Facebook Launches Social Login and HTTPS

dkd903 writes "Facebook has introduced two new features. First is a really innovative way to verify real users rather than using CAPTCHAS. Using the Social Login feature (or Social Authentication as Facebook calls it), users will be shown a few pictures of their friends and then they will be asked to name the person in those photos. They've also launched HTTPS. The company says: 'Starting today we’ll provide you with the ability to experience Facebook entirely over HTTPS. You should consider enabling this option if you frequently use Facebook from public Internet access points found at coffee shops, airports, libraries or schools.'"

Facebook discovers HTTPS

[nospam007]

News at 11.

Re:

[creativeHavoc]

HTTPS at facebook's scale is not insignificant.

Re:Facebook discovers HTTPS

[Enry]

Wait, what?

All you're talking about is scale. Instead of having a regular HTTP site, you now have HTTPS sites, and perhaps a few more to handle the load. HTTPS is not the CPU hog it was 10 years ago, and HTTPS is not some obscure technology noone uses. Wikipedia offers HTTPS, Google offers HTTPS. What makes it so difficult for Facebook to do the same?

Re:Facebook discovers HTTPS

[severoon]

Of course, social login won't last long when they realize most of their users can't ID most of the people in their "friend" list.

Re:

[igreaterthanu]

Go to Account, Account settings, Download your information.

It's multi choice, and as far as I can tell does not have a time limit and has unlimited retries. Not the most secure really.

This method of verifying users are who they say they are has been there at least for a few weeks. It is very annoying, I ended up deleting all my mafia wars friends =(. Good riddance I guess.

Re:

[Belial6]

It is likely more for the puropose of verify that people are not putting in fake data. Let your 'friends' identify you for Facebook.

Re:Facebook discovers HTTPS

[SuperQ]

Again, what scale? Enabling https is only a few % different in CPU time for handling the crypto overhead. I've done the math. Based on any reasonably modern server machine (say a 1U dual socket quad-core) and facebook's quoted query rate it would only require an extra half rack of CPUs to turn on https for all facebook pages, including images.

Re:

[poetmatt]

HTTPS is the modern equivalent of an on/off switch. It doesn't matter if it's for the country of USA or a single company, it is still insignificant beyond "they turned on HTTPS".

It's an authentication thing, not a total revamp of a website.

So scale doesn't mean shit, jackass.

Re:

[mini me]

There was an article recently posted here talking about Facebook deployment methods. One of the points was that they rolled out features to small subsets of their users. Given that it only launched today, if you were using it before, it means you were part of a select group.

Though I do agree that SSL is not a big news story.

Re:

[dreamchaser]

Https adds very little overhead. Scale in this case is meaningless compared to the rest of Facebook's operations. You are either trolling, an idiot, or both. Or you were just trying to be funny and failed.

Re:

[jvp]

For what little it may be worth, I've been using HTTPS w/Facebook for *months*. It's been available for general use for quite some time, it's just that no one bothered trying it. And as you pointed out, the only thing that didn't work (and still doesn't) is chat.

This isn't really news at all. It's just "news" because of what happened to Zuckerberg.

Re:Facebook discovers HTTPS

[icebike]

One thing FaceBook has going for it is that Https impact is far less significant as a percentage of time and actual server loading on sites where content can't be (or isn't typically) cached, and delivery is more than a few words.

Setup is expensive, but once negotiated data transmission is not that bad.

Fetching a tweet would really hurt under ssl, but a facebook page is usually fairly significant in size. Making lots of short requests over HTTPS will be quite a bit slower than HTTP, but if you transfer a lot of data in a single request, the difference will be insignificant. If Facebook implements http keep-alive oh https connections you should be able to reuse the the connection.

Yes the handshake is longer (usually 5 traverses vs 2). We are talking about 200ms vs 500ms for the first connection. But during that time the web server isn't having to pound content down the pipe so it might not be as bad as it sounds.

Re:

[afidel]

Twitter would only have a significant issue for those clients with a broken stack, HTTP1.1 means they can open the connection once and leave it open for the AJAX piece polling in the background.

