Thursday, January 27, 2011

New Facebook with SECURODYNE!

Although it is a well known adage that "noone has ever lost money by underestimating the intelligence of the average american" people have lost more then money by making their disdain for their customers' intelligence apparent.

Today, Facebook released a press release that reeks of such disdain. Facebook PR has been plagued with security issues, both real and imaginary. Their answer? To quote today's announcement:

If you’ve ever done your shopping or banking online, you may have noticed a small “lock” icon appear in your address bar, or that the address bar has turned green. This indicates that your browser is using a secure connection (”HTTPS”) to communicate with the website and ensure that the information you send remains private. Facebook currently uses HTTPS whenever your password is sent to us, but today we’re expanding its usage in order to help keep your data even more secure.

Translation: Either we don't know what HTTPS actually does, or we are hoping desperately that you don't!

HTTPS does not somehow make your account magically secure. It is a very specific remedy to one very specific kind of attack. It prevents third party "man in the middle" attacks. What are these? These are where someone in between you and facebook is snooping the packets of information sent between you and Facebook, and digging information out of them. This has to be either someone on your local network or someone with access to your ISP's routers. It does nothing to prevent programs running on YOUR computer (viruses, key loggers and so on) from extracting such information. It also does nothing to prevent the myriad of other ways people can get your information, including breaking into Facebook's computers themselves.

To my knowledge, although many people have had their facebook accounts hacked and IDs stolen, none have been through such man in the middle attacks. Finally, as they say, they already DO use https for the critical transfer of name and password.

So, today Facebook proudly did nothing of note to make you any more secure.

But they are hoping you don't know enough to know that.




8 comments:

mdouglass said...

Actuality, according to this article at the Atlantic Montbly, http://m.theatlantic.com/technology/archive/2011/01/the-inside-story-of-how-facebook-responded-to-tunisian-hacks/70044/. Facebook just finished dealing with a large-scale man-in-the-middle attack. The govt of Tunisia was forcing ISPs to snoop passwords and turn over data from Fcebook accounts

There is also a Firefox extension called, http://codebutler.com/firesheep, which recently made news headlines because it makes it trivially easy in public wifi scenarios to steal Facebook (among other services) login cookies and then hijack the session.

Man-in-the-middle attacks are a very serious and a very real problem. You should not be denying that or faulting Facebook for dealing with it. And while their explanation wasn't great you have to remember who their audience is.

CyberQat said...

SSL will do nothing to stop an attack thats based on your computer or in your browser.

I already explained that above.

As for governments, you aren't going to stop them anyway. There is no security mechanism in use in the USA that the NSA doesn't have a crack for, and our govt has been snooping traffic for a long time.

And their explanation was not one. It was a claim that "this makes your facebook account informations secure!" Which is a bald-faced lie.

CyberQat said...

Wearing a tinfoil hat on your head will protect you from alien mind reading rays, too.

But it won't make you any more secure. Protection form the wrong thing is worse then no protection at llas it makes you think you are safer then you are.

Tim said...

My understanding is that Facebook is going to provide the option of performing all communication over HTTPS, not just logins.

See:

Protect Your Facebook Account

I didn't see this setting in my account yet, though.

- Tim

Tim said...

My understanding is that Facebook is going to provide the option of performing all communication over HTTPS, not just logins.

See:

Protect Your Facebook Account

I didn't see this setting in my account yet, though.

Justin Wick said...
This comment has been removed by the author.
Justin Wick said...

While I will never accuse Facebook of being good at engineering or security, this is a huge step in the right direction. Have you seen Firesheep?

It uses a cookie hijack attack. Full HTTPS can block the main vector of that attack - namely packet sniffing. It won't stop browser exploits, trojans, etc, but considering how many people use facebook on free wifi, this is a very serious vector.

Perhaps they should have been more clear that this added security doesn't stop other vectors, but it definitely stops one of the easiest.

(previous post removed due to lack of proper formatting, please delete).

Keshlam said...

Quick plug for the "https everywhere" plugin for Firefox, which will attempt any http: URI first over https:. Many services support https: even if they don't announce it.