being friends with them in the first place

    1. crashtest

      Not since a long time now

      Security options have been in place since two years ago that configure many things to be visible by all, some or none; among those are photos, info, posts and of course your friends.

      So the people showing their friends list to non-friends are either ignorant of the ability to hide it or simply naive enough to think it is of no consequence.

    2. Goopy

      Tagging, so far....

      I believe, but dont know for sure, that photo tags only show to friends, and you can turn off friends of friends and everyone, however, YOU have to make that change - FB doesnt default to anything "safe" and the choir hears me preach!

    Jobs Horns


    SSL will save everyone. Quick, turn it on!

  35. Anonymous Coward

    And the beat goes on . . .

    The joke that is facebook just keep on going, and going, and going.

  36. ManUtdUSA

    SSL available now

    I now have the HTTPS option but, a word of warning, any Facebook Connect apps you may use will no longer login if you enable this option.

    I'll just have to decide what's more important, security or Bejeweled Blitz! ;-)

    1. Goopy

      Soon to be fixed with another rollout

      Title says it all.

  37. Anonymous Coward
    Anonymous Coward

    The Goldman Sack $50 Billion ponzi

    Isn't it wonderful?

    (I started as sarcasm I swear)

  38. Goopy

    SSL "costs"? Google busts the myth, publicly.

    SSL "overhead" has been largely, at least for the last 8 years, a myth and barely measurable. Just ask Google. (this is a widely reported and important link, mods, but feel free to edit it if the register already reported on this Google SSL story especially if there is an internal register link). Google turned on SSL for ALL of their services around November 2010, not just for gmail anymore.

    This is a Facebook ROLLOUT (actually BECAUSE of the recent hack of Zuck's account, Zack's hack didnt cause the push - Facebook had planned to release SSL for everyone all at once, but decided move it quicker by rollout, based on the public story of Zuck's hacked account)

    FB has been working at turning SSL for its whole site since July of 2010, and since about December, I at least have been able to force each page to SSL using the FF plugin mentioned numerous times here.

    Unfortunately, out of 4 accounts, 1 has the setting Sophos was talking about recently, I have the baited breath for the other 3 to be SSL'd soon!

  39. Goopy

    "Social Confirmation" tickles me....

    That trick will work just as long as FB security team shows you pics of your friends that are tagged. I can see that as problematic, too. And, if you arent following what I am saying - read the whole article, as I have.

This topic is closed for new posts.

Other stories you might like