Re:

[nospam007]

On a sidenote as I just notice when reading your post:
HTTPS seems to be working on /. again with the new 'design'.

Re:

[HJED]

Not for me

Re:

[InlawBiker]

Since FB is so heavily load balanced I would expect that they're using SSL dedicaetd modules on their load balancing solution and still running their servers HTTP. Since they didn't care about privacy enough to use SSL until it became a PR issure, I doubt they care too much about encryption on their internal network.

Re:

[phoenix321]

Their internal network is an insignificant threat. It's internal and they probably have access to everything anyway.

HTTPS will help with what's going over the wire. And even more with the wireless. A ton of options for filtering, eavesdropping, snooping and altering have just vanished from the bad guys menu. It's not going to help with keyloggers or webcams pointed on keyboards on cybercafes, but other than that, it's fine.

Introduce the general population to the concept of "encrypt everything, just because

Re:Facebook discovers HTTPS

[Aerorae]

Breaking Development! Facebook introduces HTTPS after CEO Mark Zuckerbergs' facebook account is hacked!!!

Re:

[RollingThunder]

HTTPS has been available for longer than this, just not as an option in the FB Account settings.

The "HTTPS-Everywhere" extension for Firefox (by the EFF), has had Facebook in it since the initial release, if I remember properly.

Re:Facebook discovers HTTPS

[MysteriousPreacher]

Yeah, the photo ID thing is iffy. If photos are to believed, quite a few of my friends appear to be very young babies. Another bunch are cartoon characters.

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[shadowrat]

I live in Wisconsin. Just recently i noticed that almost ALL my local friends bear an uncanny resemblance to Aaron Rodgers.

Re:

[Angostura]

Even if it's a real photo, surely that is susceptible to attack through something like TinEye?

Links wrong

[XanC]

I'm able to change the protocol to https for any page, successfully. But all the links on that page point back to http. So... That's pretty limited https support.

Re:Links wrong

[Jugalator]

For "persistent https", I think you have to enable the new option in Account Settings -> Account Security.

I saw that one in a screenshot, but that option doesn't seem to be rolled out here yet, although I am able to manually type in "https://" in front of URL's. However, as you say, that only leads to using https temporarily.

Re:

[stoolpigeon]

I don't have that option yet, must be rolling it out I guess.

Re:

[Tynin]

Just had my wife check her account (she does enough FB'ing for the both of us) and she doesn't have the option yet either.

Re:

[SimonTheSoundMan]

I noticed that if you are using Firefox 4 betas/Minefield nightly builds, they use HTTP Strict Transport Security to good effect. Facebook is always HTTPS, including its sub-domains. Other browsers tend to go back to HTTP once you navigate away from the home page, or load unencrypted images and videos while the code is encrypted.

Problem

[girlintraining]

Problem: A lot of what people tag as me is to get my attention, not because it IS me. I got locked out of my account for about a week because of this mis-feature, and when I did get back in, I had to spend about three hours removing tags of things like trees, the sun, burgers, and lots of other stuff.... now it works. But the solution fails because it makes an assumption that isn't always true.

Re:

[Nadaka]

Doesn't removing a photo tag on facebook make it so that the friend that tagged you can never tag you in a phota again? or am I misremembering that feature?

Re:

[Jesse_vd]

I believe it just prohibits anyone from re-tagging you in that particular picture .....where is my submit button?

Re:

[vlueboy]

I think that's right. The problem is that normally pictures come in groups, and they can just as easily tag you in the next photo from that shoot.

My mother learned the value of not discouraging ( funny | political | informational purposes ) tagging when the profile changed recently, and there were "troublesome" randomly selected pictures in her top 5 preview*.

To fix it, she showed me her "others tagged me" list and there were 90 pictures that she then choose to not bother fixing --typical of non-geeks who b

Re:

[Bigbutt]

I just started having this happen to me. One of the idiot meme things (the wikipedia random page title + google random image for an album cover). Someone tagged me in it which took a couple of views to figure out what was going on. I immediately hid their status'.

Since I have a "Local Business" (forum status page), I have almost 60 "friends" who I wouldn't recognize if they came up and said "hey".

