Slashdot Mirror

← Back to Stories (view on slashdot.org)

Facebook Launches Social Login and HTTPS

Posted by samzenpus on from the secure-friend-request dept.

dkd903 writes "Facebook has introduced two new features. First is a really innovative way to verify real users rather than using CAPTCHAS. Using the Social Login feature (or Social Authentication as Facebook calls it), users will be shown a few pictures of their friends and then they will be asked to name the person in those photos. They've also launched HTTPS. The company says: 'Starting today we’ll provide you with the ability to experience Facebook entirely over HTTPS. You should consider enabling this option if you frequently use Facebook from public Internet access points found at coffee shops, airports, libraries or schools.'"

42 of 273 comments (clear)

  1. Facebook discovers HTTPS by nospam007 · · Score: 2, Insightful

    News at 11.

    1. Re:Facebook discovers HTTPS by creativeHavoc · · Score: 2, Informative

      HTTPS at facebook's scale is not insignificant.

      --
      insight through the mind
    2. Re:Facebook discovers HTTPS by Enry · · Score: 3, Interesting

      Wait, what?

      All you're talking about is scale. Instead of having a regular HTTP site, you now have HTTPS sites, and perhaps a few more to handle the load. HTTPS is not the CPU hog it was 10 years ago, and HTTPS is not some obscure technology noone uses. Wikipedia offers HTTPS, Google offers HTTPS. What makes it so difficult for Facebook to do the same?

    3. Re:Facebook discovers HTTPS by Aerorae · · Score: 5, Funny

      Breaking Development! Facebook introduces HTTPS after CEO Mark Zuckerbergs' facebook account is hacked!!!

    4. Re:Facebook discovers HTTPS by MysteriousPreacher · · Score: 5, Insightful

      Yeah, the photo ID thing is iffy. If photos are to believed, quite a few of my friends appear to be very young babies. Another bunch are cartoon characters.

      --
      -- Using the preview button since 2005
    5. Re:Facebook discovers HTTPS by icebike · · Score: 4, Informative

      One thing FaceBook has going for it is that Https impact is far less significant as a percentage of time and actual server loading on sites where content can't be (or isn't typically) cached, and delivery is more than a few words.

      Setup is expensive, but once negotiated data transmission is not that bad.

      Fetching a tweet would really hurt under ssl, but a facebook page is usually fairly significant in size. Making lots of short requests over HTTPS will be quite a bit slower than HTTP, but if you transfer a lot of data in a single request, the difference will be insignificant. If Facebook implements http keep-alive oh https connections you should be able to reuse the the connection.

      Yes the handshake is longer (usually 5 traverses vs 2). We are talking about 200ms vs 500ms for the first connection. But during that time the web server isn't having to pound content down the pipe so it might not be as bad as it sounds.

      --
      Sig Battery depleted. Reverting to safe mode.
    6. Re:Facebook discovers HTTPS by SuperQ · · Score: 5, Interesting

      Again, what scale? Enabling https is only a few % different in CPU time for handling the crypto overhead. I've done the math. Based on any reasonably modern server machine (say a 1U dual socket quad-core) and facebook's quoted query rate it would only require an extra half rack of CPUs to turn on https for all facebook pages, including images.

    7. Re:Facebook discovers HTTPS by jvp · · Score: 3, Informative

      For what little it may be worth, I've been using HTTPS w/Facebook for *months*. It's been available for general use for quite some time, it's just that no one bothered trying it. And as you pointed out, the only thing that didn't work (and still doesn't) is chat.

      This isn't really news at all. It's just "news" because of what happened to Zuckerberg.

      --
      Jason Van Patten
    8. Re:Facebook discovers HTTPS by mini+me · · Score: 2

      There was an article recently posted here talking about Facebook deployment methods. One of the points was that they rolled out features to small subsets of their users. Given that it only launched today, if you were using it before, it means you were part of a select group.

      Though I do agree that SSL is not a big news story.

    9. Re:Facebook discovers HTTPS by severoon · · Score: 3, Insightful

      Of course, social login won't last long when they realize most of their users can't ID most of the people in their "friend" list.

      --
      but have you considered the following argument: shut up.
    10. Re:Facebook discovers HTTPS by Angostura · · Score: 2

      Even if it's a real photo, surely that is susceptible to attack through something like TinEye?

