Facebook today announced two changes to the popular social networking site that aim to improve the security of site visitors.
Secure Browsing is a new opt-in option that configures Facebook to always use https connections. While Facebook already uses a secure connection for the login itself, it does not keep using that secure connection for the rest of the session.
Update: Facebook has enabled https by default and does not switch back to http anywhere on the site. This means that the secure browsing feature has been removed as it is no longer required. Update End
Enabling secure browsing for an account ensures that the session's traffic is encrypted and cannot be monitored by other users on the same network or by the ISP. That's especially useful when public computers or networks are used to connect to Facebook.
The new option is being rolled out gradually over the coming weeks. Users find it under Account Settings > Account Security. They need to check "Browse Facebook on a secure connection (https) whenever possible" under Secure Browsing (HTTPS).
Starting today we'll provide you with the ability to experience Facebook entirely over HTTPS. You should consider enabling this option if you frequently use Facebook from public Internet access points found at coffee shops, airports, libraries or schools. The option will exist as part of our advanced security features, which you can find in the "Account Security" section of the Account Settings page.
There are a few things you should keep in mind before deciding to enable HTTPS. Encrypted pages take longer to load, so you may notice that Facebook is slower using HTTPS. In addition, some Facebook features, including many third-party applications, are not currently supported in HTTPS. We'll be working hard to resolve these remaining issues. We are rolling this out slowly over the next few weeks, but you will be able to turn this feature on in your Account Settings soon. We hope to offer HTTPS as a default whenever you are using Facebook sometime in the future.
Social Authentication is currently being tested on Facebook. Facebook sometimes displays captchas when account irregularities are detected. Text captchas are highly problematic for a number of reasons. They are at times hard to decipher and only protect against some computer-based attacks. Human attackers, on the other hand, are not kept away, as they can solve the captcha as easily as the account holder.
Social Authentication changes the captcha. Instead of displaying random, hard-to-read text, it shows photos of the user's friends along with options to identify those friends. While attackers can still answer such a challenge, it poses a greater hurdle than text captchas do.
Many sites around the web use a type of challenge-response test called a captcha in their registration or purchasing flows. The purpose of this test is to verify that you are a human being and not a computer trying to game the system. Traditional captchas have a number of limitations including being (at times) incredibly hard to decipher and, since they are only meant to defend against attacks by computers, vulnerable to human hackers.
Instead of showing you a traditional captcha on Facebook, one of the ways we may help verify your identity is through social authentication. We will show you a few pictures of your friends and ask you to name the person in those photos. Hackers halfway across the world might know your password, but they don't know who your friends are.
We will continue to test social authentication and gather feedback from you and the security community on how to make this and other social features safe and useful.
What's your take on the new security improvements? (via)