This will work well. I'll get locked out and never be tempted to log in again.

[John]

this will never work

[Thud457]

easy first-guess mismatches for every picture:

jackass
stoned
douchebag
bitch
slut
dick
asshole
drunk
party

Re:

[by (1706743)]

Your friends with somebody who you don't really know (like an ex-classmate) and therefore forget their name when the photo is shown to you.

I'm sure they could show pictures based on activity. Do you write on this person's wall often? Do you comment on their photos, etc.? If so, then there's a reasonable chance that you know what the person looks like.

Re:

[vlueboy]

They won't keep your wife from guessing and breaking into your account. There's an equally reasonable chance that besides her, our "friends" trying to log in as us notice our public "wall" activity with that person enough to have seen their name exploiting the "allow anyone in the world to see their full name... and friends-of-friends to even hear their interactions" defaults.

That's as "obscure" as organizations "protecting" our credit card from dedicated scammers behind "secure" questions regarding public

Re:

[Tynin]

I know that this authentication feature was implemented due in part to the government scale phishing scheme in Tunisia, however I've been thinking perhaps it is also a clever way to weed out all of the duplicate accounts people use to play those games on FB that give you some modicum of extra... stuff, for the number of "friends" you have. I broke free from the time vampire that is FB games over a year ago, so I'm not sure if it is still an issue. However at the time it wasn't that hard to script your way t

Re:

[Stregano]

Oh man will there be alot of people locked out of their account who are friend's with me. I dumped my entire FB profile last night and put in information about a video game character that had a live action movie. So if you were not logged into FB last night to witness me changing it, you have a picture of some pretty unknown actor in a suit and have to guess what his name was in the movie/video game. Awesome.

It's a good thing(tm)!

[TheDarkener]

Today, history has been made. A social networking site actually listened to its users and implemented a bit of security. *astonished*

Re:It's a good thing(tm)!

[Haedrian]

They can hardly sell your personal information if a guy at starbucks can sniff it from you can they?

Stop information piracy! Buy facebook!

All but mandatory for "free" wifi

[davidwr]

All web sites that allow logins should REQUIRE or at least STRONGLY ENCOURGE HTTPS from unencrypted WiFi hotspots such as those "found at coffee shops, airports, libraries or schools."

I may trust McStarCoffeeInn not to snoop my traffic but I do NOT trust the guy in the next booth or room much less the guy in the parking lot.

The traveling public needs to pressure these companies - especially those that charge for it like some hotels - to switch to encrypted WiFi.

Should be true everywhere, not just free WiFi

[DragonWriter]

All web sites that allow logins should REQUIRE or at least STRONGLY ENCOURGE HTTPS from unencrypted WiFi hotspots such as those "found at coffee shops, airports, libraries or schools."

No, all websites that allow logins should require at least HTTPS (and preferably HTTPS with certificate verification in both directions rather than just one, though getting to the point where that is practical is still a ways off) from any logon not on the servers local network. Otherwise, credentials are travelling unencrypted over the public internet -- which means a bunch of computers that aren't controlled by either the owner of the account or the owner of the system they are logging in to, any of whom

Re:

[vlueboy]

I see the value of this, but doubt that anyone but the RIAA and advertisers really go through the trouble of making IP databases. Furthermore, our currently poor geolocation means that if your local mom-pops coffeeshop has WIFI, they'll be using DSL or cable dynamic IP's. Geolocation services in big cities like New York give you nothing more than a city address faaar from your real place. I would imagine that Starbucks internet nats wifi users behind some concentrator's address, and generates a similar trac

Re:

[shutdown -p now]

Sniffers work on wired networks as well.

Really, it's as simple as this: if your website has a login form, it should be served over HTTPS, period.

Who are you?

[Anonymous Coward]

The "social login" is going to cause issues for people who have no idea what their "friends" look like. Or with friends with other subjects in their pictures.

Re:

[MrEricSir]

Not to mention visually impaired users.

Or me, when I can't find my glasses.

Picture thing

[stoolpigeon]

The photo thing has been around for a long time and it sucks. I travel and have wanted to connect to facebook when in a different country, and it decides I need to prove who I am. So I have to match a certain number of pictures with the right person. The summary makes it sound clever and good, it is anything but.
 
