Facebook Enables HTTPS

I’ve done a lot of thinking, writing, and well, complaining about Facebook during the past year, mostly on behalf of the many activists I’ve met who’ve had troubles with the site. I’ve also seen, for the past year, small steps in the right direction from the social media giant.  And yesterday, Facebook made an announcement that I’m very pleased with: They’re rolling out HTTPS to users across the site. (ed note: apparently they’ll be doing this slowly over the next few weeks; don’t get discouraged if you don’t see the option yet).

As Danny O’Brien of CPJ explains:

Flipping the switch won’t change much about how you use Facebook, but you’ll see Facebook web addresses will always start with “https”: and no-one between Facebook’s servers and your own computer will be able to see what you say and do on the service.

In light of recent developments, from the Tunisian government phishing of accounts to the availability of Firesheep, this is a major step in the right direction for protecting Facebook users.

The second announcement in Facebook’s post is the introduction of “social authentication”; I actually had a chance to experience this feature last autumn when I arrived in Budapest and attempted to log in to my account – after submitting my password and selecting the “social authentication” option (you have another choice, though I don’t recall what it is), I was shown a series of photos (3 at a time) of my friends, with multiple names below each photo, and asked to identify each friend.

Though I imagine this feature will work well for the vast majority of users, I foresee a few potential problems.

"Hackers halfway across the world might know your password, but they don't know who your friends are."

The first is a concern that developed after I tested the feature; I was shown a photo of a female Muslim friend of mine who wears hijab.  Below her photo were four names: her real name, plus three very, well, “Anglo” names.  Anyone attempting to access my account would have a pretty good chance of guessing who’s in the photo. Ironically, in Facebook’s own example (see photo above), the photo is of an Indian-looking man; of the six names below, only 2 are potentially Indian in origin.  Pretty good odds, I’d say.

Another foreseeable problem is that of Facebook users who don’t use their real image.  A great number of my friends have image libraries full of cats, flags, and cute images, but no photos of themselves.  Sure, the probability of five such friends showing up is low, but if it were to happen, I’d theoretically be locked out of my account.

The third problem, oddly enough, didn’t even occur to me, but was noted in the comments section of Facebook’s announcement: “what happens to the people that have 500+ gaming neighbors that they don’t know at all? People that “collect friends” by the thousands.”  I imagine Facebook’s response to that might be “that’s not how our site was intended,” but it’s nevertheless how it’s sometimes used.

Facebook did note that there’s a path of recourse for users who complete the social authentication process erroneously, but I nevertheless remain wary of the feature.

Regardless, I think Facebook should be applauded for listening to its users and enabling HTTPS.  It’s not foolproof, and users still must turn on the feature to get the benefit (go to “account settings” then “account security” and enable “secure browsing”), but it’s still a big step.  Facebook notes that it will eventually be rolling out HTTPS by default as well, something that Google did with Gmail a couple of years back.

Hopefully, other social sites–Danny O’Brien points out Yahoo!’s mail features, for one–will take a cue from Facebook and enable HTTPS to ensure user security.

5 replies on “Facebook Enables HTTPS”

I follow the steps but in Account Security, there is not “Secured browsing” yet. I am in Canada, does it matter?

Leave a Reply

Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.