Slashdot Mirror
Facebook Launches Social Login and HTTPS
dkd903 writes "Facebook has introduced two new features. First is a really innovative way to verify real users rather than using CAPTCHAS. Using the Social Login feature (or Social Authentication as Facebook calls it), users will be shown a few pictures of their friends and then they will be asked to name the person in those photos. They've also launched HTTPS. The company says: 'Starting today we’ll provide you with the ability to experience Facebook entirely over HTTPS. You should consider enabling this option if you frequently use Facebook from public Internet access points found at coffee shops, airports, libraries or schools.'"
Problem: A lot of what people tag as me is to get my attention, not because it IS me. I got locked out of my account for about a week because of this mis-feature, and when I did get back in, I had to spend about three hours removing tags of things like trees, the sun, burgers, and lots of other stuff.... now it works. But the solution fails because it makes an assumption that isn't always true.
#fuckbeta #iamslashdot #dicemustdie
All web sites that allow logins should REQUIRE or at least STRONGLY ENCOURGE HTTPS from unencrypted WiFi hotspots such as those "found at coffee shops, airports, libraries or schools."
I may trust McStarCoffeeInn not to snoop my traffic but I do NOT trust the guy in the next booth or room much less the guy in the parking lot.
The traveling public needs to pressure these companies - especially those that charge for it like some hotels - to switch to encrypted WiFi.
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
Wait, what?
All you're talking about is scale. Instead of having a regular HTTP site, you now have HTTPS sites, and perhaps a few more to handle the load. HTTPS is not the CPU hog it was 10 years ago, and HTTPS is not some obscure technology noone uses. Wikipedia offers HTTPS, Google offers HTTPS. What makes it so difficult for Facebook to do the same?
Breaking Development! Facebook introduces HTTPS after CEO Mark Zuckerbergs' facebook account is hacked!!!
The "social login" is going to cause issues for people who have no idea what their "friends" look like. Or with friends with other subjects in their pictures.
The photo thing has been around for a long time and it sucks. I travel and have wanted to connect to facebook when in a different country, and it decides I need to prove who I am. So I have to match a certain number of pictures with the right person. The summary makes it sound clever and good, it is anything but.
It's been a few months since last time I did it, so I don't remember exact numbers but I had to get something like 4 out of 5 right. Then they start showing photos, and there is a list of 4 or 5 friend names below. It is up to you to pick the right friend to go with the photo.
What's the biggest problem? Well, you don't get pictures of the persons face as the summary says. What you get are pictures tagged with that persons name. The first one I did was their face, and I thought, "o.k. - no problem.".
The next one was some kid. A relative of one of my friends? A neigbor of one of my friends? Shoot could have even be one of my friends as a kid, I have no idea. All I know is I've got a 1 in 4 chance of guessing who this belongs to and if I'm wrong I've just used up my one wrong answer.
Next photo is an inanimate object. I don't know remember what it was any more. A pie or some food of some kind I think. Which friend is this?! I don't know. Best guess it is something one of my friends ate once. Who does it belong to? Once again, I haven't the slightest, but as you can guess, I wasn't allowed to log in.
A smaller problem is that I am not super close friends with every one of my friends on facebook. My barrier to entry on the friendship front is pretty low. I'm friends with people I knew in jr. high, highschool, worked with once, went to church with them years ago, etc. I know them but am not intimately close with them. Facebook is a good way to keep in touch while maintaining a comfortable distance. But will I be able to identify them in every pic of themselves they've uploaded to facebook? I doubt it. Not to mention the fad a bit back to change your profile pic to a cartoon character. I'll bet dollars to donuts those go into the rotation. Which of your friends was underdog and which was optimus prime? I don't remember.
It's a horrid system. A co-worker of mine on the same trip ran into it too. He mocked me for not knowing my friends well enough and then almost put his laptop through a window when he couldn't log into facebook. He had almost an identical experience, a picture of some 6 or 7 year old kid he didn't know and a bike or something.