It's been a few months since last time I did it, so I don't remember exact numbers but I had to get something like 4 out of 5 right. Then they start showing photos, and there is a list of 4 or 5 friend names below. It is up to you to pick the right friend to go with the photo.
 
What's the biggest problem? Well, you don't get pictures of the persons face as the summary says. What you get are pictures tagged with that persons name. The first one I did was their face, and I thought, "o.k. - no problem.".
 
  The next one was some kid. A relative of one of my friends? A neigbor of one of my friends? Shoot could have even be one of my friends as a kid, I have no idea. All I know is I've got a 1 in 4 chance of guessing who this belongs to and if I'm wrong I've just used up my one wrong answer.
 
Next photo is an inanimate object. I don't know remember what it was any more. A pie or some food of some kind I think. Which friend is this?! I don't know. Best guess it is something one of my friends ate once. Who does it belong to? Once again, I haven't the slightest, but as you can guess, I wasn't allowed to log in.
 
A smaller problem is that I am not super close friends with every one of my friends on facebook. My barrier to entry on the friendship front is pretty low. I'm friends with people I knew in jr. high, highschool, worked with once, went to church with them years ago, etc. I know them but am not intimately close with them. Facebook is a good way to keep in touch while maintaining a comfortable distance. But will I be able to identify them in every pic of themselves they've uploaded to facebook? I doubt it. Not to mention the fad a bit back to change your profile pic to a cartoon character. I'll bet dollars to donuts those go into the rotation. Which of your friends was underdog and which was optimus prime? I don't remember.
 
It's a horrid system. A co-worker of mine on the same trip ran into it too. He mocked me for not knowing my friends well enough and then almost put his laptop through a window when he couldn't log into facebook. He had almost an identical experience, a picture of some 6 or 7 year old kid he didn't know and a bike or something.

Re:

[ctd600ftlb]

Haven't actually seen this system in action myself, but you've mentioned a lot of the issues I first thought about - pets, kids, inanimate objects for pictures and whatnot. Group pictures seem like they could be a problem, too. With two friends getting married last year, a lot of pictures they or I are tagged in are from weddings, and some of these pictures might have five people who I'm friends with on Facebook in them. I'm guessing if Alice and Bob are both tagged in a picture, either would be a correc

Re:

[oracleguy01]

As soon as I read the summary I thought about this. People do weird stuff with tagging, I know some people that will tag someone not in the picture as a way of telling that person that they should look at it and like you pointed out people will tag pictures without people even in it.

That kind of renders the feature less than optimal. They are trying to rely data that by its very nature is unreliable.

Isn't there some way to put your friends into groups on FB? If so, if you could set the feature to only draw

Re:

[vlueboy]

I know some people that will tag someone not in the picture as a way of telling that person that they should look at it and like you pointed out people will tag pictures without people even in it.

FB should completely throw out, or weigh significantly fewer pictures that their database is fully aware are "tagged by your friends." Obviously YOU have better pictures of yourself tagged by you. Perhaps FB's own research revealed a lot of lurkers and dangerously favors the potential of truth in their "crowdsourcing" the work of authenticating those faceless lurkers. But even that can be corrected by analyzing the special cases and reducing the problem to just those who hide their personal face. So... why

Re:

[metamatic]

It's going to ruin the Facebook experience for people like Oliver Sacks [oliversacks.com] who suffer from face blindness [cbsnews.com].

Re:

[vlueboy]

Next photo is an inanimate object

That is a Facebook coder crime: they have code that detects human faces that is not being used nearly enough.
That code even nags when too many of your pictures remain untagged. It's silly that they don't use it in this important security check, since all your FB friends must have human faces... unless they used said cartoon profiles or you've friended someone's pet ;)

Re:

[AmberBlackCat]

My first thought was how often people on my list change their names. I could be "Amber J" this morning and be "Badasx Ambie" later tonight when you try to log on. Sometimes I have to click on people's picture just to know who they are because their new name has nothing to do with their real name anymore.