    11. Re:Facebook discovers HTTPS by dreamchaser · · Score: 2

      Https adds very little overhead. Scale in this case is meaningless compared to the rest of Facebook's operations. You are either trolling, an idiot, or both. Or you were just trying to be funny and failed.

    12. Re:Facebook discovers HTTPS by phoenix321 · · Score: 2

      Their internal network is an insignificant threat. It's internal and they probably have access to everything anyway.

      HTTPS will help with what's going over the wire. And even more with the wireless. A ton of options for filtering, eavesdropping, snooping and altering have just vanished from the bad guys menu. It's not going to help with keyloggers or webcams pointed on keyboards on cybercafes, but other than that, it's fine.

      Introduce the general population to the concept of "encrypt everything, just because you can and it has not a one downside but many upsides for me as a client". Score 1 for security. And then convince a literal convention center full of old network geezers that encrypting everything is perfectly feasible even for free-as-in-beer projects on a planetwide scale like Facebook. For these old-timers, a ton of options for excusing, avoiding, stonewalling and complaining about HTTPS will simply vanish within a few months.

      And that is what counts.

      If everyone encrypts everything, privacy will be much better. Protection from illegal searches is much better. Protection against eavesdroppers is much better. If the added cost for HTTPS is negligible, regular HTTP becomes useless. And rightly so. No one should be sending open postcards when they can have privacy-protected letters.

      We as clients cannot advance general HTTPS-for-everything by much. It is the admins and people responsible for all those websites that can. And largely they didn't, until today. Please let me be the first to say: plaintext is dead. Facebook confirms it.

    13. Re:Facebook discovers HTTPS by Belial6 · · Score: 2

      It is likely more for the puropose of verify that people are not putting in fake data. Let your 'friends' identify you for Facebook.

    14. Re:Facebook discovers HTTPS by HJED · · Score: 2

      Not for me

      --
      null
  2. Links wrong by XanC · · Score: 2

    I'm able to change the protocol to https for any page, successfully. But all the links on that page point back to http. So... That's pretty limited https support.

    1. Re:Links wrong by Jugalator · · Score: 5, Informative

      For "persistent https", I think you have to enable the new option in Account Settings -> Account Security.

      I saw that one in a screenshot, but that option doesn't seem to be rolled out here yet, although I am able to manually type in "https://" in front of URL's. However, as you say, that only leads to using https temporarily.

      --
      Beware: In C++, your friends can see your privates!
  3. Problem by girlintraining · · Score: 5, Interesting

    Problem: A lot of what people tag as me is to get my attention, not because it IS me. I got locked out of my account for about a week because of this mis-feature, and when I did get back in, I had to spend about three hours removing tags of things like trees, the sun, burgers, and lots of other stuff.... now it works. But the solution fails because it makes an assumption that isn't always true.

    --
    #fuckbeta #iamslashdot #dicemustdie
    1. Re:Problem by by+(1706743) · · Score: 2

      Your friends with somebody who you don't really know (like an ex-classmate) and therefore forget their name when the photo is shown to you.

      I'm sure they could show pictures based on activity. Do you write on this person's wall often? Do you comment on their photos, etc.? If so, then there's a reasonable chance that you know what the person looks like.

    2. Re:Problem by Jesse_vd · · Score: 2

      I believe it just prohibits anyone from re-tagging you in that particular picture .....where is my submit button?

  4. All but mandatory for "free" wifi by davidwr · · Score: 3, Interesting

    All web sites that allow logins should REQUIRE or at least STRONGLY ENCOURGE HTTPS from unencrypted WiFi hotspots such as those "found at coffee shops, airports, libraries or schools."

    I may trust McStarCoffeeInn not to snoop my traffic but I do NOT trust the guy in the next booth or room much less the guy in the parking lot.

    The traveling public needs to pressure these companies - especially those that charge for it like some hotels - to switch to encrypted WiFi.

    --
    Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
  5. Who are you? by Anonymous Coward · · Score: 3, Insightful

    The "social login" is going to cause issues for people who have no idea what their "friends" look like. Or with friends with other subjects in their pictures.

  6. Picture thing by stoolpigeon · · Score: 4, Insightful

    The photo thing has been around for a long time and it sucks. I travel and have wanted to connect to facebook when in a different country, and it decides I need to prove who I am. So I have to match a certain number of pictures with the right person. The summary makes it sound clever and good, it is anything but.
     
