Facebook Announces Social Verification and HTTPS option

Type threatpost
Reporter Brian Donohue
Modified 2013-04-17T20:09:40


Facebook announced yesterday that they will begin offering
secure HTTPS connections and a new verification method called social
verification to users of the most popular social network in the world.

The move comes, conveniently, just a day after Facebook CEO
and founder Mark Zuckerberg’s personal Facebook account was reportedly
hacked, and amid rising concerns over the widespread use of social
networks as tools for spreaders of spam and malware.

HTTPS, signified by a padlock in the address bar of your
browser or the address bar itself turning green, has been a constant feature of
banking and commerce websites for some time. HTTPS indicates that any data
passing between a browser and the website it is visiting is encrypted and
that the communication is therefore secure. Facebook has always utilized HTTPS
when passwords are sent to it, but is now expanding its role. For the time
being, HTTPS is a feature that users must actively turn on in their security
settings, but Facebook claims that in the coming months the social network will
migrate completely to HTTPS.

The Facebook Blog warns users that while the switch to HTTPS will increase
security, it will also slow down browsing on Facebook as encrypted pages
generally take longer to load. In addition, many third party applications will
become unavailable to those on secure connections because the developers of
those programs themselves aren’t connected via HTTPS.

The network is also rolling out another significant security
feature called social authentication. This will replace the captcha verification
method (that confusing jumble of blurry, wavy letters that supposedly prevents
non-human players from gaining access and presumably spreading spam). The
problem with captcha, other than that it is difficult to determine the letters
and that it doesn’t work particularly well, is that it isn’t designed to prevent
actual people from gaining access to information. The new method, social
verification, will ask users to identify pictures of their friends. So the
rationale goes, if some human or bot half-way across the world tries to gain
access to your account, they’ll first have to identify a friend or acquaintance
of yours. I’m not sure how this will work. It seems to me that unless they have
a way of making sure social verification asks the user to identify someone with
whom he/she communicates regularly, they may run into issues with users who
have a vast amount of friends and perhaps cannot identify all of them.

I attempted, unsuccessfully, to switch my personal Facebook
account to https just before publication by following the instructions on the
Facebook Blog. So they either have yet to actually implement the option or
their instructions are lacking.