Re:

[stoolpigeon]

Interesting Idea. I'll give it some thought, though I'm one of those 'douches' so it might be a touch hypocritical.

I don't tag them as me though. Maybe people who post photos of kids and tag them as someone else are the real problem here. Then again, any of their friends can tag the photo in most cases. So it's tough to nail down the perpetrator.

Maybe you could mull it over and give me better criteria on who to unfriend?

Name my friends?

[snspdaarf]

Well, there's Stinky, "Horse", Knocks, Poker-Face, and Weed. How does that help me log in?

Am I missing something?

[hellkyng]

This social login is supposed to increase security? What about privacy. It seems like this feature can be leveraged to harvest pics from facebook, not that they weren't already available to the highest bidder anyway. Hopefully they have something in place to prevent harvesting...

Anyone else sense ulterior motives?

[Anonymous Coward]

As a coincidental bonus of this new CAPTCHA, Facebook has nearly every photo stored in their library face-tagged for them, using the most powerful and accurate computers in existence - us.

Unknown "friends"

[Esospopenon]

I'm curious about how the "Social Authentication" feature will play out, especially for the facebook users eighter view the friendslist as a sort of competition or who play games that reward users who have many friends playing the game and therefore add friends by the truckload without having any real idea of who they are. There's probably a lot of people playing the latest Zynga game or whatever is popular these days, with an extremely large list of "friend" who they don't know and don't want to know, othe

Won't work for me

[denshao2]

More than half my friend list consists of people that I don't really know. Some are gamers who help me with social games that offer benefits to players that have a lot of friends who play the same game. Also, it seems to have become a fad to use weird aliases instead of real names.

Tagged pictures

[Mentally_Overclocked]

I thought it was just a clever way for us to do work training their facial recognition algorithm ... Maybe a huge conspiracy to create a government identification database!

Who says hackers are bad...

[Kildjean]

It took a hacker, to force facebook into being more secure yet. Maybe someone sniffed the ports earlier today and that is how they got into Zuckerboy's account or fansite or whatever...

that's genius

[digitalsushi]

i cant share my wife's account anymore. i gotta make my own now.

well, i needed to make one for myself just to untag my name from my ugly mug anyways. either way the machine is going to eat me. *splat* i give up. there's no way to avoid them. people i see can take photos of me and label me. i cant undo it without logging in. if i log in, it is still stored.

it's a new world i guess.

There's a problem with this.

[thisisauniqueid]

I had to name friends one time for some stupid facebook game that I installed. I couldn't name more than half of them from photos. Probably 1/3rd were people I didn't know that well who friended me ("sure, whatever -- click") and 1/3rd were people I knew but whom I couldn't identify based on their profile photos. => All in all, a novel but (in practice) rather stupid idea.

Re:

[Tukz]

I keep a strict policy of only having people I actually know, and interact with on a regular basis, on my friends list.
The entire "I got a gazillion friends!" craze completely eludes me.

Remember when...

[Haedrian]

Someone had the 'brilliant' idea of everyone replacing their face with cartoon images from their childhood?

They pull that sort of thing now, and most people won't be able to log in...

Re:

[Nimey]

My photo's still Pedobear.

Yet another image-based CAPCHA scheme

[Animats]

The good news is that this will provide an incentive for producing low-cost high-quality face recognition software. There will also be face recognition outsourcing services.

And, if the Facebook account is entirely fake (created, perhaps, by Facebook Demon), this won't slow down login, since the program has already seen its own pictures.

Re:

[omnichad]

Furthermore, if those pictures are already public - as they'd better be if they're going to be shared by someone who only knows a username, they're being indexed by search engines. Just match up the photo with a search for similar images.

From the horse's mouth...

[l00sr]

http://blog.facebook.com/blog.php?post=486790652130&ref=mf [facebook.com]

entice people to put names on the faces

[ciaran_o_riordan]

> asked to name the person in those photos

It's also a good way to entice people to put names on the faces in their photos.

Other security suggestions include verification via mobile phone.... which just so happens to be a good way to entice people to put their mobile phone number into their profile.

Why does every feature sold as a security enhancement involve increasing the amount of personal info you hand over?

