Wednesday, January 26, 2011

Facebook Beefs Up Security With Full-Time HTTPS & Social Captchas

Via techcrunch.com -

Facebook is introducing two new measures to beef up security: expanding HTTPS connections as an all-the-time option and using social captchas to authenticate users who have lost passwords. Let’s take these one at a time.

HTTPS is a secure connection (more secure than plain-vanilla HTTP connections), and Facebook already uses HTTPS when you log into an outside site through Facebook Connect and send your passwords back to Facebook. But now you will have the option to set HTTPS as the default connection for everything you do on Facebook itself.

[...]

Some app developers will need to use a new “Secure Canvas URL” so that their apps can also be accessed over HTTPS.

The social captcha feature is pretty clever. It will replace regular captchas (those slightly warped letters you are asked to re-enter to prove you are human) with a picture of one of your friends. You will need to identify the person to authenticate yourself when you are trying to retrieve a lost password or Facebook detects suspicious login activity on your account. You do know what all your “friends” look like, don’t you?


---------------------------------------------------------------------------------

Overall, I think this is a very positive step, but one of my friends said it best - "a security feature that has to be enabled will never be used by the masses. A for effort, but C for implementation."

Long story short, he is correct. When security is opt-in, people are less likely to do it, for various reasons.

Hopefully this is just the first step.

Google rolled out SSL to Gmail users in the same way. First it was an option, then it became the default.

Let's hope Facebook will follow suit... and just in case that isn't in their roadmap, the security community should applaud this change, but continue to push for more.

1 comment:

  1. I also hope that SSL becomes the default for Facebook. There seems to be some concern over performance when using SSL, but Google seems to have made it work. I work for Symantec, so I am a huge proponent of SSL and think that Facebook’s announcement is an important step toward online security. Looking forward to seeing how it unfolds.