
Facebook SSL, great idea, but not an option available to me yet.
Guess that's a fail then...
Facebook is giving all users the option of accessing its social networking service via SSL encryption. The move comes a day after pranksters hacked into the Facebook page of CEO Mark Zuckerberg and less than a month after the company reportedly turned on SSL encryption for anyone viewing the site inside Tunisia, where …
This post has been deleted by its author
> Can someone explain how it saves money
SSL uses more data to transfer the same amount of content - you've got overheads in the encryption setup, etc.
By not using SSL, FB will have less bandwidth to pay for. With an organisation of that size, that might make a noticeable difference.
But saving money by doing stupid things with security shouldn't be an option. This sort of penny-pinching is exactly what FireSheep was supposed to highlight. It appears to have failed :=(
Vic.
An SSL login takes a tiny bit of overhead (which is already present, and on only ONE page) but all subsequent pages are handled through that SESSION cookie - the same EXACT cookie is used for EVERY page AND SSL ALSO compresses pages before they are encrypted and your browser decrypts them. You should read Google's own report from November 2010 where a team of 7 employees took 4 (FOUR) hours of Google's time to turn on encryption for ALL of the rest of their services (they had already fully turned on encryption in gmail back in July of 2010). The team estimated the move cost Google just over 70,000 dollars - that is equivalent to 70 cents for you and me. Google has FAR MORE than 500 million users.
Encryption overhead for both servers AND LOCAL ROUTERS IN SCHOOLS AND COFFEE SHOPS has not shown appreciable nor even measurable decreases in headroom when using FULL, BEST encryption for over 8 years.
The REAL problem is that Google has NOT deployed SSL for ALL of its customers yet. Anecdotally, I have 4 FB accounts and only ONE of them has the new settings made available!
Extra computing power is needed to encrypt and decrypt secure communications, so the more people who enable the feature, the more it will cost. The amount it cost Facebook to implement it in the first place is approximately zero - the software is there anyway.
This so-called overhead is more a systems management overhead than a real hardware investment. Facebook, which is the largest internet service now by many measures, would need to spend less than 5 million $ on this technology:
http://en.wikipedia.org/wiki/SSL_accelerator
Compared to hundreds of million revenue that's simply negligible. But their friends in government can't perform easy datamining and snooping, that's much more of an issue.
There's more server & bandwidth overhead with SSL, so it costs the people running the server more money per user in those terms. Having said that, the added expense is probably overstated, as Google claims that switching all gmail access to SSL only added 2% to their overhead. Granted, email is mostly text while Facebook is mostly intellectually masturbatory pictures, which requires more bandwidth than most mail viewing does.
If I'm not mistaken, the https everywhere addon for firefox forces this already? Sure it breaks a few of the more annoying features (like chat), but still.
As for identifying your friends' photos for security, I wonder just how they'll implement that one. They surely (being the ever privacy-conscious bunch that they are) won't display my friends' private pictures to any random person purporting to be me?
And that's assuming I can identify them from the random shit they get tagged in when it's not them, their baby photos, or the 846,684 people I am "friends" with in addition to anyone I know! Stupid Mafia wars!
My friends are forever changing their pics, and because I use it to keep in contact with either family, a couple of real friends and lots of horror fans (basically use it as a horror network) it could be next to impossible for me to identify some of the friends. Hardly anyone uses their own picture for their profile anyway! Any that do are just vain!
The photo-based authentication has been in place for several months at least -- I was on holiday in November and when I logged on from Cybercaffs it said I'd connected from a new location and had to verify myself.
You're presented with several pics of the same person (I can't recall the exact number), drawn seemingly at random from tagged photos and a selection of several friends' names to choose from. This happens 4 or 5 times, and you're given the option to skip (I think you get 3 chances to skip) just in case the photos are bad or it's someone you don't really "know" know.
It's a sensible system, but there are two little flaws.
1) It seems to select very strongly connected people (one of my brothers or sisters was always included) so if the attacker knows you at all, he's likely to know these people. Of course, this is because they're trying to make it easy for *you* to recognise them, but hey-ho...
2) Judging by the wording of the message, it's about registering the location the first time you connect from there, so if you're in an unscrupulous cybercaff, the same people who sniff your login details will have access to the terminal/subnet/geographic location (whatever it is that Facebook considers a location) you used to connect, which will now (presumably) be whitelisted by Facebook.
It's a step in the right direction, but they've got a very, very long way to go yet....
into the "enhanced security" annoyance box and it didn't care. If I knew how to write SQL injection or something that should get filtered or neutered or rejected, I would. I on one occasion inserted some 150 random characters, letters, numbers and symbols, and it took that happily.
Sigh.
This is pre-empting their recent (but largely expected) decision to make all forms of facebook game virtual currency purchasable only via facebook credits.
When you start forcefully leveraging your micropayment mechanisms into third-party facebook applications, you'd better be sure it's secure.
"If Facebook suspects your account has been compromised, it may show you pictures of your online friends and ask you to identify them."
If someone has compromised my account they have access to all my friends so unless they put a fast timer on it they can check to see who that drunk is in the picture ;)
@dpf44, I've had my FB account compromised twice after accessing it over my cell phone via EDGE.
Each time, Facebook has told me where the user logged in from (a business center not far from where I live) and forced me to verify pictures of my friends.
They'll show you (for example) 4 pictures on the page from one of your friends' accounts. They then list 5 names of your friends and you have to select which name the photos belong to. Sometimes it can be difficult, as your friends might have tagged themselves in a lot of random pictures which aren't actually of them.
You have to go through 4 or 5 pages like this.
Although my numbers may be a little bit off (how many photos are shown and how many friends' names are shown), this is the general idea.
All any miscreant has to do is go through a victim's friends list, print the list of friends, and then keep them on hand for the subsequent match-up. FB needs some better tool. Having us re-insert our e-mail address and phone number seems bizarre, since if the stream is intercepted, a hacker/cracker/other can see that, too.
Even if a phone display can read thumb prints, that'll get hacked/cracked, too.
"We are rolling this out slowly over the next few weeks, but you will be able to turn this feature on in your Account Settings soon. We hope to offer HTTPS as a default whenever you are using Facebook sometime in the future."
Sigh ... With service like this, they seem more like Microsoft every day ... Maybe their next big thing will be a helpful paperclip type assistant ;-)
I've used this today and it's a nightmare. I really struggled to tell which Mr Men character one of my friends had been tagged as, or recognise a 30 year old friend from the picture of them when they were 3!
Clearly this was designed by someone living in some sort of fantasy world of facebook!
I've just been tagged as a branch on a Christmas Tree and before that as a rock on a stony beach. I have no idea why other than, I expect, friends can make me see a picture immediately.
When it comes to identifying me from these pictures I expect that it's going to be rather hard.
In the SF Bay area... And I still don't see any SSL Option...
Curious, since the fb HQ is less than 35 miles from me... Maybe they see my use of Firefox? Nope. Same issue in Iexplorer... Android Phone/Internet Browser? No options present.... Android Phone/Dolphin Browser HD? Nope. Not present.
Most of the time SSL uses symmetric session keys for the heavy crypto lifting. The secret keys and passwords are used to help establish these session keys, but you can't derive any long term secrets from these ephemeral keys which are securely created and agreed by both ends at the start of the session and deleted at both ends at the end of the session.
So plod can come knocking on my door with a proper warrant and get my passwords and secret keys in preference to my going to jail, but that still doesn't give plod access to my encrypted SSL session he sniffed from yesterday which is on his hard disk.
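The post above describes the property that a recorded session stays sealed even if the long-term secrets are later handed over. That holds when the key exchange is ephemeral (Diffie-Hellman with a fresh exponent per session, signed by the long-term key); it does not hold when the long-term key is itself what the session secret is wrapped with. The Python below is an added illustration, not code from the article or from Facebook: it uses a constructed toy DH group (far too small for real use), an HMAC under a pre-shared long-term key as a stand-in for a certificate signature, and a `recover_with_long_term_key` function that models what someone holding both the sniffed transcript and the long-term key can compute.

```python
import hashlib
import hmac
import secrets

# Constructed toy Diffie-Hellman group: a Mersenne prime modulus and a small generator,
# chosen only so the arithmetic is readable. Real deployments use standardised groups.
P = 2**127 - 1
G = 5
KEY_BYTES = 16  # every value mod P fits in 16 bytes


def derive_session_key(shared_secret: int) -> bytes:
    """Hash the agreed DH value into a symmetric session key (stand-in for a TLS KDF)."""
    return hashlib.sha256(shared_secret.to_bytes(KEY_BYTES, "big")).digest()


def static_exchange(server_long_term_priv: int):
    """Key exchange where the server's long-term secret IS the DH exponent, reused every
    session. Whoever later obtains that long-term key can unwrap every recorded session."""
    server_pub = pow(G, server_long_term_priv, P)
    client_priv = secrets.randbelow(P - 2) + 1
    client_pub = pow(G, client_priv, P)
    session_key = derive_session_key(pow(server_pub, client_priv, P))
    transcript = {"server_pub": server_pub, "client_pub": client_pub}  # what a sniffer records
    return session_key, transcript


def ephemeral_exchange(server_long_term_priv: int):
    """Key exchange with a fresh server exponent per session. The long-term secret only
    authenticates the ephemeral public value (HMAC stands in for a certificate signature;
    the client is assumed to hold the long-term key for verification, a simplification)."""
    lt_key = server_long_term_priv.to_bytes(KEY_BYTES, "big")
    server_eph_priv = secrets.randbelow(P - 2) + 1
    server_eph_pub = pow(G, server_eph_priv, P)
    eph_pub_bytes = server_eph_pub.to_bytes(KEY_BYTES, "big")
    auth_tag = hmac.new(lt_key, eph_pub_bytes, "sha256").digest()

    # Client side: check the ephemeral value really came from the holder of the long-term key.
    expected = hmac.new(lt_key, eph_pub_bytes, "sha256").digest()
    if not hmac.compare_digest(auth_tag, expected):
        raise ValueError("server ephemeral key failed authentication")
    client_priv = secrets.randbelow(P - 2) + 1
    client_pub = pow(G, client_priv, P)
    client_key = derive_session_key(pow(server_eph_pub, client_priv, P))

    # Server side derives the same key from the client's public value.
    server_key = derive_session_key(pow(client_pub, server_eph_priv, P))
    assert client_key == server_key
    del server_eph_priv, client_priv  # both ends discard the ephemeral secrets afterwards

    transcript = {"server_eph_pub": server_eph_pub, "auth_tag": auth_tag, "client_pub": client_pub}
    return client_key, transcript


def recover_with_long_term_key(transcript: dict, server_long_term_priv: int) -> bytes:
    """What an adversary with a recorded transcript plus the server's long-term key can compute:
    the client's public value raised to the long-term exponent. That is exactly the session key
    in the static scheme and an unrelated value in the ephemeral one, because the exponent that
    actually produced the session key was discarded and is not in the transcript."""
    return derive_session_key(pow(transcript["client_pub"], server_long_term_priv, P))


if __name__ == "__main__":
    LONG_TERM = 12345678901234567890  # constructed long-term secret
    key, rec = static_exchange(LONG_TERM)
    print("static exchange recovered:", recover_with_long_term_key(rec, LONG_TERM) == key)
    key, rec = ephemeral_exchange(LONG_TERM)
    print("ephemeral exchange recovered:", recover_with_long_term_key(rec, LONG_TERM) == key)
```

The contrast is the whole point: the only difference between the two exchanges is whether the exponent used to agree the session key is the long-term secret or a throwaway one, and that alone decides whether yesterday's capture can be opened with today's warrant.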
"With today's blog post, the company also introduced what it calls "social authentication". If Facebook suspects your account has been compromised, it may show you pictures of your online friends and ask you to identify them."
I have about 500 'friends' and the only thing we know about each other is we play mafia wars.
I could only name less than 10 by sight.
Social authentication goes wrong very quickly if you're even moderately popular because of your job (author, singer, what have you) and you have a few hundred "friends" or more. Good luck identifying people you've never met.
Incidentally, this feature has been in use at least since July, which is when I first saw it and went "how is this useful unless you know everyone in your friends list? which isn't how people use facebook?"
"how is this useful unless you know everyone in your friends list? which isn't how people use facebook?"
I've never understood people who are friends with folk they don't know. In my day, you had to know someone first before you considered them a friend. Now, get off my lawn!
PS I do have a facebook account (sadly) and every single one of my facebook friends I knew first in real life. But that's what happens when you grew up in the pre-facebook era.
I was travelling for four months across India, Sri Lanka and Nepal. Every time I logged in from a new region in India or a new country this photo validation fired up.
It's surprisingly well written and designed actually - they realise that not all photos are perfectly tagged so it's not one strike and you're out. It randomly picks a few photos (so unlikely to expose anything) PLUS you need to have got your password right first to see the pics!!!!
Credit where credit's due - I thought this was a very novel approach to ensuring account security and having had a few other accounts hacked from internet cafe key logging I'm all for it! HTTPS won't do anything for the key logging!
That is the one thing that I avoided like the plague on Facebook... because MOST of the people were "stamp collection" friends...
Remember their names?
I would not even remember "having added" them or having "been added" by them, the next day.
If you want REAL WORLD friends, then offer to do an hour's worth of work for everyone in your neighbourhood, every day, for a year.
Fuck Facebook and this imaginary online drivel......
Several people I know have racked up hundreds of FB 'friends' just so that their Mafia / Farm etc gets some sort of bonus: they don't actually know these people and don't interact with them outside these games.
Unless FB offers a way to filter out 'real friends' from 'random people who accepted my friend request', how will one be able to know them by name for this picture identification idea?
For those who predictably say... "FAIL can't see this option!" did you absorb paragraph 4?
"Facebook says that the new tool will be rolled out "slowly" over the next few weeks. Once it's available to you, you can turn on your HTTP connection by visiting the "Account Security" section of Facebook's Account Settings page."
You do, you must want somit' to pout about ;)
That social authentication has been about for about a year now, it is nothing new. When I was on holiday and logged into facebook, it showed me pictures of friends to name them before allowing me any further into my account, nothing 'new' there, just because they blogged about it doesn't make it new.
Good job on the SSL though fb :)
... but what's the point in encrypting traffic to and from facebook, while facebook continues to abuse the privacy of its users (eg by constantly inventing new ways they can disclose private data and setting them by default to disclose without your permission) once your information has arrived there.
That only works for the login page and nowhere else, once at the profile page, it is not forced and is back to non-ssl state (just look in the addy bar).
In the near future, only the new FB setting (once it appears in your Settings page) or the FF plugin will force FB to be SSL.
Maybe in the future, FB will auto-force SSL on each and every page. I doubt it.
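The two complaints in this thread that matter to a defender are the FireSheep one (the session cookie travels over plain HTTP and can be lifted) and the one just above (HTTPS is only forced on the login page, so later pages drop back to plain HTTP). The server-side fixes are the `Secure` attribute on the session cookie, so the browser never sends it over http://, and a `Strict-Transport-Security` header, so the browser upgrades every later request itself instead of relying on a plugin. The Python below is an added example, not code from the article or from Facebook: it audits a response's headers for both, run against two constructed header sets, a weak one and a hardened one.

```python
# Constructed sample responses (not captured from any real site).
PLAIN_HTTP_RESPONSE = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "session_id=a1b2c3d4; Path=/"),
    ("Set-Cookie", "lang=en; Path=/"),
]

HARDENED_RESPONSE = [
    ("Content-Type", "text/html"),
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ("Set-Cookie", "session_id=a1b2c3d4; Path=/; Secure; HttpOnly"),
    ("Set-Cookie", "lang=en; Path=/; Secure"),
]

# Heuristic: cookie names that usually carry a login session (assumption for the example).
SESSION_COOKIE_HINTS = ("session", "sess", "sid", "auth", "token")


def parse_set_cookie(value: str):
    """Split a Set-Cookie value into (name, value, {attribute: value_or_True})."""
    parts = [p.strip() for p in value.split(";") if p.strip()]
    name, _, cookie_value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return name.strip(), cookie_value, attrs


def looks_like_session_cookie(name: str) -> bool:
    lowered = name.lower()
    return any(hint in lowered for hint in SESSION_COOKIE_HINTS)


def audit_response(headers):
    """Return a list of findings for one response's headers; an empty list means nothing flagged."""
    findings = []
    if not any(n.lower() == "strict-transport-security" for n, _ in headers):
        findings.append("missing Strict-Transport-Security: the browser will follow plain "
                        "http:// links to later pages instead of upgrading them")
    for name, value in headers:
        if name.lower() != "set-cookie":
            continue
        cookie, _, attrs = parse_set_cookie(value)
        if "secure" not in attrs:
            findings.append(f"cookie '{cookie}' lacks Secure: it is also sent on plain HTTP "
                            "requests, where a passive sniffer on the same network can read it")
        if looks_like_session_cookie(cookie) and "httponly" not in attrs:
            findings.append(f"session cookie '{cookie}' lacks HttpOnly: readable by page scripts")
    return findings


if __name__ == "__main__":
    for label, headers in (("plain", PLAIN_HTTP_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, audit_response(headers) or ["ok"])
```

Note that `Secure` on the cookie is what closes the FireSheep hole even for users who never find the new setting: a cookie the browser refuses to send over http:// is not on the wire for anyone to copy.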
"Instead of showing you a traditional captcha on Facebook, one of the ways we may help verify your identity is through social authentication. We will show you a few pictures of your friends and ask you to name the person in those photos. Hackers halfway across the world might know your password, but they don't know who your friends are,"
Can't people browsing facebook see who your friends are anyway? You can usually view somebody's friends without actually being friends with them in the first place.
Security options have been in place since two years ago that configure many things to be visible by all, some or none; among those are photos, info, posts and of course your friends.
So the people showing their friends list to non-friends are either ignorant of the ability to hide it or simply naive enough to think it is of no consequence.
SSL "overhead" has been largely, at least for the last 8 years, a myth and barely measurable. Just ask Google.
http://techie-buzz.com/tech-news/google-switch-ssl-cost.html (this is a widely reported and important link, mods, but feel free to edit it if The Register already reported on this Google SSL story, especially if there is an internal Register link). Google turned on SSL for ALL of their services around November 2010, not just for gmail anymore.
This is a Facebook ROLLOUT (actually BECAUSE of the recent hack of Zuck's account; Zuck's hack didn't cause the push - Facebook had planned to release SSL for everyone all at once, but decided to move it quicker by rollout, based on the public story of Zuck's hacked account)
FB has been working at turning SSL for its whole site since July of 2010, and since about December, I at least have been able to force each page to SSL using the FF plugin mentioned numerous times here.
Unfortunately, out of 4 accounts, 1 has the setting Sophos was talking about recently; I wait with bated breath for the other 3 to be SSL'd soon!