It's hard to believe that's how Micronians are made. Why don't we see it right now by having you both kiss one another?
This social login is supposed to increase security? What about privacy. It seems like this feature can be leveraged to harvest pics from facebook, not that they weren't already available to the highest bidder anyway. Hopefully they have something in place to prevent harvesting...
As a coincidental bonus of this new CAPTCHA, Facebook has nearly every photo stored in their library face-tagged for them, using the most powerful and accurate computers in existence - us.
Yeah, the photo ID thing is iffy. If photos are to believed, quite a few of my friends appear to be very young babies. Another bunch are cartoon characters.
-- Using the preview button since 2005
For "persistent https", I think you have to enable the new option in Account Settings -> Account Security.
I saw that one in a screenshot, but that option doesn't seem to be rolled out here yet, although I am able to manually type in "https://" in front of URL's. However, as you say, that only leads to using https temporarily.
Beware: In C++, your friends can see your privates!
The evidence that accounts were being hacked remained anecdotal. Facebook's security team couldn't prove something was wrong in the data. It wasn't until after the new year that the shocking truth emerged: Ammar was in the process of stealing an entire country's worth of passwords. [...] Sullivan's team rapidly coded a two-step response to the problem. First, all Tunisian requests for Facebook were routed to an https server. [...] The second technical solution they implemented was a "roadblock" for anyone who had logged out and then back in during the time when the malicious code was running. Like Facebook's version of a "mother's maiden name" question to get access to your old password, it asks you to identify your friends in photos to complete an account login.
insight through the mind
They can hardly sell your personal information if a guy at starbucks can sniff it from you can they?
Stop information piracy! Buy facebook!
Someone had the 'brilliant' idea of everyone replacing their face with cartoon images from their childhood?
They pull that sort of thing now, and most people won't be able to log in...
One thing FaceBook has going for it is that Https impact is far less significant as a percentage of time and actual server loading on sites where content can't be (or isn't typically) cached, and delivery is more than a few words.
Setup is expensive, but once negotiated data transmission is not that bad.
Fetching a tweet would really hurt under ssl, but a facebook page is usually fairly significant in size. Making lots of short requests over HTTPS will be quite a bit slower than HTTP, but if you transfer a lot of data in a single request, the difference will be insignificant. If Facebook implements http keep-alive oh https connections you should be able to reuse the the connection.
Yes the handshake is longer (usually 5 traverses vs 2). We are talking about 200ms vs 500ms for the first connection. But during that time the web server isn't having to pound content down the pipe so it might not be as bad as it sounds.
Sig Battery depleted. Reverting to safe mode.
My congratulations to the Facebook developers. They've made a website that faceblind people like me cannot use -- I didn't think that was possible.
I wonder if I can sue them under the Americans with Disabilities act...
"They redundantly repeated themselves over and over again incessantly without end ad infinitum" -- ibid.
Again, what scale? Enabling https is only a few % different in CPU time for handling the crypto overhead. I've done the math. Based on any reasonably modern server machine (say a 1U dual socket quad-core) and facebook's quoted query rate it would only require an extra half rack of CPUs to turn on https for all facebook pages, including images.
For what little it may be worth, I've been using HTTPS w/Facebook for *months*. It's been available for general use for quite some time, it's just that no one bothered trying it. And as you pointed out, the only thing that didn't work (and still doesn't) is chat.
This isn't really news at all. It's just "news" because of what happened to Zuckerberg.
Jason Van Patten
I've been using HTTPS for Facebook for quite a while (when accessing over wireless, or from work,) and they've slowly been making it less obnoxious. The certificate errors disappeared a few weeks ago, but there is still no IM via HTTPS. And if you are logged out and visit their site via HTTPS, if punts you back to the regular HTTP when you log in, so you have to go manually re-S the connection.
Another non-functioning site was "uncertainty.microsoft.com."
The purpose of that site was not known.
Of course, social login won't last long when they realize most of their users can't ID most of the people in their "friend" list.
but have you considered the following argument: shut up.