Friday, January 28, 2011

Secure Facebook, ooh er

In the same week as Data Privacy Day and the suspected hacking of CEO Mark Zuckerberg's Facebook page, Facebook have added the new option of always-on SSL encryption for users accessing their service.

In a blog post yesterday the social networking giant announced two new security features. “Social authentication” is a new form of user authentication designed to thwart automated attacks, by asking the user to identify photos of their Facebook friends.
Facebook have also added the option of “Secure Browsing” to their Account security settings. When enabled, this causes Facebook to use SSL encrypted connections (HTTPS) rather than plain old HTTP. The changes give protection against various attacks “on the wire”, such as the Firesheep tool seen last year and the more sinister actions of the Tunisian government.

Ostensibly this is good news for us Facebookers; however, the situation in the workplace may be less clear. With 4 out of 10 workplaces apparently blocking Facebook, we can assume that a good proportion of the remaining 6 use filtering and monitoring procedures instead. If Facebook access becomes “invisible” through encryption, more of these firms may be forced to bring down the ban hammer on facebook.com.
Or they could try a filter that understands HTTPS, like Guardian? Because it is the 21st century after all.

1 comment:

  1. I really like the "social authentication" idea. It protects well against remote and unknown attackers, so will help reduce instances of accounts being phished. Of course it will be much less successful against attackers who know the victim, but it's still a great tool - not one I'd ever use to replace a password, or allow access to lost passwords though.

    I wonder if any other applications can be found? Would it be wrong for a bank to ask you to identify the "real" transaction out of 10 falsies? As long as this wasn't before the "regular" login, there'd be no worry that "£50 from Joe's A1 Adult Emporium" would crop up when you least expect! Could be a fine defence against bank phishing, come on HSBC, get yer act together, when a social network is out-innovating you on security... erk.
