Facebook (yes, again)

Facebook has announced security changes at its site. First, it is enabling secure browsing over HTTPS for the whole site, with a setting in your account settings to make this your Facebook default. According to the Facebook blog post:

Facebook currently uses HTTPS whenever your password is sent to us, but today we’re expanding its usage in order to help keep your data even more secure.

Starting today we’ll provide you with the ability to experience Facebook entirely over HTTPS.

This is generally a good thing; secure browsing really should be the default in more cases than it already is. Note, though, that an opt-in setting is not a default: by Facebook’s own description, accounts that never turn it on keep sending everything except the password in the clear. The announcement also raises other issues: first, as I posted yesterday, Facebook is quite ready to share your personal information with advertisers as they see fit (and as will make them money). For me, steps like these and the way they are presented smack of underhandedness: “Look at us, helping you to protect your personal data, isn’t that great?” But that is followed by: “We still give all our ‘partners’ access to your data, but we trust them, so you should, too.” The disconnect between rhetoric and action is simply too big for me to buy.

Separately, but perhaps just as importantly, Facebook announced changes in how it will authenticate users when there may be a security issue with their account (Facebook’s example is a login from California followed a few hours later by one from Australia). According to Facebook:

Many sites around the web use a type of challenge-response test called a captcha in their registration or purchasing flows. The purpose of this test is to verify that you are a human being and not a computer trying to game the system. Traditional captchas have a number of limitations including being (at times) incredibly hard to decipher and, since they are only meant to defend against attacks by computers, vulnerable to human hackers.

[Image: Traditional captcha]

Instead of showing you a traditional captcha on Facebook, one of the ways we may help verify your identity is through social authentication. We will show you a few pictures of your friends and ask you to name the person in those photos. Hackers halfway across the world might know your password, but they don’t know who your friends are.

[Image: Social authentication]

We will continue to test social authentication and gather feedback from you and the security community on how to make this and other social features safe and useful.

The Washington Post calls this “better authentication.” The difficulty is that the only secret this scheme relies on is the mapping between your friends’ names and their faces, and many people keep their friends list, profile photos included, public. Whether publication of a user’s friends list is intentional or inadvertent, wherever the list is public, “friend identification” poses no greater obstacle to a semi-skilled hacker than no authentication at all: one browser window open to the friends list, a second one open to the authentication page, and each photo is looked up by eye. In many cases it amounts to authenticating a person with publicly available information about that same person (not to mention how it would function for more public personas with thousands of friends).
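To make the point concrete, here is an added toy model of the challenge described above. It is not Facebook’s code and says nothing about how Facebook actually implements the check; the friend names, photo identifiers, round count and number of choices are all constructed assumptions. The server-side verifier is the same in every scenario; the only thing that changes is what the attacker knows, which is exactly the argument about public friends lists.

```python
# Added example (not Facebook's code): a toy model of a "social authentication"
# challenge, used to show that its strength is the secrecy of the friend/photo
# mapping, not the challenge itself. All names and photo identifiers are constructed.
import random

# Constructed account: friend name -> identifier standing in for that friend's profile photo.
FRIENDS = {
    "Alice Example": "photo-a1",
    "Bob Sample": "photo-b2",
    "Carol Test": "photo-c3",
    "Dave Mock": "photo-d4",
    "Erin Dummy": "photo-e5",
    "Frank Fake": "photo-f6",
    "Grace Stub": "photo-g7",
    "Heidi Placeholder": "photo-h8",
}


def make_challenge(friends, rounds=3, choices=6, rng=None):
    """Show `rounds` friend photos; for each, offer `choices` names, one of them correct."""
    rng = rng or random.Random(0)
    names = list(friends)
    challenge = []
    for name in rng.sample(names, rounds):
        options = rng.sample([n for n in names if n != name], choices - 1) + [name]
        rng.shuffle(options)
        challenge.append((friends[name], options))
    return challenge


def verify(friends, challenge, answers):
    """Server side: every photo must be matched to the right friend."""
    by_photo = {photo: name for name, photo in friends.items()}
    return len(answers) == len(challenge) and all(
        by_photo[photo] == answer for (photo, _), answer in zip(challenge, answers)
    )


def answer_blindly(challenge, rng):
    """Attacker who has the password but knows nothing about the friends: guess."""
    return [rng.choice(options) for _, options in challenge]


def answer_from_public_list(challenge, public_list, rng):
    """Attacker holding the (possibly partial) public friends list: look each photo up;
    for a photo not in the list, at least rule out the names whose photos are known."""
    by_photo = {photo: name for name, photo in public_list.items()}
    answers = []
    for photo, options in challenge:
        if photo in by_photo:
            answers.append(by_photo[photo])
        else:
            candidates = [o for o in options if o not in public_list] or options
            answers.append(rng.choice(candidates))
    return answers


def blind_success_probability(rounds=3, choices=6):
    """Chance of passing by pure guessing: one correct pick per round."""
    return 1.0 / choices ** rounds


def blind_success_rate(trials=5000, rounds=3, choices=6, seed=0):
    """Empirical pass rate of the blind guesser over many fresh challenges."""
    rng = random.Random(seed)
    passed = 0
    for _ in range(trials):
        ch = make_challenge(FRIENDS, rounds, choices, rng)
        passed += verify(FRIENDS, ch, answer_blindly(ch, rng))
    return passed / trials


def public_list_attack_succeeds(seed=0):
    """An attacker whose knowledge equals a fully public friends list always passes."""
    rng = random.Random(seed)
    ch = make_challenge(FRIENDS, rng=rng)
    return verify(FRIENDS, ch, answer_from_public_list(ch, FRIENDS, rng))


def partial_list_attack_rate(hidden=2, trials=2000, seed=0):
    """Pass rate when only part of the list is public (`hidden` friends withheld)."""
    rng = random.Random(seed)
    public = dict(list(FRIENDS.items())[hidden:])
    passed = 0
    for _ in range(trials):
        ch = make_challenge(FRIENDS, rng=rng)
        passed += verify(FRIENDS, ch, answer_from_public_list(ch, public, rng))
    return passed / trials


if __name__ == "__main__":
    print("blind guessing, theoretical:", blind_success_probability())
    print("blind guessing, simulated:  ", blind_success_rate())
    print("full public friends list:   ", public_list_attack_succeeds())
    print("partial public friends list:", partial_list_attack_rate())
```

With three rounds of six choices, the remote attacker Facebook describes passes about one time in 216; the same attacker with a public friends list passes every time, and with most of the list public still passes most of the time, because every known photo also eliminates its name from the unknown rounds. Nothing about the verifier changed between those runs.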

I’m not sure why this is supposedly good (and definitely not sure why it’s “better”), but hopefully Facebook will think twice about using information it encourages users to keep public to authenticate users when authentication is needed.