
"Turning on https by default is a dream come true ..."
Jesus. Now I know what happened to my damn jetpack and flying car.
Facebook has announced that it has finished migrating its users to secure browsing, with all 1.15 billion active user accounts now accessing the site over encrypted HTTPS by default. The social network first offered secure browsing as an option in January 2011, and then slowly began making it the default in various regions. It …
Considering the number of phish messages/posts and various other attacks, I have to agree.
I've had to clean my wife's account three times, her computer twice.
Formatted and reloaded after a fixed period of no traffic that was untoward, which would be pretty much anything beyond java, adobe and my update server.
As the US government has contracts with multiple providers for their data, the easiest being providing keys, erm, big fat fucking deal, facebook! Just another PR ploy.
Shit, Skype sold off keys to multiple nations, as was reported three or so years ago.
Google has a contract with the US DoD.
Oh! Facebook doesn't. Can't be served a warrant either, since they're on Mars or something.
Your Faceplant....I mean, Facebook information is secure! We use encryption, so your information is safe.
It will only get to those people WE WANT IT TO. Like every advertiser on the planet. And your mother-in-law. And that stalker ex-friend from high school who you haven't seen in 10 years but insisted on 'friending' you.
Etc., etc. etc.
You obviously haven't been paying attention. What they mean when they say "if you select this option then what you say will stay private" is "... for the next 3-4 months before the next UI overhaul when we're going to reset everyone's privacy settings for the nth time to 'all public'". Based on repeated past experience, if you put it on facebook, it's best to assume anyone in the world will be able to see it at some point in the future.
*My* data sources and encryption are secure. That said, I don't trust you enough to provide you security.
Of course, I don't trust myself and require second and tertiary physical oversight.
Security rule one, trust no one. Not even oneself, as all are known for moments of immense stupidity.
Shame about the fact it's using RC4 (almost every browser handshakes SSL_RSA_WITH_RC4_128_SHA) and they haven't enabled forward secrecy (which I'm guessing they left on purpose specifically so the NSA *could* decrypt it).
http://blog.cryptographyengineering.com/2013/03/attack-of-week-rc4-is-kind-of-broken-in.html
Oh well. Another time maybe?
Actually, the two preferred ciphers that the facebook servers send are TLS_RSA_WITH_AES_128_GCM_SHA256 and TLS_RSA_WITH_AES_256_GCM_SHA384.
Yes, you're right about Forward Secrecy, but you're wrong about the cipher. And Forward Secrecy appears to require that you use a very few select ciphers using DHE or ECDHE, which are both slower than the ones they've left enabled. When you're dealing with the volume of traffic Farcebook does, they probably can't afford the hit.
Yes, they still have RC4 enabled (it's the 3rd most preferred cipher), but they need to because very few browsers support the TLS v1.2 ciphers that allow you to avoid RC4 and CBC (the only two usable ciphers in TLSv1.0 and SSLv3). You could avoid the RC4 problem by using CBC, except it's *more* broken than RC4.
So until browser manufacturers catch up and enable TLSv1.2 by default, web sites *have* to leave TLS v1.0 / SSL v3 ciphers enabled, and that means RC4.
(yes, I recently went through a bunch of ssl code at work to try and make sense of the patchwork mess that different browser implementations have forced on ssl servers)
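The two comments above (the RC4 complaint and the reply about preference order, forward secrecy and TLS 1.2-only suites) are really describing an audit of a server's cipher-suite list. The script below is an added example, not code from the original thread or from Facebook: it classifies IANA cipher-suite names by key exchange (forward secrecy via DHE/ECDHE), cipher mode (AEAD, CBC, RC4) and the lowest protocol version each suite can run on, then reports where RC4 sits and which suites are pre-TLS 1.2 fallbacks. The sample preference list is constructed: the first two suites and RC4 in third place come from the comment; the CBC suite and the ECDHE suite are assumptions added to show the other categories.

```python
"""Audit a TLS cipher-suite preference order for forward secrecy, RC4 and TLS 1.2-only suites.

Added example; not the thread's or Facebook's code. The sample list below is constructed.
"""
from dataclasses import dataclass

# Constructed sample preference order (server-side, most preferred first).
# First two suites and RC4 in third place are as stated in the thread; the
# CBC and ECDHE entries are assumptions added to exercise the other categories.
SAMPLE_PREFERENCE = [
    "TLS_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_RSA_WITH_RC4_128_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA",          # assumption
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",  # assumption
]


@dataclass
class SuiteInfo:
    name: str
    forward_secrecy: bool
    mode: str          # "AEAD", "CBC", "RC4" or "other"
    min_version: str   # lowest protocol version the suite can be negotiated on


def classify(suite: str) -> SuiteInfo:
    """Classify one IANA-style suite name (TLS_... or the older SSL_... spelling)."""
    kx, _, body = suite.partition("_WITH_")
    # DHE_* and ECDHE_* negotiate ephemeral keys; plain RSA, DH_* and ECDH_* do not.
    forward_secrecy = "DHE" in kx
    if any(tag in body for tag in ("_GCM_", "_CCM", "CHACHA20")):
        mode = "AEAD"
    elif "RC4" in body:
        mode = "RC4"
    elif "_CBC_" in body:
        mode = "CBC"
    else:
        mode = "other"
    # AEAD suites and the SHA-256/SHA-384 HMAC suites exist only from TLS 1.2 on;
    # RC4 and CBC-with-SHA1 suites go back to SSLv3 / TLS 1.0.
    tls12_only = mode == "AEAD" or body.endswith(("SHA256", "SHA384"))
    min_version = "TLS1.2" if tls12_only else "SSLv3/TLS1.0"
    return SuiteInfo(suite, forward_secrecy, mode, min_version)


def audit(preference: list[str]) -> dict:
    """Summarise what a client will get from this server-side ordering."""
    infos = [classify(s) for s in preference]
    return {
        "first_choice": infos[0].name,
        "prefers_forward_secrecy": infos[0].forward_secrecy,
        "offers_forward_secrecy": any(i.forward_secrecy for i in infos),
        # 1-based rank of the first RC4 suite, or None if RC4 is not offered
        "rc4_rank": next((n for n, i in enumerate(infos, 1) if i.mode == "RC4"), None),
        # Suites a pre-TLS 1.2 client can still fall back to
        "pre_tls12_fallback": [i.name for i in infos if i.min_version != "TLS1.2"],
    }


def harden_order(preference: list[str]) -> list[str]:
    """Return a reordered copy: forward-secret suites first, AEAD before CBC, RC4 last.

    The set of suites is unchanged (so old clients still connect); only the
    server's preference changes, which is what decides what modern clients get.
    """
    mode_rank = {"AEAD": 0, "CBC": 1, "other": 2, "RC4": 3}

    def key(name: str):
        info = classify(name)
        return (0 if info.forward_secrecy else 1, mode_rank[info.mode])

    return sorted(preference, key=key)  # stable: ties keep their original order


if __name__ == "__main__":
    for k, v in audit(SAMPLE_PREFERENCE).items():
        print(f"{k}: {v}")
    print("hardened order:", harden_order(SAMPLE_PREFERENCE))
```

Running it on the constructed list reports that the first choice is `TLS_RSA_WITH_AES_128_GCM_SHA256` (no forward secrecy), that RC4 is ranked third, and that the RC4 and CBC suites are the only ones a pre-TLS 1.2 client can use; `harden_order` keeps every suite but moves the ECDHE suite to the front and RC4 to the back, which is the trade-off the comment describes (DHE/ECDHE handshake cost against forward secrecy) expressed as a preference order rather than as dropping old clients.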
I think you'd have to be extremely naive to think that Facebook interaction is not able to be monitored by the NSA et al. Leaving aside that there may be NSA backdoors put there by FB for the NSA at their insistence and FB wouldn't be able to legally refuse to comply or tell us about (or at least that's what they'd be told - as for the actual legality...). Furthermore it's also eminently possible the security services have the root keys for all the trusted browser certificates and can use PRISM to slurp up and decrypt the data.
It's clear from the Snowden leaks that the Five Eyes want to be able to intercept arbitrary traffic on the Internet and they have made considerable progress in doing so. Do you imagine they would limit themselves against intercepting HTTPS traffic?
Funny, my wife was complaining about our communications while I was deployed with great outrage and annoyance and she-hulk mode objection.
I kindly reminded her of some software I had installed on both of our systems. Software that encrypted HARD all comms between us. Gave us lag, but also gave no middleman anything but shit and constipation.
She then recalled a report from the NSA that was unclassified and hence, was shared with her on my DoD network security posture.
Well, suffice it to say that both the evaluators enjoyed the experience, as did I. We both learned new tricks, but none revealed shirt sleeve tricks held under the cuff when needed.
Though, I did observe some really weird network traffic when they tried those cards on the DoD network...
Yet another reason why various countries are liable to copy the NZ legislation currently being rammed through Parliament with desperate techniques, to expose any application service provider perfectly legally to PRISM or Xkeyscore at the whim of the government.
Post anonymously? What's the point? They know anyway.
Facebook are still going to hand over your details to governments and LEAs alike. If some feminazi on Facebook decides to step up the War on Men another notch, and I organise some opposition or argue back at her, I'd still be arrested for political incorrectness hate speech regardless. So Facebook doing this proves what exactly?
It'll give trouble to anyone between you and their servers so any gang (of Russian/Chinese/Israeli/Pakistani/India/computer crime capital du jour) identity thieves will have to work a bit harder for their money.
No doubt I'll get the irritating whine of "You don't have to use the internet you know" from various assorted idiots.
They make their money from data about you. They don't want network carriers to be able to slurp it in transit.
https does nothing for your privacy on Facebook as the data is theirs no matter how it gets there and they will share that with advertisers to make money and with governments if requested.
"Facebook has announced that it has finished migrating its users to secure browsing, with all 1.15 billion active user accounts now accessing the site over encrypted HTTPS by default"
Except where your local company/college has installed fake root CA certs in order to be security compliant.
'Deep Packet Inspection for SSL Encrypted Traffic (DPI-SSL): DPI-SSL transparently decrypts, inspects and re-encrypts SSL encrypted traffic to allow security services to be applied to all traffic that traverses Dell SonicWALL Next-Generation Firewalls'.
Facebook: 'Don't worry, your posts are SECURE with us'
Sorry I must have read my request wrong, I was sure I said SECURE from you. I am almost positive that is what I wrote, and very sure that is what I proof-read (sorry, I try to code fast and break things, but I keep breaking things I ought not to break ... what? that's ok? but I thought ... no,no,no I'm not contradicting you, I'm sure you're right, but ... but no I'm doing it again. sorry, I'll stop. Thank you for your understanding. Mother doesn't 'LIKE' me anymore! Oh please, I said I was sorry, it will never happen again ...)