Facebook Security

Facebook Launches Social Login and HTTPS 273

Posted by samzenpus
from the secure-friend-request dept.
dkd903 writes "Facebook has introduced two new features. First is a really innovative way to verify real users rather than using CAPTCHAS. Using the Social Login feature (or Social Authentication as Facebook calls it), users will be shown a few pictures of their friends and then they will be asked to name the person in those photos. They've also launched HTTPS. The company says: 'Starting today we’ll provide you with the ability to experience Facebook entirely over HTTPS. You should consider enabling this option if you frequently use Facebook from public Internet access points found at coffee shops, airports, libraries or schools.'"

  • by nospam007 (722110) * on Wednesday January 26, 2011 @04:56PM (#35013206)

    News at 11.

    • Re: (Score:3, Informative)

      HTTPS at facebook's scale is not insignificant.
      • by Enry (630) <enryNO@SPAMwayga.net> on Wednesday January 26, 2011 @05:02PM (#35013272) Journal

        Wait, what?

        All you're talking about is scale. Instead of having a regular HTTP site, you now have HTTPS sites, and perhaps a few more to handle the load. HTTPS is not the CPU hog it was 10 years ago, and HTTPS is not some obscure technology no one uses. Wikipedia offers HTTPS, Google offers HTTPS. What makes it so difficult for Facebook to do the same?

        • by severoon (536737) on Wednesday January 26, 2011 @06:08PM (#35014172) Journal
          Of course, social login won't last long when they realize most of their users can't ID most of the people in their "friend" list.
      • by icebike (68054) on Wednesday January 26, 2011 @05:20PM (#35013560)

        One thing FaceBook has going for it is that Https impact is far less significant as a percentage of time and actual server loading on sites where content can't be (or isn't typically) cached, and delivery is more than a few words.

        Setup is expensive, but once negotiated data transmission is not that bad.

        Fetching a tweet would really hurt under ssl, but a facebook page is usually fairly significant in size. Making lots of short requests over HTTPS will be quite a bit slower than HTTP, but if you transfer a lot of data in a single request, the difference will be insignificant. If Facebook implements http keep-alive on https connections you should be able to reuse the connection.

        Yes the handshake is longer (usually 5 traverses vs 2). We are talking about 200ms vs 500ms for the first connection. But during that time the web server isn't having to pound content down the pipe so it might not be as bad as it sounds.

        • by afidel (530433)
          Twitter would only have a significant issue for those clients with a broken stack, HTTP1.1 means they can open the connection once and leave it open for the AJAX piece polling in the background.
      • by nospam007 (722110) *

        On a sidenote as I just notice when reading your post:
        HTTPS seems to be working on /. again with the new 'design'.

      • Since FB is so heavily load balanced I would expect that they're using SSL dedicated modules on their load balancing solution and still running their servers HTTP. Since they didn't care about privacy enough to use SSL until it became a PR issue, I doubt they care too much about encryption on their internal network.

        • Their internal network is an insignificant threat. It's internal and they probably have access to everything anyway.

          HTTPS will help with what's going over the wire. And even more with the wireless. A ton of options for filtering, eavesdropping, snooping and altering have just vanished from the bad guys' menu. It's not going to help with keyloggers or webcams pointed on keyboards on cybercafes, but other than that, it's fine.

          Introduce the general population to the concept of "encrypt everything, just because

    • by Aerorae (1941752) on Wednesday January 26, 2011 @05:02PM (#35013274)

      Breaking Development! Facebook introduces HTTPS after CEO Mark Zuckerberg's facebook account is hacked!!!

      • HTTPS has been available for longer than this, just not as an option in the FB Account settings.

        The "HTTPS-Everywhere" extension for Firefox (by the EFF), has had Facebook in it since the initial release, if I remember properly.

  • by XanC (644172) on Wednesday January 26, 2011 @05:00PM (#35013240)

    I'm able to change the protocol to https for any page, successfully. But all the links on that page point back to http. So... That's pretty limited https support.

    • Re:Links wrong (Score:5, Informative)

      by Jugalator (259273) on Wednesday January 26, 2011 @05:06PM (#35013352) Journal

      For "persistent https", I think you have to enable the new option in Account Settings -> Account Security.

      I saw that one in a screenshot, but that option doesn't seem to be rolled out here yet, although I am able to manually type in "https://" in front of URLs. However, as you say, that only leads to using https temporarily.

      • I don't have that option yet, must be rolling it out I guess.

        • by Tynin (634655)
          Just had my wife check her account (she does enough FB'ing for the both of us) and she doesn't have the option yet either.
      • I noticed that if you are using Firefox 4 betas/Minefield nightly builds, they use HTTP Strict Transport Security to good effect. Facebook is always HTTPS, including its sub-domains. Other browsers tend to go back to HTTP once you navigate away from the home page, or load unencrypted images and videos while the code is encrypted.
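Added example, not part of the original thread: a short Python audit of the two HTTPS gaps described in the comments above (links on an HTTPS page that point back to http, and what an HSTS policy does and does not upgrade). The host names, header value and HTML are constructed sample data, and `audit` is a hypothetical helper name.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# (tag, attribute) pairs fetched automatically vs. followed on click/submit.
SUBRESOURCES = {("img", "src"), ("script", "src"), ("iframe", "src"),
                ("link", "href"), ("video", "src")}
NAVIGATION = {("a", "href"), ("form", "action")}


def parse_hsts(value):
    """Parse a Strict-Transport-Security value; None if absent or not enforcing."""
    if not value:
        return None
    max_age, include_sub = None, False
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name, arg = name.strip().lower(), arg.strip().strip('"')
        if name == "max-age":
            if not (arg.isascii() and arg.isdigit()):
                return None
            max_age = int(arg)
        elif name == "includesubdomains":
            include_sub = True
    if not max_age:  # directive missing, or max-age=0 which clears the policy
        return None
    return {"max_age": max_age, "include_subdomains": include_sub}


class InsecureRefScanner(HTMLParser):
    """Collect references that resolve to plain http:// from an HTTPS page."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.mixed_content = []     # loaded without user action
        self.downgrade_links = []   # take the user back to HTTP

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if not value:
                continue
            # Relative and protocol-relative URLs inherit the page's scheme.
            target = urljoin(self.page_url, value)
            if urlsplit(target).scheme != "http":
                continue
            if (tag, name) in SUBRESOURCES:
                self.mixed_content.append(target)
            elif (tag, name) in NAVIGATION:
                self.downgrade_links.append(target)


def audit(page_url, headers, html):
    """Report plaintext references and which ones HSTS would not upgrade."""
    scanner = InsecureRefScanner(page_url)
    scanner.feed(html)
    lowered = {k.lower(): v for k, v in headers.items()}
    hsts = parse_hsts(lowered.get("strict-transport-security"))
    host = urlsplit(page_url).hostname

    def upgraded(url):
        # An HSTS-aware browser rewrites http:// only for hosts the policy covers.
        target = urlsplit(url).hostname or ""
        if hsts is None:
            return False
        return target == host or (
            hsts["include_subdomains"] and target.endswith("." + host))

    refs = scanner.downgrade_links + scanner.mixed_content
    return {"hsts": hsts,
            "downgrade_links": scanner.downgrade_links,
            "mixed_content": scanner.mixed_content,
            "still_plaintext": [u for u in refs if not upgraded(u)]}


# Constructed sample page: one relative link, one http link to the same host,
# one http image on a sibling host, one protocol-relative script.
PAGE_URL = "https://www.social.example/home"
SAMPLE_HTML = """
<a href="/settings">Settings</a>
<a href="http://www.social.example/profile">Profile</a>
<img src="http://static.social.example/photo.jpg">
<script src="//www.social.example/app.js"></script>
"""
```

With a policy set only by the `www` host, the image on the sibling `static` host is still fetched in plaintext, which is why the policy has to be served from the parent domain to cover every sub-domain.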

  • Problem (Score:5, Interesting)

    by girlintraining (1395911) on Wednesday January 26, 2011 @05:00PM (#35013248)
    Problem: A lot of what people tag as me is to get my attention, not because it IS me. I got locked out of my account for about a week because of this mis-feature, and when I did get back in, I had to spend about three hours removing tags of things like trees, the sun, burgers, and lots of other stuff.... now it works. But the solution fails because it makes an assumption that isn't always true.
    • by Nadaka (224565)

      Doesn't removing a photo tag on facebook make it so that the friend that tagged you can never tag you in a photo again? Or am I misremembering that feature?

      • by Jesse_vd (821123)
        I believe it just prohibits anyone from re-tagging you in that particular picture .....where is my submit button?
      • by vlueboy (1799360)

        I think that's right. The problem is that normally pictures come in groups, and they can just as easily tag you in the next photo from that shoot.

        My mother learned the value of not discouraging ( funny | political | informational purposes ) tagging when the profile changed recently, and there were "troublesome" randomly selected pictures in her top 5 preview*.

        To fix it, she showed me her "others tagged me" list and there were 90 pictures that she then chose to not bother fixing --typical of non-geeks who b

    • by Bigbutt (65939)

      I just started having this happen to me. One of the idiot meme things (the wikipedia random page title + google random image for an album cover). Someone tagged me in it which took a couple of views to figure out what was going on. I immediately hid their status'.

      Since I have a "Local Business" (forum status page), I have almost 60 "friends" who I wouldn't recognize if they came up and said "hey".

      This will work well. I'll get locked out and never be tempted to log in again.

      [John]

  • Today, history has been made. A social networking site actually listened to its users and implemented a bit of security. *astonished*

  • by davidwr (791652) on Wednesday January 26, 2011 @05:01PM (#35013270) Homepage Journal

    All web sites that allow logins should REQUIRE or at least STRONGLY ENCOURAGE HTTPS from unencrypted WiFi hotspots such as those "found at coffee shops, airports, libraries or schools."

    I may trust McStarCoffeeInn not to snoop my traffic but I do NOT trust the guy in the next booth or room much less the guy in the parking lot.

    The traveling public needs to pressure these companies - especially those that charge for it like some hotels - to switch to encrypted WiFi.

    • All web sites that allow logins should REQUIRE or at least STRONGLY ENCOURAGE HTTPS from unencrypted WiFi hotspots such as those "found at coffee shops, airports, libraries or schools."

      No, all websites that allow logins should require at least HTTPS (and preferably HTTPS with certificate verification in both directions rather than just one, though getting to the point where that is practical is still a ways off) from any logon not on the server's local network. Otherwise, credentials are travelling unencrypted over the public internet -- which means a bunch of computers that aren't controlled by either the owner of the account or the owner of the system they are logging in to, any of whom

    • by vlueboy (1799360)

      I see the value of this, but doubt that anyone but the RIAA and advertisers really go through the trouble of making IP databases. Furthermore, our currently poor geolocation means that if your local mom-pops coffeeshop has WIFI, they'll be using DSL or cable dynamic IP's. Geolocation services in big cities like New York give you nothing more than a city address faaar from your real place. I would imagine that Starbucks internet nats wifi users behind some concentrator's address, and generates a similar trac

    • Sniffers work on wired networks as well.

      Really, it's as simple as this: if your website has a login form, it should be served over HTTPS, period.

  • Who are you? (Score:3, Insightful)

    by Anonymous Coward on Wednesday January 26, 2011 @05:02PM (#35013278)

    The "social login" is going to cause issues for people who have no idea what their "friends" look like. Or with friends with other subjects in their pictures.

  • Picture thing (Score:5, Insightful)

    by stoolpigeon (454276) * <bittercode@gmail> on Wednesday January 26, 2011 @05:02PM (#35013282) Homepage Journal

    The photo thing has been around for a long time and it sucks. I travel and have wanted to connect to facebook when in a different country, and it decides I need to prove who I am. So I have to match a certain number of pictures with the right person. The summary makes it sound clever and good, it is anything but.
     
    It's been a few months since last time I did it, so I don't remember exact numbers but I had to get something like 4 out of 5 right. Then they start showing photos, and there is a list of 4 or 5 friend names below. It is up to you to pick the right friend to go with the photo.
     
    What's the biggest problem? Well, you don't get pictures of the person's face as the summary says. What you get are pictures tagged with that person's name. The first one I did was their face, and I thought, "o.k. - no problem.".
     
    The next one was some kid. A relative of one of my friends? A neighbor of one of my friends? Shoot could have even been one of my friends as a kid, I have no idea. All I know is I've got a 1 in 4 chance of guessing who this belongs to and if I'm wrong I've just used up my one wrong answer.
     
    Next photo is an inanimate object. I don't remember what it was any more. A pie or some food of some kind I think. Which friend is this?! I don't know. Best guess it is something one of my friends ate once. Who does it belong to? Once again, I haven't the slightest, but as you can guess, I wasn't allowed to log in.
     
    A smaller problem is that I am not super close friends with every one of my friends on facebook. My barrier to entry on the friendship front is pretty low. I'm friends with people I knew in jr. high, highschool, worked with once, went to church with them years ago, etc. I know them but am not intimately close with them. Facebook is a good way to keep in touch while maintaining a comfortable distance. But will I be able to identify them in every pic of themselves they've uploaded to facebook? I doubt it. Not to mention the fad a bit back to change your profile pic to a cartoon character. I'll bet dollars to donuts those go into the rotation. Which of your friends was underdog and which was optimus prime? I don't remember.
     
    It's a horrid system. A co-worker of mine on the same trip ran into it too. He mocked me for not knowing my friends well enough and then almost put his laptop through a window when he couldn't log into facebook. He had almost an identical experience, a picture of some 6 or 7 year old kid he didn't know and a bike or something.

    • Haven't actually seen this system in action myself, but you've mentioned a lot of the issues I first thought about - pets, kids, inanimate objects for pictures and whatnot. Group pictures seem like they could be a problem, too. With two friends getting married last year, a lot of pictures they or I are tagged in are from weddings, and some of these pictures might have five people who I'm friends with on Facebook in them. I'm guessing if Alice and Bob are both tagged in a picture, either would be a correc
    • As soon as I read the summary I thought about this. People do weird stuff with tagging, I know some people that will tag someone not in the picture as a way of telling that person that they should look at it and like you pointed out people will tag pictures without people even in it.

      That kind of renders the feature less than optimal. They are trying to rely on data that by its very nature is unreliable.

      Isn't there some way to put your friends into groups on FB? If so, if you could set the feature to only draw

      • by vlueboy (1799360)

        I know some people that will tag someone not in the picture as a way of telling that person that they should look at it and like you pointed out people will tag pictures without people even in it.

        FB should completely throw out, or weigh significantly fewer pictures that their database is fully aware are "tagged by your friends." Obviously YOU have better pictures of yourself tagged by you. Perhaps FB's own research revealed a lot of lurkers and dangerously favors the potential of truth in their "crowdsourcing" the work of authenticating those faceless lurkers. But even that can be corrected by analyzing the special cases and reducing the problem to just those who hide their personal face. So... why

    • by metamatic (202216)
      It's going to ruin the Facebook experience for people like Oliver Sacks [oliversacks.com] who suffer from face blindness [cbsnews.com].
    • by vlueboy (1799360)

      Next photo is an inanimate object

      That is a Facebook coder crime: they have code that detects human faces that is not being used nearly enough.
      That code even nags when too many of your pictures remain untagged. It's silly that they don't use it in this important security check, since all your FB friends must have human faces... unless they used said cartoon profiles or you've friended someone's pet ;)

    • My first thought was how often people on my list change their names. I could be "Amber J" this morning and be "Badasx Ambie" later tonight when you try to log on. Sometimes I have to click on people's picture just to know who they are because their new name has nothing to do with their real name anymore.
  • Well, there's Stinky, "Horse", Knocks, Poker-Face, and Weed. How does that help me log in?
  • by hellkyng (1920978) on Wednesday January 26, 2011 @05:03PM (#35013306)

    This social login is supposed to increase security? What about privacy. It seems like this feature can be leveraged to harvest pics from facebook, not that they weren't already available to the highest bidder anyway. Hopefully they have something in place to prevent harvesting...

  • by Anonymous Coward on Wednesday January 26, 2011 @05:04PM (#35013318)

    As a coincidental bonus of this new CAPTCHA, Facebook has nearly every photo stored in their library face-tagged for them, using the most powerful and accurate computers in existence - us.

  • I'm curious about how the "Social Authentication" feature will play out, especially for the facebook users who either view the friends list as a sort of competition or who play games that reward users who have many friends playing the game and therefore add friends by the truckload without having any real idea of who they are. There's probably a lot of people playing the latest Zynga game or whatever is popular these days, with an extremely large list of "friends" who they don't know and don't want to know, othe
  • More than half my friend list consists of people that I don't really know. Some are gamers who help me with social games that offer benefits to players that have a lot of friends who play the same game. Also, it seems to have become a fad to use weird aliases instead of real names.
  • I thought it was just a clever way for us to do work training their facial recognition algorithm ... Maybe a huge conspiracy to create a government identification database!

  • It took a hacker, to force facebook into being more secure yet. Maybe someone sniffed the ports earlier today and that is how they got into Zuckerboy's account or fansite or whatever...

  • by digitalsushi (137809) <slashdot@digitalsushi.com> on Wednesday January 26, 2011 @05:12PM (#35013436) Journal

    i cant share my wife's account anymore. i gotta make my own now.

    well, i needed to make one for myself just to untag my name from my ugly mug anyways. either way the machine is going to eat me. *splat* i give up. there's no way to avoid them. people i see can take photos of me and label me. i cant undo it without logging in. if i log in, it is still stored.

    it's a new world i guess.

  • I had to name friends one time for some stupid facebook game that I installed. I couldn't name more than half of them from photos. Probably 1/3rd were people I didn't know that well who friended me ("sure, whatever -- click") and 1/3rd were people I knew but whom I couldn't identify based on their profile photos. => All in all, a novel but (in practice) rather stupid idea.
    • by Tukz (664339)

      I keep a strict policy of only having people I actually know, and interact with on a regular basis, on my friends list.
      The entire "I got a gazillion friends!" craze completely eludes me.

  • Remember when... (Score:5, Insightful)

    by Haedrian (1676506) on Wednesday January 26, 2011 @05:15PM (#35013486)

    Someone had the 'brilliant' idea of everyone replacing their face with cartoon images from their childhood?

    They pull that sort of thing now, and most people won't be able to log in...

  • The good news is that this will provide an incentive for producing low-cost high-quality face recognition software. There will also be face recognition outsourcing services.

    And, if the Facebook account is entirely fake (created, perhaps, by Facebook Demon), this won't slow down login, since the program has already seen its own pictures.

    • by omnichad (1198475)

      Furthermore, if those pictures are already public - as they'd better be if they're going to be shared by someone who only knows a username, they're being indexed by search engines. Just match up the photo with a search for similar images.

  • > asked to name the person in those photos

    It's also a good way to entice people to put names on the faces in their photos.

    Other security suggestions include verification via mobile phone.... which just so happens to be a good way to entice people to put their mobile phone number into their profile.

    Why does every feature sold as a security enhancement involve increasing the amount of personal info you hand over?

    • by crush (19364)
      Even better, it creates an evolutionary pressure for spammers to invest in databases of people's faces linked to names and associated face-recognition technology. Brilliant. Something else for which to thank the Facebook tards.
  • My congratulations (Score:5, Insightful)

    by Carnildo (712617) on Wednesday January 26, 2011 @05:24PM (#35013614) Homepage Journal

    My congratulations to the Facebook developers. They've made a website that faceblind [wikipedia.org] people like me cannot use -- I didn't think that was possible.

    I wonder if I can sue them under the Americans with Disabilities act...

    • by Velex (120469)

      I wonder if I can sue them under the Americans with Disabilities act...

      Not any more than a transgender person could sue Microsoft for enforcing apparent birth sex for avatar gender on XBox Live.

  • I was traveling recently and it had me do the social login thing because I was outside the usual range of IPs. I actually liked it. It was a no-brainer for me to do, and very few people that weren't me could have done it correctly, since the pictures of people were from all over my social map. +1 to Facebook for this one.
  • Which kind? Close ones? The old schoolmates that look totally different now? Some people that you only know thru internet, never saw in real life? The anonymous faces that some collect as "friends" just to make numbers? Any of the variations of the word used in the South Park episode about facebook?

    The problem with facebook is that everyone of them are just friends, not a lot of deepness there, basically all in the same bag no matter what they are, And add to that that their identifying picture could be a

  • My 15 year old daughter, and probably all other teens/tweens out there, likes to "collect" friends, whether she really knows them or not. Having tons of contacts on FB affords her bragging rights in her circle of real friends. So, if she has to name some of them before being allowed to access her home page, then I guess I can remove the time restriction to that domain from my firewall, cause she'll never get in again.
    • by fermion (181285)
      They may hate having to name 'friends' but they will love having the ability to spend the day on facebook at school. I suspect the real reason the HTTPS was implemented was to keep kids off facebook at school. I have no problem with kids spending some time in school on social networks, but if we are honest we will admit that most kids, even teens, do not have maturity to make a choice between immediate gratification and hard work. Even adults have this problem, which is why saw that Facebook was oft
  • This is a terrible idea for a number of reasons. First of all, how many people's friends actually simply tag themselves in photos of themselves. People tag themselves in all sorts of things, many of which are not themselves. Someone might tag themselves as George Washington, or the Mona Lisa or even just random things like a corner of a photo of a concert they attended. Secondly even if that was 100% perfect the fact still remains that the greatest threat to the average person's privacy isn't the guy who pr
    • by danwesnor (896499)
      It's very common among my friends to use a parent's name when tagging children. Am I to be expected to be able to ID all of my friends' kids? Mark needs to come out of Zuckerland and see how people actually use his product.
  • like, you know, all the little teeny boppers that hack their 'friends' facebook pages?

    what if the hacker is known to me/knows the same people I do?

    Ya, real good solution-- Since before the internet was widely in use~ with my very first bank account where I could call in and ID myself to the bank for account changes, ~ my 'mothers maiden name' has ALWAYS been something my irresponsible brother does not happen to know.

  • I'm curious: does turning on "do everything over https" end up breaking third-party clients, like some of the iPad clients or like the Facebook upload plugins for some photo software?

    Also, how does it interact with the ajaxy "like" buttons on third-party web sites?

    (The option hasn't been rolled out to me yet, so I can't check on the answers myself yet.)

  • I've been using HTTPS for Facebook for quite a while (when accessing over wireless, or from work,) and they've slowly been making it less obnoxious. The certificate errors disappeared a few weeks ago, but there is still no IM via HTTPS. And if you are logged out and visit their site via HTTPS, it punts you back to the regular HTTP when you log in, so you have to go manually re-S the connection.

    • by Tukz (664339)

      I would assume that this announcement means that Facebook will now be fully compatible in HTTPS mode.
      If not, nothing really changed, as you said yourself, it's been possible to use Facebook in HTTPS for quite some time now.
      Just IM isn't working in HTTPS.

  • Half of my "friends" have a picture of their child instead of themselves for their profile picture. One couple, I kid you not, both have the exact same picture of their baby in their profile. If it gets around to pictures where someone's been tagged, God forbid, it'll be idiots who tagged me so that I'll see the picture because they're too stupid to hit "share", or the cartoon panels with "the babe, the ditz, the idiot, etc." where all their friends are tagged.

    Holy shit, facebook makes people mouth-breath