Re:

[crush]

Even better, it creates an evolutionary pressure for spammers to invest in databases of peoples faces linked to names and associated face-recognition technology. Brilliant. Something else for which to thank the Facebook tards.

My congratulations

[Carnildo]

My congratulations to the Facebook developers. They've made a website that faceblind [wikipedia.org] people like me cannot use -- I didn't think that was possible.

I wonder if I can sue them under the Americans with Disabilities act...

Re:

[Velex]

I wonder if I can sue them under the Americans with Disabilities act...

Not any more than a transgender person could sue Microsoft for enforcing apparent birth sex for avatar gender on XBox Live.

Re:

[stevie.f]

When logging in from a different location (im my case I was on holiday, so I was on a different continent) I had to do this to verify that I was the account owner. I can understand why, but it was extremely frustrating and if I had been traveling without my partner then I would have been unable to use facebook for the duration of the trip. This was the only way possible to regain access to the account.

I like it.

[Limburgher]

I was traveling recently and it had me do the social login thing because I was outside the usual range of IPs. I actually liked it. It was a no-brainer for me to do, and very few people that weren't me could have done it correctly, since the pictures of people were from all over my social map. +1 to Facebook for this one.

Re:

[countSudoku()]

Fuckerburg, is that you? If so, sorry about your myspace login being hacked by Sarah Palin, or whatever.

Friends?

[gmuslera]

Which kind? Close ones? The old schoolmates that look totally different now? Some people that you only know thru internet, never saw in real life? The anonymous faces that some collect as "friends" just to make numbers? Any of the variations of the word used in the South Park episode about facebook?

The problem with facebook is that everyone of them are just friends, not a lot of deepness there, basically all in the same bag no matter what they are, And add to that that their identifying picture could be a

Teens will hate this

[Stenchwarrior]

My 15 year old daughter, and probably all other other teens/tweens out there, likes to "collect" friends, whether she really knows them or not. having tons of contacts on FB affords her bragging rights in her circle of real friends. So, if she has to name some of them before being allowed to access her home page, then I guess I can remove the time restriction to that domain from my firewall, cause she'll never get in again.

Re:

[fermion]

They will may hate having to name 'friends' but they will love having the ability to spend the day on facebook at school. I suspect the real reason the HTTPS was implemented was to keep kids off facebook at school. I have no problem with kids spending some time in school on social networks, but if we are honest we will admit that most kids, even teens, do not have maturity to make a choice between immediate gratification and hard work. Even adults have this problem, which is why saw that Facebook was oft

Terrible idea...

[Darkness404]

This is a terrible idea for a number of reasons. First of all, how many people's friends actually simply tag themselves in photos of themselves. People tag themselves in all sorts of things, many of which are not themselves. Someone might tag themselves as George Washington, or the Mona Lisa or even just random things like a corner of a photo of a concert they attended. Secondly even if that was 100% perfect the fact still remains that the greatest threat to the average person's privacy isn't the guy who pr

Re:

[danwesnor]

It's very common among my friends to use a parent's name when tagging children. Am I to be expected to be able to ID all of my friends' kids? Mark needs to come out of Zuckerland an see how people actually use his product.

so, if I know the person I'm trying to hack

[way2trivial]

like, you know, all the little teeny boppers that hack their 'friends' facebook pages?

what if the hacker is known to me/knows the same people I do?

Ya, real good solution-- Since before the internet was widely in use~ with my very first bank account where I could call in and ID myself to the bank for account changes, ~ my 'mothers maiden name' has ALWAYS been something my irresponsible brother does not happen to know.

Does "turn on https" break third-party clients?

[DdJ]

I'm curious: does turning on "do everything over https" end up breaking third-party clients, like some of the iPad clients or like the Facebook upload plugins for some photo software?

Also, how does it interact with the ajaxy "like" buttons on third-party web sites?

(The option hasn't been rolled out to me yet, so I can't check on the answers myself yet.)

