Facebook Launches Social Login and HTTPS
dkd903 writes "Facebook has introduced two new features. First is a really innovative way to verify real users rather than using CAPTCHAS. Using the Social Login feature (or Social Authentication as Facebook calls it), users will be shown a few pictures of their friends and then they will be asked to name the person in those photos. They've also launched HTTPS. The company says: 'Starting today we’ll provide you with the ability to experience Facebook entirely over HTTPS. You should consider enabling this option if you frequently use Facebook from public Internet access points found at coffee shops, airports, libraries or schools.'"
Facebook discovers HTTPS (Score:3, Insightful)
News at 11.
Re: (Score:3, Informative)
Re:Facebook discovers HTTPS (Score:4, Interesting)
Wait, what?
All you're talking about is scale. Instead of having a regular HTTP site, you now have HTTPS sites, and perhaps a few more to handle the load. HTTPS is not the CPU hog it was 10 years ago, and HTTPS is not some obscure technology no one uses. Wikipedia offers HTTPS, Google offers HTTPS. What makes it so difficult for Facebook to do the same?
Re:Facebook discovers HTTPS (Score:4, Insightful)
Re: (Score:2)
Go to Account, Account settings, Download your information.
It's multi choice, and as far as I can tell does not have a time limit and has unlimited retries. Not the most secure really.
This method of verifying users are who they say they are has been there at least for a few weeks. It is very annoying, I ended up deleting all my mafia wars friends =(. Good riddance I guess.
Re: (Score:3)
Re:Facebook discovers HTTPS (Score:5, Interesting)
Again, what scale? Enabling https is only a few % different in CPU time for handling the crypto overhead. I've done the math. Based on any reasonably modern server machine (say a 1U dual socket quad-core) and facebook's quoted query rate it would only require an extra half rack of CPUs to turn on https for all facebook pages, including images.
Re: (Score:2)
HTTPS is the modern equivalent of an on/off switch. It doesn't matter if it's for the country of USA or a single company, it is still insignificant beyond "they turned on HTTPS".
It's an authentication thing, not a total revamp of a website.
So scale doesn't mean shit, jackass.
Re: (Score:3)
There was an article recently posted here talking about Facebook deployment methods. One of the points was that they rolled out features to small subsets of their users. Given that it only launched today, if you were using it before, it means you were part of a select group.
Though I do agree that SSL is not a big news story.
Re: (Score:3)
Https adds very little overhead. Scale in this case is meaningless compared to the rest of Facebook's operations. You are either trolling, an idiot, or both. Or you were just trying to be funny and failed.
Re: (Score:3, Informative)
For what little it may be worth, I've been using HTTPS w/Facebook for *months*. It's been available for general use for quite some time, it's just that no one bothered trying it. And as you pointed out, the only thing that didn't work (and still doesn't) is chat.
This isn't really news at all. It's just "news" because of what happened to Zuckerberg.
Re:Facebook discovers HTTPS (Score:5, Informative)
One thing FaceBook has going for it is that Https impact is far less significant as a percentage of time and actual server loading on sites where content can't be (or isn't typically) cached, and delivery is more than a few words.
Setup is expensive, but once negotiated data transmission is not that bad.
Fetching a tweet would really hurt under ssl, but a facebook page is usually fairly significant in size. Making lots of short requests over HTTPS will be quite a bit slower than HTTP, but if you transfer a lot of data in a single request, the difference will be insignificant. If Facebook implements http keep-alive on https connections you should be able to reuse the connection.
Yes the handshake is longer (usually 5 traverses vs 2). We are talking about 200ms vs 500ms for the first connection. But during that time the web server isn't having to pound content down the pipe so it might not be as bad as it sounds.
Re: (Score:2)
Re: (Score:2)
On a sidenote as I just notice when reading your post: /. again with the new 'design'.
HTTPS seems to be working on
Re: (Score:3)
Re: (Score:2)
Since FB is so heavily load balanced I would expect that they're using SSL dedicated modules on their load balancing solution and still running their servers HTTP. Since they didn't care about privacy enough to use SSL until it became a PR issue, I doubt they care too much about encryption on their internal network.
Re: (Score:3)
Their internal network is an insignificant threat. It's internal and they probably have access to everything anyway.
HTTPS will help with what's going over the wire. And even more with the wireless. A ton of options for filtering, eavesdropping, snooping and altering have just vanished from the bad guys' menu. It's not going to help with keyloggers or webcams pointed on keyboards on cybercafes, but other than that, it's fine.
Introduce the general population to the concept of "encrypt everything, just because
Re:Facebook discovers HTTPS (Score:5, Funny)
Breaking Development! Facebook introduces HTTPS after CEO Mark Zuckerberg's facebook account is hacked!!!
Re: (Score:2)
HTTPS has been available for longer than this, just not as an option in the FB Account settings.
The "HTTPS-Everywhere" extension for Firefox (by the EFF), has had Facebook in it since the initial release, if I remember properly.
Re:Facebook discovers HTTPS (Score:5, Insightful)
Yeah, the photo ID thing is iffy. If photos are to be believed, quite a few of my friends appear to be very young babies. Another bunch are cartoon characters.
Re: (Score:2)
Re: (Score:2)
Re: (Score:3)
Even if it's a real photo, surely that is susceptible to attack through something like TinEye?
Links wrong (Score:3)
I'm able to change the protocol to https for any page, successfully. But all the links on that page point back to http. So... That's pretty limited https support.
Re:Links wrong (Score:5, Informative)
For "persistent https", I think you have to enable the new option in Account Settings -> Account Security.
I saw that one in a screenshot, but that option doesn't seem to be rolled out here yet, although I am able to manually type in "https://" in front of URL's. However, as you say, that only leads to using https temporarily.
Re: (Score:2)
I don't have that option yet, must be rolling it out I guess.
Re: (Score:2)
Re: (Score:2)
I noticed that if you are using Firefox 4 betas/Minefield nightly builds, they use HTTP Strict Transport Security to good effect. Facebook is always HTTPS, including its sub-domains. Other browsers tend to go back to HTTP once you navigate away from the home page, or load unencrypted images and videos while the code is encrypted.
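The difference the comments above describe, between a manually typed https:// page whose links fall back to http:// and a browser that has stored an HTTP Strict Transport Security policy and stays on HTTPS across sub-domains, can be modelled in a few lines. This is an added example, not part of the thread and not Facebook's or any browser's code; `HstsStore`, the host names, the links and the header value are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, urlunsplit


def parse_hsts(value):
    """Parse a Strict-Transport-Security value (RFC 6797); None if invalid."""
    policy = {"max_age": None, "include_subdomains": False}
    seen = set()
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name, arg = name.strip().lower(), arg.strip().strip('"')
        if not name:
            continue
        if name in seen:              # a repeated directive voids the header
            return None
        seen.add(name)
        if name == "max-age":
            if not re.fullmatch(r"[0-9]+", arg):
                return None
            policy["max_age"] = int(arg)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        # unknown directives are ignored
    return policy if policy["max_age"] is not None else None


class HstsStore:
    """Hypothetical minimal model of a browser's HSTS host list."""

    def __init__(self):
        self._hosts = {}              # host -> (expiry time, include_subdomains)

    def note_response(self, url, headers, now):
        parts = urlsplit(url)
        if parts.scheme != "https" or not parts.hostname:
            return                    # the header is ignored over plain HTTP
        lowered = {k.lower(): v for k, v in headers.items()}
        policy = parse_hsts(lowered.get("strict-transport-security", ""))
        if policy is None:
            return
        if policy["max_age"] == 0:    # max-age=0 deletes the stored policy
            self._hosts.pop(parts.hostname, None)
        else:
            self._hosts[parts.hostname] = (now + policy["max_age"],
                                           policy["include_subdomains"])

    def covers(self, host, now):
        labels = host.lower().split(".")
        for i in range(len(labels)):
            entry = self._hosts.get(".".join(labels[i:]))
            # exact match always counts; a parent only with includeSubDomains
            if entry and entry[0] > now and (i == 0 or entry[1]):
                return True
        return False

    def rewrite(self, url, now):
        """Return the URL the browser would actually request."""
        parts = urlsplit(url)
        if parts.scheme != "http" or not parts.hostname:
            return url
        if not self.covers(parts.hostname, now):
            return url
        port = parts.port
        netloc = parts.hostname if port in (None, 80) else f"{parts.hostname}:{port}"
        return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))


# Constructed sample: links found on a page that was fetched over HTTPS.
PAGE_LINKS = [
    "http://social.example/home.php",
    "http://photos.social.example/img/1.jpg",
    "http://cdn.other.example/lib.js",
]


def requested_urls(store, now):
    return [store.rewrite(link, now) for link in PAGE_LINKS]


if __name__ == "__main__":
    store = HstsStore()
    print("no policy stored:", requested_urls(store, now=0))
    store.note_response("https://social.example/",
                        {"Strict-Transport-Security": "max-age=3600; includeSubDomains"},
                        now=0)
    print("policy stored:   ", requested_urls(store, now=10))
```

Without a stored policy every http:// link is requested as written; once the policy is stored, the same links on the covered host and its sub-domains are upgraded before any request leaves the browser, until the policy expires.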
Problem (Score:5, Interesting)
Re: (Score:2)
Doesn't removing a photo tag on facebook make it so that the friend that tagged you can never tag you in a photo again? or am I misremembering that feature?
Re: (Score:2)
Re: (Score:2)
I think that's right. The problem is that normally pictures come in groups, and they can just as easily tag you in the next photo from that shoot.
My mother learned the value of not discouraging ( funny | political | informational purposes ) tagging when the profile changed recently, and there were "troublesome" randomly selected pictures in her top 5 preview*.
To fix it, she showed me her "others tagged me" list and there were 90 pictures that she then chose to not bother fixing --typical of non-geeks who b
Re: (Score:2)
I just started having this happen to me. One of the idiot meme things (the wikipedia random page title + google random image for an album cover). Someone tagged me in it which took a couple of views to figure out what was going on. I immediately hid their status'.
Since I have a "Local Business" (forum status page), I have almost 60 "friends" who I wouldn't recognize if they came up and said "hey".
This will work well. I'll get locked out and never be tempted to log in again.
[John]
this will never work (Score:2)
jackass
stoned
douchebag
bitch
slut
dick
asshole
drunk
party
Re: (Score:3)
You're friends with somebody who you don't really know (like an ex-classmate) and therefore forget their name when the photo is shown to you.
I'm sure they could show pictures based on activity. Do you write on this person's wall often? Do you comment on their photos, etc.? If so, then there's a reasonable chance that you know what the person looks like.
Re: (Score:2)
They won't keep your wife from guessing and breaking into your account. There's an equally reasonable chance that besides her, our "friends" trying to log in as us notice our public "wall" activity with that person enough to have seen their name exploiting the "allow anyone in the world to see their full name... and friends-of-friends to even hear their interactions" defaults.
That's as "obscure" as organizations "protecting" our credit card from dedicated scammers behind "secure" questions regarding public
Re: (Score:2)
Re: (Score:2)
It's a good thing(tm)! (Score:2)
Today, history has been made. A social networking site actually listened to its users and implemented a bit of security. *astonished*
Re:It's a good thing(tm)! (Score:4, Informative)
They can hardly sell your personal information if a guy at starbucks can sniff it from you can they?
Stop information piracy! Buy facebook!
All but mandatory for "free" wifi (Score:3, Interesting)
All web sites that allow logins should REQUIRE or at least STRONGLY ENCOURAGE HTTPS from unencrypted WiFi hotspots such as those "found at coffee shops, airports, libraries or schools."
I may trust McStarCoffeeInn not to snoop my traffic but I do NOT trust the guy in the next booth or room much less the guy in the parking lot.
The traveling public needs to pressure these companies - especially those that charge for it like some hotels - to switch to encrypted WiFi.
Should be true everywhere, not just free WiFi (Score:2)
All web sites that allow logins should REQUIRE or at least STRONGLY ENCOURAGE HTTPS from unencrypted WiFi hotspots such as those "found at coffee shops, airports, libraries or schools."
No, all websites that allow logins should require at least HTTPS (and preferably HTTPS with certificate verification in both directions rather than just one, though getting to the point where that is practical is still a ways off) from any logon not on the server's local network. Otherwise, credentials are travelling unencrypted over the public internet -- which means a bunch of computers that aren't controlled by either the owner of the account or the owner of the system they are logging in to, any of whom
Re: (Score:2)
I see the value of this, but doubt that anyone but the RIAA and advertisers really go through the trouble of making IP databases. Furthermore, our currently poor geolocation means that if your local mom-pops coffeeshop has WIFI, they'll be using DSL or cable dynamic IP's. Geolocation services in big cities like New York give you nothing more than a city address faaar from your real place. I would imagine that Starbucks internet nats wifi users behind some concentrator's address, and generates a similar trac
Re: (Score:2)
Sniffers work on wired networks as well.
Really, it's as simple as this: if your website has a login form, it should be served over HTTPS, period.
Who are you? (Score:3, Insightful)
The "social login" is going to cause issues for people who have no idea what their "friends" look like. Or with friends with other subjects in their pictures.
Re: (Score:2)
Not to mention visually impaired users.
Or me, when I can't find my glasses.
Picture thing (Score:5, Insightful)
The photo thing has been around for a long time and it sucks. I travel and have wanted to connect to facebook when in a different country, and it decides I need to prove who I am. So I have to match a certain number of pictures with the right person. The summary makes it sound clever and good, it is anything but.
It's been a few months since last time I did it, so I don't remember exact numbers but I had to get something like 4 out of 5 right. Then they start showing photos, and there is a list of 4 or 5 friend names below. It is up to you to pick the right friend to go with the photo.
What's the biggest problem? Well, you don't get pictures of the person's face as the summary says. What you get are pictures tagged with that person's name. The first one I did was their face, and I thought, "o.k. - no problem.".
The next one was some kid. A relative of one of my friends? A neighbor of one of my friends? Shoot could have even been one of my friends as a kid, I have no idea. All I know is I've got a 1 in 4 chance of guessing who this belongs to and if I'm wrong I've just used up my one wrong answer.
Next photo is an inanimate object. I don't remember what it was any more. A pie or some food of some kind I think. Which friend is this?! I don't know. Best guess it is something one of my friends ate once. Who does it belong to? Once again, I haven't the slightest, but as you can guess, I wasn't allowed to log in.
A smaller problem is that I am not super close friends with every one of my friends on facebook. My barrier to entry on the friendship front is pretty low. I'm friends with people I knew in jr. high, highschool, worked with once, went to church with them years ago, etc. I know them but am not intimately close with them. Facebook is a good way to keep in touch while maintaining a comfortable distance. But will I be able to identify them in every pic of themselves they've uploaded to facebook? I doubt it. Not to mention the fad a bit back to change your profile pic to a cartoon character. I'll bet dollars to donuts those go into the rotation. Which of your friends was underdog and which was optimus prime? I don't remember.
It's a horrid system. A co-worker of mine on the same trip ran into it too. He mocked me for not knowing my friends well enough and then almost put his laptop through a window when he couldn't log into facebook. He had almost an identical experience, a picture of some 6 or 7 year old kid he didn't know and a bike or something.
Re: (Score:2)
Re: (Score:2)
As soon as I read the summary I thought about this. People do weird stuff with tagging, I know some people that will tag someone not in the picture as a way of telling that person that they should look at it and like you pointed out people will tag pictures without people even in it.
That kind of renders the feature less than optimal. They are trying to rely on data that by its very nature is unreliable.
Isn't there some way to put your friends into groups on FB? If so, if you could set the feature to only draw
Re: (Score:2)
I know some people that will tag someone not in the picture as a way of telling that person that they should look at it and like you pointed out people will tag pictures without people even in it.
FB should completely throw out, or weigh significantly fewer pictures that their database is fully aware are "tagged by your friends." Obviously YOU have better pictures of yourself tagged by you. Perhaps FB's own research revealed a lot of lurkers and dangerously favors the potential of truth in their "crowdsourcing" the work of authenticating those faceless lurkers. But even that can be corrected by analyzing the special cases and reducing the problem to just those who hide their personal face. So... why
Re: (Score:3)
Re: (Score:2)
Next photo is an inanimate object
That is a Facebook coder crime: they have code that detects human faces that is not being used nearly enough. ;)
That code even nags when too many of your pictures remain untagged. It's silly that they don't use it in this important security check, since all your FB friends must have human faces... unless they used said cartoon profiles or you've friended someone's pet
Re: (Score:3)
Re: (Score:2)
Interesting Idea. I'll give it some thought, though I'm one of those 'douches' so it might be a touch hypocritical.
I don't tag them as me though. Maybe people who post photos of kids and tag them as someone else are the real problem here. Then again, any of their friends can tag the photo in most cases. So it's tough to nail down the perpetrator.
Maybe you could mull it over and give me better criteria on who to unfriend?
Name my friends? (Score:2)
Am I missing something? (Score:5, Insightful)
This social login is supposed to increase security? What about privacy? It seems like this feature can be leveraged to harvest pics from facebook, not that they weren't already available to the highest bidder anyway. Hopefully they have something in place to prevent harvesting...
Anyone else sense ulterior motives? (Score:3, Interesting)
As a coincidental bonus of this new CAPTCHA, Facebook has nearly every photo stored in their library face-tagged for them, using the most powerful and accurate computers in existence - us.
Unknown "friends" (Score:2)
Won't work for me (Score:2)
Tagged pictures (Score:2)
I thought it was just a clever way for us to do work training their facial recognition algorithm ... Maybe a huge conspiracy to create a government identification database!
Who says hackers are bad... (Score:2)
It took a hacker, to force facebook into being more secure yet. Maybe someone sniffed the ports earlier today and that is how they got into Zuckerboy's account or fansite or whatever...
that's genius (Score:3)
i cant share my wife's account anymore. i gotta make my own now.
well, i needed to make one for myself just to untag my name from my ugly mug anyways. either way the machine is going to eat me. *splat* i give up. there's no way to avoid them. people i see can take photos of me and label me. i cant undo it without logging in. if i log in, it is still stored.
it's a new world i guess.
There's a problem with this. (Score:2)
Re: (Score:2)
I keep a strict policy of only having people I actually know, and interact with on a regular basis, on my friends list.
The entire "I got a gazillion friends!" craze completely eludes me.
Remember when... (Score:5, Insightful)
Someone had the 'brilliant' idea of everyone replacing their face with cartoon images from their childhood?
They pull that sort of thing now, and most people won't be able to log in...
Re: (Score:2)
My photo's still Pedobear.
Yet another image-based CAPTCHA scheme (Score:2)
The good news is that this will provide an incentive for producing low-cost high-quality face recognition software. There will also be face recognition outsourcing services.
And, if the Facebook account is entirely fake (created, perhaps, by Facebook Demon), this won't slow down login, since the program has already seen its own pictures.
Re: (Score:2)
Furthermore, if those pictures are already public - as they'd better be if they're going to be shared by someone who only knows a username, they're being indexed by search engines. Just match up the photo with a search for similar images.
From the horse's mouth... (Score:3)
http://blog.facebook.com/blog.php?post=486790652130&ref=mf [facebook.com]
entice people to put names on the faces (Score:2)
> asked to name the person in those photos
It's also a good way to entice people to put names on the faces in their photos.
Other security suggestions include verification via mobile phone.... which just so happens to be a good way to entice people to put their mobile phone number into their profile.
Why does every feature sold as a security enhancement involve increasing the amount of personal info you hand over?
Re: (Score:2)
My congratulations (Score:5, Insightful)
My congratulations to the Facebook developers. They've made a website that faceblind [wikipedia.org] people like me cannot use -- I didn't think that was possible.
I wonder if I can sue them under the Americans with Disabilities act...
Re: (Score:2)
I wonder if I can sue them under the Americans with Disabilities act...
Not any more than a transgender person could sue Microsoft for enforcing apparent birth sex for avatar gender on XBox Live.
Re: (Score:2)
I like it. (Score:2)
Re: (Score:2)
Fuckerburg, is that you? If so, sorry about your myspace login being hacked by Sarah Palin, or whatever.
Friends? (Score:2)
Which kind? Close ones? The old schoolmates that look totally different now? Some people that you only know thru internet, never saw in real life? The anonymous faces that some collect as "friends" just to make numbers? Any of the variations of the word used in the South Park episode about facebook?
The problem with facebook is that everyone of them are just friends, not a lot of deepness there, basically all in the same bag no matter what they are, and add to that that their identifying picture could be a
Teens will hate this (Score:2)
Re: (Score:2)
Terrible idea... (Score:2)
Re: (Score:2)
so, if I know the person I'm trying to hack (Score:2)
like, you know, all the little teeny boppers that hack their 'friends' facebook pages?
what if the hacker is known to me/knows the same people I do?
Ya, real good solution-- Since before the internet was widely in use~ with my very first bank account where I could call in and ID myself to the bank for account changes, ~ my 'mothers maiden name' has ALWAYS been something my irresponsible brother does not happen to know.
Does "turn on https" break third-party clients? (Score:2)
I'm curious: does turning on "do everything over https" end up breaking third-party clients, like some of the iPad clients or like the Facebook upload plugins for some photo software?
Also, how does it interact with the ajaxy "like" buttons on third-party web sites?
(The option hasn't been rolled out to me yet, so I can't check on the answers myself yet.)
HTTPS has been there for a long time, still no IM (Score:5, Interesting)
I've been using HTTPS for Facebook for quite a while (when accessing over wireless, or from work,) and they've slowly been making it less obnoxious. The certificate errors disappeared a few weeks ago, but there is still no IM via HTTPS. And if you are logged out and visit their site via HTTPS, it punts you back to the regular HTTP when you log in, so you have to go manually re-S the connection.
Re: (Score:2)
I would assume that this announcement means that Facebook will now be fully compatible in HTTPS mode.
If not, nothing really changed, as you said yourself, it's been possible to use Facebook in HTTPS for quite some time now.
Just IM isn't working in HTTPS.
stupid idea (Score:2)
Half of my "friends" have a picture of their child instead of themselves for their profile picture. One couple, I kid you not, both have the exact same picture of their baby in their profile. If it gets around to pictures where someone's been tagged, God forbid, it'll be idiots who tagged me so that I'll see the picture because they're too stupid to hit "share", or the cartoon panels with "the babe, the ditz, the idiot, etc." where all their friends are tagged.
Holy shit, facebook makes people mouth-breath
Re: (Score:2)
Serenity now! SERENITY NOW! [wikipedia.org]
Re:Security, Now? (Score:5, Informative)
The evidence that accounts were being hacked remained anecdotal. Facebook's security team couldn't prove something was wrong in the data. It wasn't until after the new year that the shocking truth emerged: Ammar was in the process of stealing an entire country's worth of passwords. [...] Sullivan's team rapidly coded a two-step response to the problem. First, all Tunisian requests for Facebook were routed to an https server. [...] The second technical solution they implemented was a "roadblock" for anyone who had logged out and then back in during the time when the malicious code was running. Like Facebook's version of a "mother's maiden name" question to get access to your old password, it asks you to identify your friends in photos to complete an account login.
Re: (Score:2)
Yeah, they decided, the day after Zuckerberg's page was hacked, to turn on HTTPS across their entire server farm for all users.
Just like that - no planning, no analysis, no coordination, just a knee-jerk response.
Re: (Score:2)
Something is better than nothing. I assume you also need your username and password. My thing is that very few of my friends use actual pictures of themselves as avatars. More than half use a favorite TV character, movie screen shot, comic frame or other mostly unidentifiable image.
Re: (Score:2)
That was my first thought as well.
Your stalkers probably know your friends' faces and names too. And with facial recognition tools [avinashtech.com] becoming mainstream it seems this is a pretty lame time to start this approach. Yet another juvenile approach to security by a company that just would rather not be bothered with the entire concept.
Re: (Score:2)
My first thought was that you can now brute-force a list of someone's friends with publicly-viewable profiles, using a simple script and TinEye/GIS. If I do it first I'll get my name on all the security/tech news sites!
Re: (Score:2)
Your stalkers probably know your friends' faces and names too.
This isn't meant to replace the password, just the Captcha.
Re: (Score:2)
Re: (Score:2)
This will be suck after I switch my profile pic to The Stig to avoid being in an inadvertent advertisement.
Re: (Score:2)
Re: (Score:2)
Re: (Score:3)
While I am skeptical that anyone needs Facebook chat, given that it provides an XMPP interface [facebook.com], couldn't she use Facebook over HTTPS and chat over XMPP?
Re: (Score:2)
Apparently they've added 'font-style: inherit' to * in the CSS file, which disables italics, although the tag is still there. I wonder why?
Re: (Score:3)
No. The photos they use are, by definition, tagged already. They already have the information. They are just asking you to confirm it.
They already have "information".
They may not have "good information".
Images with a statistically high "miss rate" can be rated "poor representations" of so-and-so. Images with a statistically low "miss rate" can be rated "good representations" of so-and-so.
As usual with facebook you are feeding them more information than you think.