Why Facebook's Secure Login Option Is A Joke

Facebook recently introduced the option to use a more secure HTTPS login when accessing the social networking service, but it's not switched on by default. AusCERT threat researcher Kathryn Kerr says that Facebook's approach underscores how it isn't seriously committed to security.

Speaking at the Kickstart IT media forum in Queensland, Kerr was scathing about Facebook's approach to security for user data:

Why for goodness sake does Facebook have all these privacy settings but then will pass the data over HTTP? Basically it is giving it away. They should understand the basic principles of the technology and implement HTTPS as a basic standard, not as an optional extra you have to log in and which can be disabled.

Lax security isn't a unique problem for Facebook, of course, but it can't use the excuse of not having sufficient resources to address the problem, Kerr said:

This is a billion dollar company and they can't get basic SSL right. They can afford proper security training and the staff to do it so what the hell's going on?

The other issue with Facebook making HTTPS login an option rather than the standard is that it doesn't encourage users to think actively about their security settings or to have higher expectations from providers, Kerr said: "It trains people not to expect security as well."

If you are a regular Facebook user, then it is definitely worth going to the effort of setting up secure browsing, even though this can occasionally play havoc with some apps. Unfortunately, I suspect it will take a major leakage of data that impacts Facebook itself — not just the personal life or employment prospects for an individual user — before we see more radical change and better security options from the social networking giant.
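Kerr's complaint is that an opt-in "secure browsing" toggle does not make a service HTTPS-by-default: if the session cookie is still sent over plain HTTP, or the site quietly drops back to HTTP on the next page, the privacy settings protect nothing. The following is an added example (not code from the article or from Facebook) showing what a defender would actually check for. It audits constructed sample responses for the three properties that make HTTPS the default rather than optional: the plain-HTTP request is redirected to `https://`, the session cookie carries the `Secure` flag so the browser never sends it in the clear, and the HTTPS response sets `Strict-Transport-Security` so the browser refuses later downgrades. The host `example.test`, the cookie name `sess` and the header sets are assumptions made for the example.

```python
"""Audit whether a web service actually keeps a logged-in session on HTTPS.

Added example, not code from the original article. The responses below are
constructed sample data, not captured from any real service.
"""
from http.cookies import SimpleCookie
from urllib.parse import urlsplit


def parse_set_cookie(headers):
    """Return a SimpleCookie holding every Set-Cookie header in a header list."""
    jar = SimpleCookie()
    for name, value in headers:
        if name.lower() == "set-cookie":
            jar.load(value)
    return jar


def audit_transport(http_status, http_headers, https_headers, session_cookie="sess"):
    """Return a dict of findings; a True value means that check passed."""
    findings = {}
    lower_http = {k.lower(): v for k, v in http_headers}
    lower_https = {k.lower(): v for k, v in https_headers}

    # 1. A plain-HTTP request for a logged-in page must redirect to https://.
    location = lower_http.get("location", "")
    findings["http_redirects_to_https"] = (
        http_status in (301, 302, 307, 308)
        and urlsplit(location).scheme == "https"
    )

    # 2. The session cookie must be marked Secure (HttpOnly noted as well),
    #    otherwise an optional-HTTPS site leaks it the moment it drops to HTTP.
    morsel = parse_set_cookie(https_headers).get(session_cookie)
    findings["session_cookie_present"] = morsel is not None
    findings["session_cookie_secure"] = bool(morsel and morsel["secure"])
    findings["session_cookie_httponly"] = bool(morsel and morsel["httponly"])

    # 3. The HTTPS response must send HSTS with a non-zero max-age so the
    #    browser refuses to be downgraded on later visits.
    max_age = 0
    for directive in lower_https.get("strict-transport-security", "").split(";"):
        key, _, val = directive.strip().partition("=")
        if key.lower() == "max-age" and val.isdigit():
            max_age = int(val)
    findings["hsts_enabled"] = max_age > 0
    return findings


def verdict(findings):
    """Collapse the findings into the pass/fail a reviewer cares about."""
    required = ("http_redirects_to_https", "session_cookie_secure", "hsts_enabled")
    return all(findings[k] for k in required)


# Constructed sample: "secure browsing" is a toggle, the site still serves the
# page over HTTP and the session cookie has no Secure flag.
OPTIONAL_HTTPS = dict(
    http_status=200,
    http_headers=[("Content-Type", "text/html"),
                  ("Set-Cookie", "sess=abc123; Path=/; HttpOnly")],
    https_headers=[("Content-Type", "text/html"),
                   ("Set-Cookie", "sess=abc123; Path=/; HttpOnly")],
)

# Constructed sample: HTTPS is the default for everyone.
HTTPS_BY_DEFAULT = dict(
    http_status=301,
    http_headers=[("Location", "https://example.test/home")],
    https_headers=[("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
                   ("Set-Cookie", "sess=abc123; Path=/; Secure; HttpOnly")],
)

if __name__ == "__main__":
    for label, sample in (("optional HTTPS", OPTIONAL_HTTPS),
                          ("HTTPS by default", HTTPS_BY_DEFAULT)):
        f = audit_transport(**sample)
        print(label, "PASS" if verdict(f) else "FAIL", f)
```

The first sample fails all three required checks even though a user could, in principle, type `https://` by hand: nothing stops the cookie travelling over HTTP on the next click. The second passes because the protection is enforced by the server and the browser, not by a setting the user has to find and switch on.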
Comments

    It's worse than that.

    If you use Facebook Mobile, it doesn't work unless you use workarounds, even then there's no guarantee.

    This is with the secure option selected.

    Pathetic effort.

    Interesting read about how Facebook login is insecure by not forcing https, then on the same page there is the option to login to Facebook to make a comment, yet the page has no https??

    Plain and simply, Facebook are not committed to providing a secure service, and people need to be mindful of the relaxed approach taken on the topic for a long time - what else could you really expect from a company run by a man who has acknowledged he was quoted saying "They Trust Me. Dumb Fucks."

    And still worse than that...

    FB requiring all developers to use IFRAMES by 3/11 and there is a bug that prevents users browsing "securely" to see any TAB using IFRAME:

    http://bugs.developers.facebook.net/show_bug.cgi?id=15200

    I thought there had been major leakages already. Wasn't there a huge database created recently of users addresses, phone numbers and other personal details?

    Isn't an SSL connection to Facebook like sending your bank account details to a Nigerian scammer via registered mail? Sure you know they're the only ones getting the message but isn't what they do with that information at the other end a bigger concern?

    Facebook don't care about security, because people being insecure about their information is Facebook's product.

    I think Google is passing up a golden opportunity if it thinks "Google Me" will be useful as a tiny box in the corner of the Google homepage (if that's still their current plan for it).

    I never use any apps (I have plenty of games on my PC to keep me entertained) so breaking stuff isn't a problem for me.

    My guess is the overhead. Facebook has publicly done so much regarding making every page load as fast as possible. It comes down to money as usual.
    Sure, secure every connection - but that's going to add more overhead on what they do. Facebook being an on-line service only has to keep its public opinion up. It's got to be easy, it's got to be fast. People were complaining about the few hour outage they had last year. Now that articles such as this one are coming out of course they'll make the change with time - but only because they're forced into it.

    Replace "users" with "marketable products" and you might start to understand why facebook doesn't give a flying fuck about its products' privacy. It's not as though facebook's customers (the advertisers) are demanding that facebook treat its products with respect.

    Cheers,
    -Hugh

    Pretty sure that login has always been HTTPS.

    Does it matter?

    Don't like the way they do things? There are plenty of other alternatives..

    You can go on any site, large or small population and pick at it.

    I heard that Facebook was trialing the HTTPS so rather than switching it on for everyone, they let some try so it doesn't break things as much. They have done this in the past with other opt in features like the new profiles. I am sure more than half its users don't know what HTTPS is and would rather Facebook work than not work because Facebook turns on HTTPS by default.
    Just a thought...

    My Problem with the Https is that if you don't turn the setting ON in your profile, that it drops you to http on ANY next page in Facebook you browse to.

    The setting should be there to say when you try to log in via http (while there is this "optional use") that it asks if you wish to continue in https mode. Otherwise it should stay in the protocol you chose.

    I use Chrome for my browser and use an extension that forces HTTPS everywhere it's available...but since this update on Facebook I'm getting errors saying I can't use HTTPS on certain areas of Facebook and it makes me click an HTTP link...which of course my browser changes to an HTTPS link, and I get stuck in a loop. Pretty lame when you can't even choose to be secure on a site holding so much personal data.

    I just wanna use facebook n this keeps comin up.... :blink:

    I have been hacked twice this year, my passwords have been strong but still they get hacked. I just read on a facebook additional ap. Knowledge of how to hack. So what are we to do when people can do this with an email. That is all they need with a software they can download from that site. Facebook needs to work out how to stop them from doing it, as we all have to have an email. With the billions of dollars facebook have, how about using some and find someone who can do the job.