HTTPS has been there for a long time, still no IM

[Anonymous Freak]

I've been using HTTPS for Facebook for quite a while (when accessing over wireless, or from work,) and they've slowly been making it less obnoxious. The certificate errors disappeared a few weeks ago, but there is still no IM via HTTPS. And if you are logged out and visit their site via HTTPS, if punts you back to the regular HTTP when you log in, so you have to go manually re-S the connection.

Re:

[Tukz]

I would assume that this announcement means that Facebook will now be fully compatible in HTTPS mode.
If not, nothing really changed, as you said yourself, it's been possible to use Facebook in HTTPS for quite some time now.
Just IM isn't working in HTTPS.

stupid idea

[Trailer Trash]

Half of my "friends" have a picture of their child instead of themselves for their profile picture. One couple, I kid you not, both have the exact same picture of their baby in their profile. If it gets around to pictures where someone's been tagged, God forbid, it'll be idiots who tagged me so that I'll see the picture because they're too stupid to hit "share", or the cartoon panels with "the babe, the ditz, the idiot, etc." where all their friends are tagged.

Holy shit, facebook makes people mouth-breath

Re:

[Yvan256]

Serenity now! SERENITY NOW! [wikipedia.org]

Re:Security, Now?

[creativeHavoc]

Really it has more to do with the fact that they did it for Tungsnia [theatlantic.com], so they have now just implemented it for other countries

The evidence that accounts were being hacked remained anecdotal. Facebook's security team couldn't prove something was wrong in the data. It wasn't until after the new year that the shocking truth emerged: Ammar was in the process of stealing an entire country's worth of passwords. [...] Sullivan's team rapidly coded a two-step response to the problem. First, all Tunisian requests for Facebook were routed to an https server. [...] The second technical solution they implemented was a "roadblock" for anyone who had logged out and then back in during the time when the malicious code was running. Like Facebook's version of a "mother's maiden name" question to get access to your old password, it asks you to identify your friends in photos to complete an account login.

Re:

[Americano]

Yeah, they decided, the day after Zuckerberg's page was hacked, to turn on HTTPS across their entire server farm for all users.

Just like that - no planning, no analysis, no coordination, just a knee-jerk response.

Re:

[DrgnDancer]

Something is better than nothing. I assume you also need your username and password. My thing is that very few of my friends use actual pictures of themselves as avatars. More than half use a favorite TV character, movie screen shot, comic frame or other mostly unidentifiable image.

Re:

[icebike]

That was my first thought as well.

Your stalkers probably know your friends faces and names too. And with facial recognition tools [avinashtech.com] becoming mainstream it seems this is a pretty lame time to start this approach. Yet another juvenile approach to security by a company that just would rather not be bothered with the entire concept.

Re:

[GameboyRMH]

My first thought was that you can now brute-force a list of someone's friends with publically-viewable profiles, using a simple script and TinEye/GIS. If I do it first I'll get my name on all the security/tech news sites!

Re:

[icebraining]

Your stalkers probably know your friends faces and names too.

This isn't meant to replace the password, just the Captcha.

Re:

[digitig]

And everybody on Facebook knows all of their "friends" by sight, don't they? And all photos on Facebook are correctly tagged...

Re:

[countSudoku()]

This will be suck after I switch my profile pic to The Stig to avoid being in an inadvertent advertisement.

Re:

[igreaterthanu]

It's not your profile picture, it's photos that are tagged of you. (and cropped to just have you in the photo)

Re:

[91degrees]

Just because there's a situation where it doesn't work doesn't make it useless. And I don't know about you, but none of my friends know all of my friends.

Re:

[mini me]

While I am skeptical that anyone needs Facebook chat, given that it provides an XMPP interface [facebook.com], couldn't she use Facebook over HTTPS and chat over XMPP?

Re:

[icebraining]

Apparently they've added 'font-style: inherit' to * in the CSS file, which disables italics, although the tag is still there. I wonder why?

Re:

[vux984]

No. The photos they use are, by definition, tagged already. They already have the information. They are just asking you to confirm it.

They already have "information".
They may not have "good information".

Images with a statistically high "miss rate" can be rated "poor representations" of so-and-so. Images with a statistically low "miss rate" can be rated "good representations" of so-and-so.

As usual with facebook you are feeding them more information than you think.