Facebook lets users opt-in to security

By Nicole Kobie

Posted on 27 Jan 2011 at 09:41

Facebook has unveiled a pair of new security features, a day after its founder's profile page was apparently hacked.

Yesterday, Mark Zuckerberg's account appeared to be taken over, although Facebook has since suggested it was a bug affecting more than just its CEO.

Today, Facebook answered critics accusing it of lax security by rolling out secure connections across the site as well as a new user authentication system.

Facebook has previously used HTTPS for passwords, but now users can flip it on to protect their activity across the entire site. Alex Rice, security engineer for Facebook, suggested users turn it on only if they frequently access the site from public locations.

Rice noted not everyone will want the added security, as it may hurt the site's performance.

"Encrypted pages take longer to load, so you may notice that Facebook is slower using HTTPS," he said in a post on the Facebook blog. "In addition, some Facebook features, including many third-party applications, are not currently supported in HTTPS. We'll be working hard to resolve these remaining issues."

While Facebook is normally criticised for making its changes opt-out, this time it's taking flak for leaving it opt-in, with critics saying the social network should follow the lead of sites such as Gmail and use secure connections all the time.

"Facebook has decided that when it comes to protecting your privacy you must choose to opt-out of sharing, but when it comes to enhancing your privacy you must opt-in," said security analyst Chester Wisniewski on the Sophos blog, admitting it was a "minor quibble".

The system is being rolled out over the next few weeks, and can be turned on in Account Settings.

Photo security

Facebook also said it was continuing to look at using friends' photos for authenticating accounts.

Instead of asking for a password, the system asks a user to name their friends in photos.

"We will show you a few pictures of your friends and ask you to name the person in those photos," said Rice. "Hackers halfway across the world might know your password, but they don't know who your friends are."

When the system was first put into limited use last year, people were locked out of their profiles when shown pictures that were tagged as their friends, but were actually objects or something else unidentifiable.

"We will continue to test social authentication and gather feedback from you and the security community on how to make this and other social features safe and useful," Rice said, but didn't say when the system might be ready for wider use across the site.

User comments

Don't Get Rid of Passwords!

"Hackers halfway across the world might know your password, but they don't know who your friends are."

What about when the hacker isn't halfway across the world, when it's someone you know who also happens to know these same friends? My profile's private but it still shows who my friends are, so what's to stop the hacker quickly browsing through them and identifying the friends in the photo?
I suppose having the photo identification as well as the password should increase security, but I'm sure the people who can work out a user's password can also work out how to get past the photo. Facebook always seem to think up the silliest things, without actually thinking about them!

By lolalou_xxx on 27 Jan 2011

Facebook lets users opt-in to security?

I totally agree with the critics. In this instance it should be opt-out. So what if the third party apps don't support https. Surely this is a golden opportunity to lock down the apps apple style as well.

By mr_chips on 27 Jan 2011

Mark Simpson

Given that facebook's default security is no security, this is laughable.

And Chester Wisniewski is wrong about the opt-in/opt out differences being a "minor quibble". It's at the heart of the way Facebook is designed and run.

Giving an app access to my data is an all or nothing choice. I don't get specific information about what data the app actually uses. Given facebook can't be bothered to vet apps, I've got no idea what may be passed on at any time. I should be able to choose by getting a box telling me exactly what data the app wants to access. I then decide whether to allow it to or not. If I allow it to, and it asks for other data in future, it should require a re-authentication.

Given how much data Facebook holds in terms of wall posts, photos, videos etc, any extra data stored about each app you're using would be trivial.

Another point in fact is "instant personalisation". This first cropped up months ago. At the time, I switched it off. As I don't want websites doing what is effectively drive-by data theft without me knowing about it and controlling it.

I now find, after some dubious "redesign", instant personalisation is back. And is ticked again, despite me explicitly saying not to months ago.

So Facebook is not only defaulting to risky behaviour, it has totally ignored my explicit previous wishes on the matter.

This is the kind of thing the UK ICO should be stamping down on. But, being a seemingly toothless watchdog, it seems content as long as companies like Google or Facebook tickle its tummy occasionally.

I would almost say that we need something at EU level, big enough to take on the global big boys. But given the recent clearing of the Intel acquisition of McAfee, and the ham-fisted way they forced the browser ballot on EU Windows users, I doubt an EU body would be any more effective.

I personally thought it was a good idea to make users aware of other browser options. In fact, I've used Firefox for years. So just resented the fact I was forced to choose a browser in the ballot regardless of my pre-registered preference.

By Penfolduk01 on 28 Jan 2011

PCPro-Computing in the Real World Printed from www.pcpro.co.uk