Security and privacy experts yesterday welcomed Facebook’s deployment of two new security features: HTTPS (hypertext transfer protocol secure) and what it called “social authentication.”
The measures were announced less than 24 hours after the Facebook fan page of Mark Zuckerberg was defaced in a cyber-attack.
HTTPS is HTTP (hypertext transfer protocol) carried over the TLS (transport layer security) cryptographic protocol or its predecessor SSL (secure sockets layer). It encrypts the traffic between browser and server and lets the browser verify the identity of the Web server through its certificate; it has typically been used for online payment transactions and the transmission of other sensitive data.
The second measure is a CAPTCHA-like challenge that, instead of relying on distorted, hard-to-read text, uses photographs of the Facebook user’s own friends.
Meanwhile, Facebook has remained officially mum regarding yesterday’s apparent hacking incident, in which someone posted a message on Zuckerberg’s Facebook fan page, which has attracted 2.8 million Facebook users. While the post was removed relatively quickly, some 1,800 of those users had “liked” it and more than 400 had left comments before it came down.
The message read:
“Let the hacking begin: If facebook needs money, instead of going to the banks, why doesn’t Facebook let its users invest in Facebook in a social way? Why not transform Facebook into a ‘social business’ the way Nobel Price [sic] winner Muhammad Yunus described it? #hackercup2011”.
One social media space watcher, however, told ITBusiness.ca that Facebook was moving in the right direction.
“This is a very positive development for Facebook users and businesses with a Facebook presence,” said Kevin Bankston, a senior staff attorney specializing in free speech for the Electronic Frontier Foundation (EFF), a San Francisco-based non-profit digital rights advocacy group.
“We at EFF have been advocating for other social media sites to deploy HTTPS to protect their users. I hope that these sites follow Facebook’s lead,” said Bankston.
Another information security specialist however said he doubted there would be major benefits to businesses on Facebook.
“Admittedly,” Andrew Walls, research director for Gartner Research said, “there are attack scenarios that target business pages that might incorporate session hijacking or fraudulent authentication that may be mitigated to some extent by the new features, but the actual mitigation is slight.”
Walls specializes in information security practices, tools and markets in social media.
Two new features
A blog post by Facebook security engineer Alex Rice ties the announcement to Friday being “Data Privacy Day,” but the press and bloggers are having a high time connecting the news to Zuckerberg’s victimization, whether or not there is actually any connection.
HTTPS protection now extends beyond the password exchange to the whole Facebook session, according to Rice:
“Starting today we’ll provide you with the ability to experience Facebook entirely over HTTPS. You should consider enabling this option if you frequently use Facebook from public Internet access points found at coffee shops, airports, libraries or schools. The option will exist as part of our advanced security features, which you can find in the ‘Account Security’ section of the Account Settings page.”
The use of photographs of a Facebook user’s own friends, Rice said, further strengthens authentication.
“Instead of showing you a traditional CAPTCHA on Facebook, one of the ways we may help verify your identity is through social authentication. We will show you a few pictures of your friends and ask you to name the person in those photos. Hackers halfway across the world might know your password, but they don’t know who your friends are,” Rice said.
Things could be better
While Bankston applauds Facebook’s move, he said the social media site could go one step further.
“They could have offered the HTTPS feature as a default. At the moment users need to opt in,” he said.
He said the need for HTTPS was highlighted recently when a researcher released Firesheep, a Firefox browser plug-in built to demonstrate the risk of session hijacking. On an unencrypted network, Firesheep lets its user “eavesdrop” on the plaintext traffic of sites like Facebook, Twitter and Hotmail, capture the session cookies the browser sends over plain HTTP, and take over the victim’s logged-in account without ever learning the password. The EFF later released a free tool to foil Firesheep.
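To make the Firesheep risk concrete, here is an added example (not code from the article, from Facebook or from Firesheep): the attacker side harvests session cookies from sniffed plaintext requests, and the defender side audits a server’s response headers for the two settings that stop it, the Secure cookie attribute and HSTS. All traffic, host names and cookie names are constructed for illustration and are not any real site’s cookies.

```python
"""Sidejacking as Firesheep demonstrated it, and the response-header checks
that close the hole.

Added example, not code from the article or from Facebook or Firesheep.
All captured traffic, host names and cookie names below are constructed
for illustration; they are not the real cookies of any site."""
import re
from http.cookies import SimpleCookie
from typing import Dict, List, Set, Tuple

# Constructed plaintext HTTP requests as seen by anyone sharing an open Wi-Fi
# network. Over HTTPS these bytes would be encrypted and the Cookie header
# unreadable; over HTTP every station on the link can read them.
CAPTURED_HTTP = [
    "GET /home.php HTTP/1.1\r\nHost: www.example-social.com\r\n"
    "Cookie: sess=abc123; uid=42; lang=en\r\n\r\n",
    "GET /inbox HTTP/1.1\r\nHost: mail.example.com\r\n"
    "Cookie: auth=deadbeef; prefs=dark\r\n\r\n",
    "GET / HTTP/1.1\r\nHost: news.example.org\r\n\r\n",  # no cookies, nothing to take
]

# Per-site list of the cookies that carry the login session (constructed;
# this is the role Firesheep's per-site "handlers" play).
SESSION_COOKIE_NAMES: Dict[str, Set[str]] = {
    "www.example-social.com": {"sess", "uid"},
    "mail.example.com": {"auth"},
}


def parse_request(raw: str) -> Tuple[str, Dict[str, str]]:
    """Split one raw HTTP/1.1 request into (host, {cookie name: value})."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers: Dict[str, str] = {}
    for line in head.split("\r\n")[1:]:  # skip the request line
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    cookies: Dict[str, str] = {}
    for part in headers.get("cookie", "").split(";"):
        name, _, value = part.strip().partition("=")
        if name:
            cookies[name] = value
    return headers.get("host", ""), cookies


def sidejack(captures: List[str]) -> Dict[str, Dict[str, str]]:
    """Harvest session cookies per host from sniffed plaintext requests.

    Replaying the returned cookies from the attacker's own browser logs
    them in as the victim without ever knowing the password."""
    stolen: Dict[str, Dict[str, str]] = {}
    for raw in captures:
        host, cookies = parse_request(raw)
        wanted = SESSION_COOKIE_NAMES.get(host, set())
        hit = {k: v for k, v in cookies.items() if k in wanted}
        if hit:
            stolen[host] = hit
    return stolen


def audit_response(headers: List[Tuple[str, str]], session_names: Set[str]) -> List[str]:
    """Check an HTTPS response for the settings that defeat sidejacking.

    A session cookie without the Secure attribute is attached by the browser
    to any plain-HTTP request to the site (an image, a redirect), which is
    all a sniffer needs; without HSTS the browser may still open the site
    over HTTP in the first place."""
    findings: List[str] = []
    hsts_ok = False
    for name, value in headers:
        lname = name.lower()
        if lname == "strict-transport-security":
            m = re.search(r"max-age=(\d+)", value)
            hsts_ok = bool(m) and int(m.group(1)) > 0
        elif lname == "set-cookie":
            jar = SimpleCookie()
            jar.load(value)
            for key, morsel in jar.items():
                if key not in session_names:
                    continue
                if not morsel["secure"]:
                    findings.append(f"{key}: missing Secure (sent over plain HTTP too)")
                if not morsel["httponly"]:
                    findings.append(f"{key}: missing HttpOnly (readable by injected script)")
    if not hsts_ok:
        findings.append("no usable Strict-Transport-Security header")
    return findings


if __name__ == "__main__":
    print("sniffer harvested:", sidejack(CAPTURED_HTTP))
    weak = [("Set-Cookie", "sess=abc123; Path=/"), ("Set-Cookie", "lang=en; Path=/")]
    hardened = [
        ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
        ("Set-Cookie", "sess=abc123; Path=/; Secure; HttpOnly"),
    ]
    print("weak response:", audit_response(weak, {"sess"}))
    print("hardened response:", audit_response(hardened, {"sess"}))
```

The point of the opt-in debate is visible in the audit: a site that serves pages over HTTPS but leaves its session cookie without the Secure attribute is still sidejackable the moment the browser fetches anything from it over plain HTTP, which is why the EFF argued for HTTPS by default rather than as a setting.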
“These features fundamentally bring Facebook up to the level of security present in many other social media environments that incorporate continuous HTTPS and various forms of CAPTCHAs, such as Google and LinkedIn,” said Walls of Gartner.
But Walls said the new social authentication feature may be less effective when the attacker is a person rather than a bot and knows the user well. “A friend that attempts to login to your profile may be able to correctly identify the photographs of your friends,” he said.
Facebook, Walls noted, is simultaneously improving security and privacy and driving controversy over what privacy means in modern societies. However, social media is merely an extension of social practices that people have been carrying out for thousands of years, he said.
For decades people have relied on obscurity to conceal private data. An individual’s birthday, age, dating history and social insurance number, for instance, are not really private; they are known to a few select people.
“Social networks simply expand the number of people with access to the data,” said Walls.
There is also the problem of the authenticity of user data within Facebook, he said.
Services such as Facebook Connect depend on the accuracy and validity of user information within Facebook, but a multitude of user profiles carry fictitious names.
Any high-security process (such as online banking) requires a user database that is reliably accurate and up-to-date.
“Facebook is positioning itself to leverage users’ social graphs to provide cloud authentication services (with features like Facebook connect and social authentication), but the viability of this service is limited by the corruption within the Facebook user database,” said Walls.