Thursday, January 27, 2011

New Facebook with SECURODYNE!

Although it is a well-known adage that "no one has ever lost money by underestimating the intelligence of the average American," people have lost more than money by making their disdain for their customers' intelligence apparent.

Today, Facebook released a press release that reeks of such disdain. Facebook PR has been plagued with security issues, both real and imaginary. Their answer? To quote today's announcement:

If you’ve ever done your shopping or banking online, you may have noticed a small “lock” icon appear in your address bar, or that the address bar has turned green. This indicates that your browser is using a secure connection (“HTTPS”) to communicate with the website and ensure that the information you send remains private. Facebook currently uses HTTPS whenever your password is sent to us, but today we’re expanding its usage in order to help keep your data even more secure.

Translation: Either we don't know what HTTPS actually does, or we are hoping desperately that you don't!

HTTPS does not somehow make your account magically secure. It is a very specific remedy to one very specific kind of attack: it prevents third-party "man in the middle" attacks. What are these? They are attacks where someone in between you and Facebook snoops on the packets of information sent between you and Facebook and digs information out of them. This has to be either someone on your local network or someone with access to your ISP's routers. HTTPS does nothing to prevent programs running on YOUR computer (viruses, key loggers and so on) from extracting such information. It also does nothing to prevent the myriad other ways people can get your information, including breaking into Facebook's computers themselves.

To my knowledge, although many people have had their Facebook accounts hacked and IDs stolen, none have been through such man-in-the-middle attacks. Finally, as they say, they already DO use HTTPS for the critical transfer of name and password.

So, today Facebook proudly did nothing of note to make you any more secure.

But they are hoping you don't know enough to know that.