So? Where’s my Facebook security?
As we all know, Facebook has committed to raising the security level of its portal and has achieved it, although only partially.
For a while now you have been able to track the places and times at which your account has been logged into, letting you see whether somebody else has been using your account.
Recently, a new identity validation method has been added for password recovery, in which the user has to identify his/her friends in random pictures that are shown on screen.
But the newest news is the item published on Facebook's official blog on January 26th, 2011: persistent HTTPS connections while browsing inside the web portal.
Just as Gmail enabled some time ago, you will be able to browse Facebook over secure HTTPS channels, something that many users have been asking for, for a long time.
Now, with that introduction done, I'd like to clarify some things:
- For those of you who emailed me asking why the option to enable HTTPS hasn't appeared in your profile, you should know that the rollout of the implementation will be slow and gradual, so you must be patient.
- Session cookies are still sent in plaintext, so any attack against them will still succeed.
- An attack with the tool SSLstrip will also succeed, since this tool strips away the protection layer provided by SSL, leaving the site in plaintext.
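As an added example (not code from the original post), here is a small audit that a site operator can run over a captured HTTP response to spot the two gaps listed above: a session cookie set without the `Secure` attribute, which a browser will also send over plain HTTP, and the absence of a `Strict-Transport-Security` header, without which a browser will follow a downgraded plaintext connection of the kind SSLstrip produces. The response headers and the cookie name are constructed placeholders.

```python
"""Audit HTTP response headers for the two gaps discussed above:
session cookies without the Secure attribute (sent in plaintext over
HTTP) and a missing HSTS header (no protection against SSL stripping).
The sample responses are constructed for illustration."""
from __future__ import annotations

# Constructed "before" response: session cookie lacks Secure, no HSTS.
SAMPLE_WEAK = """HTTP/1.1 200 OK
Set-Cookie: SESSION_PLACEHOLDER=abc123; Path=/; HttpOnly
Set-Cookie: prefs=dark; Path=/; Secure
Content-Type: text/html
"""

# Constructed "after" response: Secure on every cookie, HSTS present.
SAMPLE_HARDENED = SAMPLE_WEAK.replace(
    "HttpOnly", "HttpOnly; Secure"
) + "Strict-Transport-Security: max-age=31536000; includeSubDomains\n"


def parse_headers(raw: str) -> list[tuple[str, str]]:
    """Split raw header text into (name, value) pairs. Duplicates are
    kept on purpose because Set-Cookie may appear several times."""
    pairs = []
    for line in raw.splitlines():
        if ":" not in line:  # status line or blank line
            continue
        name, _, value = line.partition(":")
        pairs.append((name.strip().lower(), value.strip()))
    return pairs


def audit(raw: str) -> dict:
    """Return {'hsts': bool, 'insecure_cookies': [names]} for a response."""
    headers = parse_headers(raw)
    insecure = []
    for name, value in headers:
        if name != "set-cookie":
            continue
        cookie_name = value.split("=", 1)[0].strip()
        # Attribute names only: "Secure" is a flag, "Path=/" has a value.
        attrs = {a.strip().split("=", 1)[0].lower() for a in value.split(";")[1:]}
        if "secure" not in attrs:
            insecure.append(cookie_name)  # browser will send it over http://
    hsts = any(name == "strict-transport-security" for name, _ in headers)
    return {"hsts": hsts, "insecure_cookies": insecure}


if __name__ == "__main__":
    print("weak:    ", audit(SAMPLE_WEAK))
    print("hardened:", audit(SAMPLE_HARDENED))
```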
In spite of the negative points I've just mentioned, this is very good news for the computing world, since it meets (better late than never) a highly important demand from users worldwide.
Finally, Google enabled default HTTPS access to Gmail
Gmail has been available over HTTPS since mid-2008, but that safety measure was limited to the login process. Not only that, but its default configuration was set not to use HTTPS.
Finally, the people at Google realised how ridiculous that setting was (it wasn't thanks to them: they received a complaint letter signed by several important people) and decided to enable HTTPS by default throughout the whole session, not only at login.
An implementation that should have been done long ago, which surprises us coming from Google. But well, at least it's done now.
Link (English): http://gmailblog.blogspot.com/2010/01/default-https-access-for-gmail.html