    It's been a few months since last time I did it, so I don't remember exact numbers but I had to get something like 4 out of 5 right. Then they start showing photos, and there is a list of 4 or 5 friend names below. It is up to you to pick the right friend to go with the photo.
     
    What's the biggest problem? Well, you don't get pictures of the persons face as the summary says. What you get are pictures tagged with that persons name. The first one I did was their face, and I thought, "o.k. - no problem.".
     
      The next one was some kid. A relative of one of my friends? A neigbor of one of my friends? Shoot could have even be one of my friends as a kid, I have no idea. All I know is I've got a 1 in 4 chance of guessing who this belongs to and if I'm wrong I've just used up my one wrong answer.
     
    Next photo is an inanimate object. I don't know remember what it was any more. A pie or some food of some kind I think. Which friend is this?! I don't know. Best guess it is something one of my friends ate once. Who does it belong to? Once again, I haven't the slightest, but as you can guess, I wasn't allowed to log in.
     
    A smaller problem is that I am not super close friends with every one of my friends on facebook. My barrier to entry on the friendship front is pretty low. I'm friends with people I knew in jr. high, highschool, worked with once, went to church with them years ago, etc. I know them but am not intimately close with them. Facebook is a good way to keep in touch while maintaining a comfortable distance. But will I be able to identify them in every pic of themselves they've uploaded to facebook? I doubt it. Not to mention the fad a bit back to change your profile pic to a cartoon character. I'll bet dollars to donuts those go into the rotation. Which of your friends was underdog and which was optimus prime? I don't remember.
     
    It's a horrid system. A co-worker of mine on the same trip ran into it too. He mocked me for not knowing my friends well enough and then almost put his laptop through a window when he couldn't log into facebook. He had almost an identical experience, a picture of some 6 or 7 year old kid he didn't know and a bike or something.

    --
    It's hard to believe that's how Micronians are made. Why don't we see it right now by having you both kiss one another?
    1. Re:Picture thing by ctd600ftlb · · Score: 2

      Haven't actually seen this system in action myself, but you've mentioned a lot of the issues I first thought about - pets, kids, inanimate objects for pictures and whatnot. Group pictures seem like they could be a problem, too. With two friends getting married last year, a lot of pictures they or I are tagged in are from weddings, and some of these pictures might have five people who I'm friends with on Facebook in them. I'm guessing if Alice and Bob are both tagged in a picture, either would be a correct answer, but what if Bob is in the picture but not tagged? Just seems like a system with a lot of potential problems.

    2. Re:Picture thing by metamatic · · Score: 2

      It's going to ruin the Facebook experience for people like Oliver Sacks who suffer from face blindness.

      --
      GCHQ Quantum Insert installed. If only our tongues were made of glass, how much more careful we would be when we speak
    3. Re:Picture thing by AmberBlackCat · · Score: 2

      My first thought was how often people on my list change their names. I could be "Amber J" this morning and be "Badasx Ambie" later tonight when you try to log on. Sometimes I have to click on people's picture just to know who they are because their new name has nothing to do with their real name anymore.

  7. Am I missing something? by hellkyng · · Score: 5, Insightful

    This social login is supposed to increase security? What about privacy. It seems like this feature can be leveraged to harvest pics from facebook, not that they weren't already available to the highest bidder anyway. Hopefully they have something in place to prevent harvesting...

  8. Anyone else sense ulterior motives? by Anonymous Coward · · Score: 3, Interesting

    As a coincidental bonus of this new CAPTCHA, Facebook has nearly every photo stored in their library face-tagged for them, using the most powerful and accurate computers in existence - us.

  9. Unknown "friends" by Esospopenon · · Score: 2

    I'm curious about how the "Social Authentication" feature will play out, especially for the facebook users eighter view the friendslist as a sort of competition or who play games that reward users who have many friends playing the game and therefore add friends by the truckload without having any real idea of who they are. There's probably a lot of people playing the latest Zynga game or whatever is popular these days, with an extremely large list of "friend" who they don't know and don't want to know, other that they share the same game interest and it's a win-win in relation to that game. If facebook starts asking questions about these 'friends' then I fear many users will fail the social authentication and then what?

  10. Won't work for me by denshao2 · · Score: 2

    More than half my friend list consists of people that I don't really know. Some are gamers who help me with social games that offer benefits to players that have a lot of friends who play the same game. Also, it seems to have become a fad to use weird aliases instead of real names.

