Facebook plumps security features with HTTPS, CAPTCHA solution

New enhancements will protect users from Firesheep attacks, fraudulent use of accounts

One day after news broke that Facebook founder Mark Zuckerberg's Facebook page was hacked, the social network announced it is adding more security features to user accounts. In a blog post Wednesday, Facebook security engineer Alex Rice said Facebook will be adding HTTPS (Hypertext Transfer Protocol Secure) and CAPTCHA technologies to enhance user security and privacy.

"Starting today we'll provide you with the ability to experience Facebook entirely over HTTPS," Rice said in the post. "You should consider enabling this option if you frequently use Facebook from public Internet access points found at coffee shops, airports, libraries or schools."


Facebook was already using HTTPS for password exchanges, but now the feature can be enabled for an entire session. That closes the gap exploited by Firesheep, a Firefox plugin that makes it possible to take over a Facebook or Twitter account session while its owner is on an unencrypted Wi-Fi connection.
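As an added illustration that is not part of the article: the reason HTTPS only at login is not enough is that the session cookie issued afterwards is still sent with every plain-HTTP request unless it carries the Secure attribute. This small audit, with constructed, hypothetical cookie names (not Facebook's actual cookies), shows which session cookies a browser would still transmit in the clear.

```python
"""Audit Set-Cookie headers for session cookies that would travel over plain HTTP.

Constructed example: the cookie names and header lines are hypothetical and
are not taken from Facebook's real responses.
"""
from http.cookies import SimpleCookie


def parse_set_cookie(header_value):
    """Return (name, flags) for one Set-Cookie header value.

    flags has 'secure' and 'httponly' booleans; a missing attribute is False.
    """
    jar = SimpleCookie()
    jar.load(header_value)
    # One Set-Cookie line carries exactly one cookie.
    name, morsel = next(iter(jar.items()))
    return name, {
        "secure": bool(morsel["secure"]),
        "httponly": bool(morsel["httponly"]),
    }


def exposed_session_cookies(set_cookie_headers, session_cookie_names):
    """Return the session cookies a browser would also send over http://.

    Without the Secure attribute a cookie is attached to every request to the
    domain, including plain-HTTP page loads, so a passive listener on an open
    Wi-Fi network can copy it. This is the gap that HTTPS for the login alone
    leaves open and that an all-HTTPS session closes.
    """
    exposed = []
    for header in set_cookie_headers:
        name, flags = parse_set_cookie(header)
        if name in session_cookie_names and not flags["secure"]:
            exposed.append(name)
    return exposed


# Constructed sample responses (hypothetical cookie names).
LOGIN_ONLY_HTTPS = [
    "session_id=9f2c1e; Path=/; HttpOnly",  # no Secure: also sent over http://
    "locale=en_US; Path=/",
]
FULL_HTTPS = [
    "session_id=9f2c1e; Path=/; Secure; HttpOnly",
    "locale=en_US; Path=/",
]
SESSION_COOKIES = {"session_id"}

if __name__ == "__main__":
    print("login-only HTTPS exposes:", exposed_session_cookies(LOGIN_ONLY_HTTPS, SESSION_COOKIES))
    print("full-session HTTPS exposes:", exposed_session_cookies(FULL_HTTPS, SESSION_COOKIES))
```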

The option will exist as part of Facebook's advanced security features, which are found in the "Account Security" section of the Account Settings page, said Rice. The move is a great step, according to researchers with security firm Sophos, with the one exception of the opt-in nature of the feature. Sophos' Chester Wisniewski noted in a blog post that making the feature opt-out, as it is with Google's Gmail, would make more sense if security is the top priority.

"In Alex's post he only suggests enabling this feature if you frequently access Facebook from insecure locations," said Wisniewski. "While to a degree this is true, I wouldn't want to count on having to remember to fiddle with my settings when I am out and about on my iPad/netbook/laptop/smart phone."

The second security enhancement is what Facebook is calling "social authentication" and is more commonly known as CAPTCHA technology. Typically CAPTCHAs require users to enter a series of letters and/or numbers to verify they are an actual human. Facebook is putting a spin on this.

"Instead of showing you a traditional captcha on Facebook, one of the ways we may help verify your identity is through social authentication," said Rice. "We will show you a few pictures of your friends and ask you to name the person in those photos. Hackers halfway across the world might know your password, but they don't know who your friends are."

"This is a clever approach to a difficult problem and will hopefully be a significant speed bump for all of the phishers and scammers who have been targeting Facebook users," said Wisniewski. "Until Facebook begins using this technique it is difficult to say how well it will work, but it is easier and more intuitive than traditional CAPTCHA solutions."

Wisniewski also noted that the social authentication feature only targets bots, and won't address security issues that arise if a user is hacked by a friend or acquaintance who can actually identify the people in the pictures. Several Facebook members posted comments about Rice's announcement. One noted social authentication was a bad idea.

"What happens to the people that have 500+ gaming neighbors that they don't know at all?" the user asks. "People that 'collect friends' by the thousands?... you'd have tons of people locked out of their accounts!"

Copyright © 2011 IDG Communications, Inc.
