ed_adams
Chief Executive Officer, Security Innovation

Facebook Security

Opinion
Feb 01, 2011 | 3 mins
Business Continuity, Data and Information Security, Identity Management Solutions

I was happy to read last week that Facebook will be rolling out transport encryption as an option for your entire session, not just during the password exchange (ref: https://blog.facebook.com/blog.php?post=486790652130).

I certainly recommend that if you use Facebook you follow the instructions in the blog referenced above to set the option to enable this “end-to-end encryption” when it becomes available to you. Once again, security researchers (in this case Eric Butler and Ian Gallagher, who created the Firesheep tool) played a part in helping a large entity change its security posture. Firesheep got a lot of attention, rightly so, and was one of the reasons the project got the attention it deserved at Facebook, according to a recent article in SC Magazine.

This was exactly why Firesheep was created — to bring attention to an issue that was well known by security professionals, but not more generally known by consumers of web commerce and social media content. We should not forget that many other sites still have the same problem. In fact, Firesheep was configured for 26 sites, Facebook being just one of them. Before you use a site or application that contains personal information, be sure your entire session is encrypted if the option exists.

What is particularly illustrative about this case is the amount of time it took for Facebook to get to the point of announcing it, and it is still not rolled out. Firesheep was made available over four months ago, and Facebook said at the time they were already aware of and looking at the session hijacking issue Firesheep exposed. If a company with the resources and visibility of Facebook can have its most high profile page hacked and not deal with one of the most basic of security issues for months, what chance does everybody else have?
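The exposure described above comes down to one detail: a session cookie issued without the `Secure` attribute is sent by the browser on every plain-HTTP request, so a login that is encrypted only for the password exchange still leaks the session to anyone on the same network. The following added example (not code from the original post, Facebook, or Firesheep) shows the check a developer or reviewer can run against their own application's `Set-Cookie` headers. The two responses are constructed samples, and the session-cookie name heuristic is an assumption for this illustration.

```python
"""Audit Set-Cookie headers for the session-exposure problem the post describes.

Added example; the responses below are constructed samples and the cookie
names are made up. The check emulates the browser rule for the Secure
attribute: a cookie lacking it is transmitted over http:// as well as https://.
"""

# Substrings that mark a cookie as a session identifier (assumption for this example).
SESSION_COOKIE_HINTS = ("sess", "sid", "auth", "token")


def parse_set_cookie(header_value):
    """Split one Set-Cookie header value into (name, value, attributes).

    Attribute keys are lower-cased; valueless attributes such as Secure and
    HttpOnly are stored as True.
    """
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return name.strip(), value.strip(), attrs


def browser_would_send(attrs, scheme):
    """Return True if a browser would attach this cookie to a request of the given scheme.

    Without the Secure attribute the cookie rides along on plaintext HTTP,
    which is exactly the traffic a passive sniffer on a shared network sees.
    """
    return scheme == "https" or not attrs.get("secure")


def looks_like_session_cookie(name):
    """Heuristic: treat cookies whose name hints at a session or auth token as sensitive."""
    lowered = name.lower()
    return any(hint in lowered for hint in SESSION_COOKIE_HINTS)


def audit_response(set_cookie_headers):
    """Return a list of findings for session cookies exposed to plaintext HTTP or to page scripts.

    An empty list means every session cookie is confined to HTTPS and hidden
    from JavaScript.
    """
    findings = []
    for header in set_cookie_headers:
        name, _, attrs = parse_set_cookie(header)
        if not looks_like_session_cookie(name):
            continue
        if browser_would_send(attrs, "http"):
            findings.append(f"{name}: lacks Secure, would be sent over plaintext HTTP")
        if not attrs.get("httponly"):
            findings.append(f"{name}: lacks HttpOnly, readable by page scripts")
    return findings


# Constructed sample responses: a login over HTTPS that issues the session
# cookie without protective attributes, and the hardened form of the same response.
WEAK_RESPONSE = [
    "sessionid=CONSTRUCTED-SESSION-VALUE; Path=/",
    "lang=en; Path=/",
]
HARDENED_RESPONSE = [
    "sessionid=CONSTRUCTED-SESSION-VALUE; Path=/; Secure; HttpOnly",
    "lang=en; Path=/",
]

if __name__ == "__main__":
    for label, response in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(f"{label}: {audit_response(response) or 'no session cookie exposed'}")
```

Marking the cookie `Secure` is only half of the fix the post is asking for: the site also has to serve the whole session over HTTPS, otherwise the browser simply stops sending the cookie on the plaintext pages and the user is logged out there. Run the audit against the real `Set-Cookie` headers your login endpoint returns; the preference cookie in the sample shows that non-session cookies are deliberately left alone.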

With some education, improvements in application development lifecycle processes, and the right informational tools, you can improve those chances greatly.

The cool hacks and attack techniques might get the attention, but it’s the detailed technical work that needs to be done by application developers as part of their day by day responsibilities that is where the real improvements in security are going to come from.

By working with experts in the field and using the learning and tools that are available, this work does not have to increase the cost or time it takes to develop applications. Fixing problems after the fact will definitely cost. The team at Facebook just incurred some of that cost and unplanned work. If you don’t have the development resources of Facebook (and who does?), get ahead of the curve and engage with some experts in the field… or simply get started by referencing some of the links above in this blog.


Ed Adams is a software executive with successful leadership experience in various-sized organizations that serve the IT security and quality assurance industries. As CEO, Mr. Adams applies his security and business skills, as well as his pervasive industry experience in the software quality space, to direct application security experts to help organizations understand the risks in their software systems and develop programs to mitigate those risks. The company has delivered high-quality risk solutions to the most recognizable companies in the world including Microsoft, IBM, Fedex, ING, Sony, Nationwide and HP.