  11. Re:Security, Now? by creativeHavoc · · Score: 4, Informative
    Really it has more to do with the fact that they did it for Tungsnia, so they have now just implemented it for other countries

    The evidence that accounts were being hacked remained anecdotal. Facebook's security team couldn't prove something was wrong in the data. It wasn't until after the new year that the shocking truth emerged: Ammar was in the process of stealing an entire country's worth of passwords. [...] Sullivan's team rapidly coded a two-step response to the problem. First, all Tunisian requests for Facebook were routed to an https server. [...] The second technical solution they implemented was a "roadblock" for anyone who had logged out and then back in during the time when the malicious code was running. Like Facebook's version of a "mother's maiden name" question to get access to your old password, it asks you to identify your friends in photos to complete an account login.

    --
    insight through the mind
  12. Tagged pictures by Mentally_Overclocked · · Score: 2

    I thought it was just a clever way for us to do work training their facial recognition algorithm ... Maybe a huge conspiracy to create a government identification database!

    --

    Mathematician, n.:
    Someone who believes imaginary things appear right before your i's.
  13. that's genius by digitalsushi · · Score: 2

    i cant share my wife's account anymore. i gotta make my own now.

    well, i needed to make one for myself just to untag my name from my ugly mug anyways. either way the machine is going to eat me. *splat* i give up. there's no way to avoid them. people i see can take photos of me and label me. i cant undo it without logging in. if i log in, it is still stored.

    it's a new world i guess.

    --
    slashdot: where everyone yells sarcastic metaphors to themselves to understand the issue
  14. Re:It's a good thing(tm)! by Haedrian · · Score: 3, Informative

    They can hardly sell your personal information if a guy at starbucks can sniff it from you can they?

    Stop information piracy! Buy facebook!

  15. Remember when... by Haedrian · · Score: 4, Insightful

    Someone had the 'brilliant' idea of everyone replacing their face with cartoon images from their childhood?

    They pull that sort of thing now, and most people won't be able to log in...

  16. From the horse's mouth... by l00sr · · Score: 2

    http://blog.facebook.com/blog.php?post=486790652130&ref=mf

  17. My congratulations by Carnildo · · Score: 5, Insightful

    My congratulations to the Facebook developers. They've made a website that faceblind people like me cannot use -- I didn't think that was possible.

    I wonder if I can sue them under the Americans with Disabilities act...

    --
    "They redundantly repeated themselves over and over again incessantly without end ad infinitum" -- ibid.
    1. Re:My congratulations by stevie.f · · Score: 2

      When logging in from a different location (im my case I was on holiday, so I was on a different continent) I had to do this to verify that I was the account owner. I can understand why, but it was extremely frustrating and if I had been traveling without my partner then I would have been unable to use facebook for the duration of the trip. This was the only way possible to regain access to the account.

  18. Re:HTTPS on Facebook is still not 100% working by mini+me · · Score: 2

    While I am skeptical that anyone needs Facebook chat, given that it provides an XMPP interface, couldn't she use Facebook over HTTPS and chat over XMPP?

  19. HTTPS has been there for a long time, still no IM by Anonymous+Freak · · Score: 4, Interesting

    I've been using HTTPS for Facebook for quite a while (when accessing over wireless, or from work,) and they've slowly been making it less obnoxious. The certificate errors disappeared a few weeks ago, but there is still no IM via HTTPS. And if you are logged out and visit their site via HTTPS, if punts you back to the regular HTTP when you log in, so you have to go manually re-S the connection.

    --
    Another non-functioning site was "uncertainty.microsoft.com."
    The purpose of that site was not known.
  20. Re:Security? More Like Giving Up Your Friends by vux984 · · Score: 2

    No. The photos they use are, by definition, tagged already. They already have the information. They are just asking you to confirm it.

    They already have "information".
    They may not have "good information".

    Images with a statistically high "miss rate" can be rated "poor representations" of so-and-so. Images with a statistically low "miss rate" can be rated "good representations" of so-and-so.

    As usual with facebook you are feeding them more information than you think.

  21. Re:Social Login: by 91degrees · · Score: 2

    Just because there's a situation where it doesn't work doesn't make it useless. And I don't know about you, but none of my friends know all of my friends.