First, it's a good thing that Facebook finally offers its users the most fundamental of all security measures, a secure connection to their website. Still I would have expected them to move faster, especially after the Firesheep controversies back in October.
Then to the most controversial change — the social authentication — which raises a few questions about both the security it is supposed to add and the possible effects on Facebook users' privacy.
The security failure
Consider some malicious Trojan-writer on the other side of the earth, trying to log into your Facebook account with your newly stolen password. Matching the pictures and the names presented in the social authentication should constitute a real challenge. It doesn't! Launching a google search for the suggested names, narrowed down to the Facebook site will reveal..... You guessed it! A picture of the person!
 |
| Social authentication illustrated |
If you look at the pictures and names used as an example in the Facebook blog, you'll see that you could probably narrow down the candidates to two names pretty quick. A google search will likely reveal which one is correct, just click on the link. I place my bets on Alok.
http://www.google.no/search?q=site%3Afacebook.com+%22alok+menghrajani%22You'll find the public profile in Google for everyone who has enabled "Public search" in their Facebook privacy settings. For the record, there's also a privacy bug I recently blogged about that makes matters worse — anyone who has commented on or liked a public page can also be found in Google.
That was the scenario of the "hacker on the other side of the planet" attempting to log in to your account. The other scenario is that someone close to you — familiy or friends — attempts to steal your profile. They can also google. In addition they probably know who most of your friends and colleagues are, and what they look like. So, in my opinion there's not much security added by the social authentication scheme.
The privacy failure
Many Facebook users set the visibility of their profile, pictures, and so on to "Friends of Friends" or even tighter with "Friends only". The assumption here is that the people you have narrowed this down to have to log in to Facebook to see your pictures. This gives you some assurance that your content is not made available to strangers. At the first glance, the social authentication is aligned just fine with the privacy settings used by most Facebook users. But if you start thinking about it, you'll realize that there are subtle problems.
When Facebook finds it questionable whether one of your friends is actually signing in herself, they might show a picture of you to be coupled with your name, in order to achieve some extra assurance that everything's in order. In other words: If Facebook is unsure whether it's your friend logging in or a complete stranger who knows your friends password, the'll show a photo of you just to make sure. You didn't intend Facebook to show your photos to strangers, did you. Well, they do — because they're afraid it's a stranger.
To make matters worse, it seems that Facebook selects a random photo you've been tagged in, either by yourself or by other users. One of my colleagues brought this to my attention, as he was confronted with the new social authentication procedure. One of his friends was shown in a picture, taken from a night on the town when the hour was getting late. Nuff said. Maybe not the picture you'd want to show to people when they log in. I won't post the screenshot here for obvious reasons.
Finally, a brief speculation. There's probably a good chance that someone can tag you in a photo, and it'll be used for social authentication irrespective of whether you've seen the photo or not. Speculation ended.
So to summarize, I don't believe that the social authentication adds much (any) security to your Facebook account. On the contrary, it introduces yet another privacy issue for Facebook users.
If you want better security, you should have a look at the one time passwords instead, they were a much better addition. That's what Facebook should use instead of social authentication when they're unsure if it's the correct user they're signing in.
true religion outlet
ReplyDeleteray ban sunglasses
polo ralph lauren outlet online
adidas outlet store
ray ban
nike shoes for men
nike shoes
polo outlet
cheap ray ban sunglasses
prada outlet store
chenlili20170324
20170518 leilei3915
ReplyDeleteadidas outlet store
polo ralph lauren
mulberry uk
hermes belts outlet
kate spade handbags
kate spade outlet online
nike shoes on sale
oakley sunglasses wholesale
cheap oakley sunglasses
christian louboutin shoes
Involved in education? Struggling with the legal aspects? Want some help? Find out more about Education Law, and what you need to know.http://www.thesisexample.info/
ReplyDelete20170929 leilei3915
ReplyDeletepolo ralph lauren
polo ralph lauren
coach factory outlet
pandora charms
cheap uggs
canada goose outlet store
pandora jewelry
moncler outlet
canada goose
kate spade handbags
Maybe you should check out this article for some information about phone spy apps and phone tracking apps. It could be very interesting
ReplyDeleteThanks for sharing amazing information !!!!!!
ReplyDeletePlease keep up sharing.
Very interesting blog. Thanks for sharing.
ReplyDeleteNO.1 API DEVELOPMENT SERVICES | MASSIL TECHNOLOGIES
wow...nice blog, very help full information. Thanks for sharing.
ReplyDeleteBest Digital Transformation Services | DM Services | Austere Technologies
You did really good work. I really appreciate your new and different post. Please guys keep it up and share with us some unique post in the futureMenmyshopCar StereoDouble Din Android PlayerHyepersonic Double Din PlayerHyundai Creta Double Din Player
ReplyDeleteCBSE open schoolcbse privatebanzaraonjourneyAdj online
Excellent informative blog, keep for sharing.
ReplyDeleteBest System Integration services | Massil Technologies
surveillancekart security system
ReplyDeletesurveillancekart cctv installation services
cp plus
Pestveda pest control services
dezigly
The feedgasm Latest News And Breaking News
quicksodes
latest news in hindi
Are you struggling for a better future for your kids? Read this article and you will know what to do!
ReplyDeleteNetwork Security Final Year Project Ideas
ReplyDeleteProject Centers in Chennai
JavaScript Training in Chennai
JavaScript Training in Chennai
You can leave all the stressful work to us so that we handle it for you and assure you of delivering excellent online Affordable Writing Services to you all the time in our research papers 247 company.
ReplyDeleteAlthough the shipping company relocates from Jeddah to Syria depends on a large number of packaging materials that the company can pack the luggage and can through it move them from one place to another with the highest potential that they can packaging the luggage properly until it is transported
ReplyDeleteشركة نقل عفش
ReplyDeleteGreat Article
Network Security Projects for CSE
JavaScript Training in Chennai
Project Centers in Chennai
JavaScript Training in Chennai
There are academic nursing writing help companies whose ultimate goal is to provide Help with Nursing Writing Services since they are aware most nursing essay writing service part-time students lack enough time to complete their college custom nursing assignments.
ReplyDeleteAccounting paper writing services are essential and they have become very popular for those seeking accounting coursework writing services since most of them seek Accounting Writing Services.
ReplyDelete