SSL

2 results arranged by date

Blog

Facebook enables encryption: a first step on the right road

Facebook is rolling out a new feature starting today: its users now have an option in their account settings that will protectively encrypt all their Facebook activity as it travels over the Internet. Flipping the switch won't change much about how you use Facebook, but you'll see that Facebook web addresses will always start with "https", and no one between Facebook's servers and your own computer will be able to see what you say and do on the service.

This is a significant step for protecting journalists who use the social networking site for communication or publishing. We've had reports of attacks on journalists, notably in Iran, that depended on intercepting communications on Facebook. Turning on https will make such surveillance - by rogue governments, ISPs or common criminals - far harder. Additionally, censorship that attempts to block individual Facebook pages (rather than Facebook as a whole) will be difficult to implement.

The system behind https encryption isn't perfect. The recent password-stealing attack on Facebook and Gmail in Tunisia was designed to beat encrypted communications. Many states, including those with poor track records in protecting Internet users' security, could use their access to "certificate authorities" to intercept encrypted communications without that attack being obvious. But these attacks require far more technical complexity than current strategies, and there are solutions already being worked on by browser manufacturers.

You do still have to turn the feature on to get the benefit. (It's listed as "Secure browsing" under "Account security".) An important next step for Facebook would be to do as Google did with Gmail, and enable encryption for everybody, by default. That's a big step, however, and one that could take some time.

Hopefully, Facebook will continue down the secure path, and other companies like Yahoo!, whose unencrypted email and messaging services are still woefully vulnerable to spying, will follow its lead.

January 26, 2011 12:56 PM ET


Blog

More on certificate authority proliferation

Cryptographer Bruce Schneier linked to my Slate piece on rogue certificate authorities (CAs), which could allow governments like the UAE to monitor even the supposedly secure communications of journalists and others.

The smart comments include a link to this fascinating discussion at Mozilla that shows the procedures that browser-makers use when deciding which certificates to include in their root store (the list of certificates that the browser will assume are trustable). It looks like the root certificates are supposed to comply with a policy that subordinate CAs must only be used for internal purposes, but there's no way to enforce that.

One solution is to restrict subordinate CAs so that they can be used only for a selected set of domain names. That would mean that Etisalat or the Department of Homeland Security or Ford Motors could only use the power of their CA for their own use (and not maliciously to pretend to be Gmail or your bank) - but it might be difficult to impose that retrospectively on the unknown number of universal CAs that are now out there.
