Facebook recently introduced the option to use a more secure HTTPS login when accessing the social networking service, but it's not switched on by default. AusCERT threat researcher Kathryn Kerr says that Facebook's approach underscores how it isn't seriously committed to security.
Speaking at the Kickstart IT media forum in Queensland, Kerr was scathing about Facebook's approach to security for user data:
Why for goodness sake does Facebook have all these privacy settings but then will pass the data over HTTP? Basically it is giving it away. They should understand the basic principles of the technlogy and implement HTTPS as a basic standard, not as an optional extra you have to log in and which can be disabled.
Lax security isn't a unique problem for Facebook, of course, but it can't use the excuse of not having sufficient resources to address the problem, Kerr said:
This is a billion dollar company and they can't get basic SSL right. They can afford proper security training and the staff to do it so what the hell's going on?
The other issue with Facebook making HTTPS login an option rather than the standard is that it doesn't encourage users to think actively about their security settings or to have higher expectations from providers, Kerr said: "It trains people not to expect security as well."
If you are a regular Facebook user, then it is definitely worth going to the effort of setting up secure browsing, even though this can occasionally play havoc with some apps. Unfortunately, I suspect it will take a major leakage of data that impacts Facebook itself -- not just the personal life or employment prospects for an individual user -- before we see more radical change and better security options from the social networking giant.