Facebook plumps security features with HTTPS, CAPTCHA solution
New enhancements will protect users from Firesheep attacks, fraudulent use of accounts
By Joan Goodchild , Senior Editor
January 26, 2011 — CSO —
One day after news broke that Facebook founder Mark Zuckerberg's Facebook page was hacked, the social network announced it is adding more security features to user accounts. In a blog post Wednesday, Facebook security engineer Alex Rice said Facebook will be adding HTTPS (Hypertext Transfer Protocol Secure) and CAPTCHA technologies to enhance user security and privacy.
"Starting today we'll provide you with the ability to experience Facebook entirely over HTTPS," Rice said in the post. "You should consider enabling this option if you frequently use Facebook from public Internet access points found at coffee shops, airports, libraries or schools."
Facebook was already using HTTPS for password exchanges, but now the feature can be enabled and used for an entire session. That addresses a wireless network attack that uses Firesheep, a Firefox plugin that captures the unencrypted session cookie of a Facebook or Twitter user on an open Wi-Fi connection and lets the person running it take over that login.
The option will exist as part of Facebook's advanced security features, which are found in the "Account Security" section of the Account Settings page, said Rice. The move is a great step, according to researchers with security firm Sophos, with the one exception of the opt-in nature of the feature. Sophos' Chester Wisniewski noted in a blog post that making the feature opt-out, as it is with Google's Gmail, would make more sense if security is the top priority.
"In Alex's post he only suggests enabling this feature if you frequently access Facebook from insecure locations," said Wisniewski. "While to a degree this is true, I wouldn't want to count on having to remember to fiddle with my settings when I am out and about on my iPad/netbook/laptop/smart phone."
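The Firesheep attack above works only because the session cookie is sent in the clear once a user leaves HTTPS. Session-wide HTTPS closes that gap, and Wisniewski's point about opt-out defaults is really a point about what the server enforces rather than what the user remembers to set. The following check is an added example, not code from the article or from Facebook: it audits constructed response headers for the two server-side controls that make "HTTPS for the whole session" hold up without user action, the `Secure` attribute on the session cookie (so a browser never attaches it to a plain `http://` request) and an HSTS header (an assumption on my part; the article does not mention it). The cookie name `sess` and the header values are constructed for the example.

```python
from http.cookies import SimpleCookie

# Constructed sample responses (not captured from any real site).
# The first mirrors an opt-in HTTPS deployment: the session cookie can
# still travel over plain HTTP. The second is the hardened form.
OPT_IN_RESPONSE = {
    "Set-Cookie": "sess=abc123; Path=/; HttpOnly",
}
HARDENED_RESPONSE = {
    "Set-Cookie": "sess=abc123; Path=/; HttpOnly; Secure",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
}


def cookie_sent_over_plain_http(set_cookie_header, name):
    """True if the named cookie would be attached to an http:// request.

    A browser only withholds a cookie from plaintext requests when the
    Set-Cookie header carried the Secure attribute, so its absence is
    exactly the condition a passive Wi-Fi sniffer relies on.
    """
    jar = SimpleCookie()
    jar.load(set_cookie_header)
    morsel = jar[name]
    # Morsel stores flag attributes as True when present, "" when absent.
    return not morsel["secure"]


def audit_session_security(headers, session_cookie="sess"):
    """Return a list of findings for a response that sets the session cookie.

    An empty list means the session cannot be replayed from plaintext
    traffic and the browser will not silently downgrade to http://.
    """
    findings = []
    if cookie_sent_over_plain_http(headers["Set-Cookie"], session_cookie):
        findings.append(
            "session cookie lacks the Secure attribute: "
            "it is sent on plain http:// requests and can be sniffed"
        )
    hsts = headers.get("Strict-Transport-Security", "")
    if "max-age=" not in hsts:
        findings.append(
            "no Strict-Transport-Security header: "
            "the browser will still follow http:// links to this site"
        )
    return findings


if __name__ == "__main__":
    for label, response in (("opt-in", OPT_IN_RESPONSE),
                            ("hardened", HARDENED_RESPONSE)):
        print(label, audit_session_security(response) or ["ok"])
```

Run as a script it prints two findings for the opt-in headers and `ok` for the hardened ones. The same two checks can be pointed at live responses by feeding in the headers from an HTTPS fetch of the login page.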
The second security enhancement is what Facebook is calling "social authentication" and is more commonly known as CAPTCHA technology. Typically CAPTCHAs require users to enter a series of letters and/or numbers to verify they are an actual human. Facebook is putting a spin on this.
"Instead of showing you a traditional captcha on Facebook, one of the ways we may help verify your identity is through social authentication," said Rice. "We will show you a few pictures of your friends and ask you to name the person in those photos. Hackers halfway across the world might know your password, but they don't know who your friends are."