Facebook offering site-wide 'HTTPS' security
Facebook will allow its users to encrypt their use of the site, an overdue move that would stop eavesdroppers from picking up any information sent to and from the social network.
This may come too late to protect founder Mark Zuckerberg's recently hacked public page, but the rest of us can benefit from it.
The Palo Alto, Calif., company announced the news on its blog. Instead of scrambling only your login -- something that its design obscures by not showing the usual lock icon and "https" address prefix in a browser that you see in the image above -- it will allow users to encrypt their entire session on the site.
Facebook's blog post warns that enabling this measure once it's available in your account (which may take a few weeks) will have some side effects:
Encrypted pages take longer to load, so you may notice that Facebook is slower using HTTPS. In addition, some Facebook features, including many third-party applications, are not currently supported in HTTPS. We'll be working hard to resolve these remaining issues.
Turn it on anyway when you can, even if that means dumping an incompatible Facebook application.
The post goes on to note that Facebook hopes to make this a default setting -- a good idea that Google adopted for Gmail last year.
The post does not, however, note another security upgrade Facebook seems to have planned. A screen shot on it, showing a green highlight in a browser address bar labeled "Facebook, Inc. (US)," indicates that it will use "extended validation" security, an extra measure of defense against site-impersonation attempts.
(Post Co. chairman Donald E. Graham sits on Facebook's board of directors. I hope he enables the new HTTPS option, too.)
A lot of Web sites remain behind the curve in terms of using security options that have long been available. While it's rare to see a site not require an encrypted "SSL" login, many fumble their implementation of it and few bother setting up "EV" security as Facebook seems to be doing.
You can work around these issues by tinkering with your browser or adding third-party extensions to force an encrypted connection. But it's simpler if the site allows you to use full-session encryption -- and, better yet, takes the decision out of a user's hands by making that a default setting.
Facebook's post also notes an account-validation technique I've seen one or two readers describe in e-mails: When the site suspects an account has been compromised, it will require its user to identify pictures of their current Facebook friends to prove that he or she is the rightful account holder.
Those are good steps for the world's biggest social network. Your privacy relative to other Facebook users, however, remains a lot more complicated.