Facebook Gets An 'F' From Online Services Security Report Card (CHART)

The Huffington Post    
First Posted: 11/04/10 11:21 AM ET Updated: 05/25/11 07:10 PM ET

Facebook and Twitter have received failing grades from Digital Society, a "digital think tank" that created an "Online Services Security Report Card" ranking "which websites protect your account and which don't."

The report card examines how vulnerable services such as eBay, Flickr, Amazon, and Facebook are to session hijacking and gives each a grade. The ranking is particularly timely in light of concerns around Firesheep, a Firefox extension that captures the unencrypted session cookies of other people browsing non-SSL websites on the same open WiFi network, letting whoever runs it take over their logged-in sessions.

Facebook received an 'F,' as did Twitter and WordPress (no SSL). Hotmail and Flickr fared only slightly better, earning a 'D-' each. Digital Society's George Ou writes, "Permanent fixes from the likes of Facebook, Twitter, and Microsoft are long overdue."
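An added example, not code from the article, from Firesheep or from Digital Society, modelling what Firesheep does on an open network: a passive sniffer reads every client's plaintext HTTP requests and keeps the cookies that identify a logged-in session. The capture, the host names and the session-cookie names below are constructed for the example; on a real network the frames would come from a wireless card in monitor mode.

```python
"""Sidejacking, modelled offline: harvest session cookies from plaintext HTTP.

Constructed example for this page; not Firesheep's code. The capture below is
made up. A TLS connection shows up as ciphertext, so the sniffer learns nothing
from it; that is the whole difference between an 'A' and an 'F' on the report card.
"""
from typing import Dict, List, Optional, Tuple

# Cookie names that identify a logged-in session per host.
# Assumption for the example, not a verified list for any real site.
SESSION_COOKIE_NAMES = {
    "example-social.test": {"sid", "user_id"},
    "example-mail.test": {"auth_token"},
}

# Constructed "captured" frames: (client_ip, was_tls, payload_bytes).
CAPTURE: List[Tuple[str, bool, bytes]] = [
    ("10.0.0.5", False,
     b"GET /home.php HTTP/1.1\r\nHost: example-social.test\r\n"
     b"User-Agent: Mozilla/5.0\r\nCookie: sid=abc123; user_id=42; theme=dark\r\n\r\n"),
    ("10.0.0.7", False,
     b"GET /inbox HTTP/1.1\r\nHost: example-mail.test\r\n"
     b"cookie: auth_token=tok-9f8e\r\nCookie: locale=en\r\n\r\n"),
    ("10.0.0.9", True,
     b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03..."),   # TLS record, unreadable
    ("10.0.0.5", False,
     b"POST /api HTTP/1.1\r\nHost: example-social.test\r\nCookie: broken\r\n\r\nbody"),
]


def parse_request(payload: bytes) -> Optional[Tuple[str, Dict[str, str]]]:
    """Return (host, cookies) for a plaintext HTTP/1.x request, or None if unparseable."""
    try:
        head, _, _body = payload.partition(b"\r\n\r\n")
        lines = head.decode("latin-1").split("\r\n")
    except Exception:
        return None
    if not lines or not lines[0].endswith(("HTTP/1.0", "HTTP/1.1")):
        return None
    host = None
    cookies: Dict[str, str] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep:
            continue
        name, value = name.strip().lower(), value.strip()
        if name == "host":
            host = value.lower()
        elif name == "cookie":
            # Header names are case-insensitive and Cookie may repeat; merge them.
            # A pair without '=' is malformed and skipped rather than crashing the sniffer.
            for pair in value.split(";"):
                k, eq, v = pair.strip().partition("=")
                if eq and k:
                    cookies[k] = v
    if host is None:
        return None
    return host, cookies


def harvest_sessions(capture) -> Dict[Tuple[str, str], Dict[str, str]]:
    """Sidejacker's view: (client_ip, host) -> the session cookies it can reuse."""
    sessions: Dict[Tuple[str, str], Dict[str, str]] = {}
    for client_ip, was_tls, payload in capture:
        if was_tls:
            continue  # encrypted: nothing usable without breaking TLS
        parsed = parse_request(payload)
        if parsed is None:
            continue
        host, cookies = parsed
        wanted = SESSION_COOKIE_NAMES.get(host, set())
        stolen = {k: v for k, v in cookies.items() if k in wanted}
        if stolen:
            sessions.setdefault((client_ip, host), {}).update(stolen)
    return sessions


if __name__ == "__main__":
    for (ip, host), cookies in harvest_sessions(CAPTURE).items():
        print(f"{ip} -> {host}: {cookies}")
```

The harvested dictionary is all an attacker needs: pasting those cookies into a browser logs it in as the victim without ever seeing a password, which is why the report card grades sites on whether the session, not just the login form, is protected by SSL.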

See the report card below.

cabrobst
Return the top rate to 90%.
09:04 AM on 11/07/2010
SideJacking

Term used to describe the malicious act of hijacking an engaged Web session with a remote service by intercepting and using the credentials that identified the user/victim to that specific server. Typically, SideJacking is most common on sites that require authentication through a username and password, such as online Web mail accounts as well as social networking sites. SideJacking works only if the site catches a non-SSL cookie, so any Web site that uses SSL exclusively would be safe from SideJackers. SideJacking was first demonstrated by Robert Graham, CEO of Errata Security at Black Hat in 2007.
I also learned this about SSL:
http://www.verisign.com/ssl/ssl-information-center/index.html
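The definition above turns on one condition: the session cookie must be reachable over a non-SSL connection. An added example, not from the glossary cabrobst quotes, from Digital Society or from any vendor, of the check that condition implies: given the Set-Cookie headers a login response returned and whether ordinary browsing happens over https, report which cookies a sidejacker on an open network could capture. The Secure cookie attribute and HSTS are real mechanisms; the header values and host below are constructed.

```python
"""Which of a site's cookies are exposed to sidejacking?

Added example for this page. Input: the Set-Cookie headers a client received at
login (constructed), plus the scheme the site uses for normal page views. Output:
per cookie, whether a passive sniffer could pick it up off the wire.
"""
from typing import Dict, List


def parse_set_cookie(header: str) -> Dict[str, object]:
    """Split one Set-Cookie header into name, value and the attribute flags we care about."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:] if p}
    return {"name": name.strip(), "value": value.strip(),
            "secure": "secure" in attrs, "httponly": "httponly" in attrs}


def audit_cookies(set_cookie_headers: List[str], browsing_scheme: str,
                  hsts: bool = False) -> Dict[str, str]:
    """Return {cookie_name: verdict}.

    A cookie without the Secure attribute is sent on any http:// request to the
    host, so if the site (or any image, script or redirect on it) is reachable
    over plain HTTP the cookie crosses the network in the clear. Logging in over
    HTTPS does not help; that split (secure login, insecure session) is what the
    report card marks down. HSTS pins the browser to HTTPS for the host and is a
    later mechanism than the article; it is included as the second-best defence.
    """
    verdicts: Dict[str, str] = {}
    for header in set_cookie_headers:
        c = parse_set_cookie(header)
        if c["secure"]:
            verdicts[c["name"]] = "safe: Secure attribute, never sent over HTTP"
        elif browsing_scheme == "https" and hsts:
            verdicts[c["name"]] = "mostly safe: HSTS keeps the browser on HTTPS, but add Secure"
        else:
            verdicts[c["name"]] = "exposed: sent in the clear on http:// requests"
    return verdicts


# Constructed login responses for a fictitious host, not captured from any real site.
LOGIN_2010_STYLE = ["sid=abc123; Path=/; HttpOnly", "theme=dark; Path=/"]
LOGIN_HARDENED = ["sid=abc123; Path=/; Secure; HttpOnly", "theme=dark; Path=/"]

if __name__ == "__main__":
    # HTTPS login form, HTTP for everything else: the 'F' pattern.
    for name, verdict in audit_cookies(LOGIN_2010_STYLE, "http").items():
        print(f"{name}: {verdict}")
    # SSL exclusively, cookie flagged Secure: the pattern the definition calls safe.
    for name, verdict in audit_cookies(LOGIN_HARDENED, "https").items():
        print(f"{name}: {verdict}")
```

Note that HttpOnly on its own does nothing here: it stops scripts reading the cookie, not the network. Only Secure (and serving the whole site over SSL) keeps the session token off an open WiFi network.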
realitytrumpsbull
two 'alves of coconut!
11:10 AM on 11/07/2010
Well, come right down to it, how much trust or faith are we supposed to have in the people that run the 'security' companies, or make the antivirus programs, and all the rest of the software, and for that matter, hardware that comprises the online-osphere? If a man can make it, a man can break it, and white hat, black hat, you're talking about people that have college-grade skills with which to peek, poke, tweak, and trash the entire apparatus, if they really put their minds to it, it's like a little digital mafia, there.

I say if you don't trust facebook, you might think about whether or not you want to use the internet at all. Of course, in this day and age, when everyone else uses the internet, you're kind of stuck using it. Or, ARE you? Of course, if everyone went 'offline', then the hackers and tweakers and spies would just go right back to being phone phreaks as in days of old, not that they don't already eavesdrop on people over cellphones. I just think web security is a misnomer, there's no such thing. If you have private stuff on your computer, don't connect it to the internet, or the hackers will have their way with your store-bought system regardless of what website you're navigating to. Companies like Microsoft spend Big Bucks trying to make it better, does it do any good? Well.....probably not.
06:04 AM on 11/07/2010
It's actually quite hilarious that users continue to publish their content on Facebook despite knowing about its privacy issues. Grade 'F' really sums up how insecure Facebook really is and how we need to move on to something more secure, and fast. Websites such as Diaspora and MyCube are about to be launched soon and we should switch to them. These sites promise complete user privacy and complete control of our content.
12:38 AM on 11/06/2010
Don't join!
If you join, stop complaining, idiots!
Imzadi
Proud Progressive for decades
10:52 AM on 11/06/2010
CO-SIGN!
12:11 AM on 11/06/2010
I further awry when using social networking sites. Any idea?
06:11 PM on 11/05/2010
So what should we do? I'm using my Twitter account to write this comment! Lol. Should we stop using these services? It's clear that we have no leverage over these companies.
04:14 PM on 11/05/2010
It's a little (okay, a lot) scary to see that the most common social media platforms being used are insecure in so many ways. It makes it just a bit harder for those of us who make a living teaching others to use social media for their businesses. Seems that along with a social media policy, companies would fare well to have their IT security team working in conjunction with social media consultants.
Max Shaw
My micro-bio is no longer empty.
03:33 PM on 11/05/2010
I would really like to know the deal with wireless service providers and said technology... Ever since my brother hijacked my phone using Bluetooth just to prove he could, I have become wary of public wifi networks... wouldn't dare use my computer in one.
02:21 PM on 11/05/2010
HuffPo
If I wanted to post on Facebook or Twitter, I would get accounts with them and post there. Please stop with their annoying popups.
Imzadi
Proud Progressive for decades
10:52 AM on 11/06/2010
YES, YES, a thousand times, YES!!
01:36 PM on 11/05/2010
I Know What You Ate Last Summer...
01:33 PM on 11/05/2010
It would certainly have helped for the author to explain what all the headings mean. Sidejack, etc. are Greek to me. Why bother to write something that includes references that are unknown to many?
02:16 PM on 11/05/2010
Sidejacking, from what I gather, happens while you are in the session. Meaning... you logged into the server, and once you are in, the hacker gets enough info to assume your identity. The login part might be secure, but while you are using your account the actual session is not. (Typically this happens with unsecured wifi.)
mooph
In my haste, I was a dyslexic typist
02:38 PM on 11/05/2010
Think of it this way:

Big sister and her boyfriend are talking on the phone. Little sister picks up a second phone in the house to eavesdrop on the conversation -- the little sister is sidejacking their conversation.
09:01 PM on 11/06/2010
Yes, a lexicon would have been a big help.
Walter H
Thou shalt not coerce. One and done.
12:57 PM on 11/05/2010
The smart money is to simply accept that things put up on social networking sites could end up in the general public domain. How hard is that?
mooph
In my haste, I was a dyslexic typist
02:15 PM on 11/05/2010
It's not just about ending up in the public domain, it's about someone else having access to your accounts. Beyond a person claiming your data, they could potentially pose as you in an online context. Simple example, if someone did this to your HP account, they could post comments as Walter H.
Walter H
Thou shalt not coerce. One and done.
04:18 PM on 11/05/2010
Hopefully they would improve on my spelling.
felkakarp
12:48 PM on 11/05/2010
Hard to believe that the Facebook corporation does not provide any legitimate support help to its users who are experiencing problems. A corporation making a Gagillion dollars a year can't afford a staff to assist its users in remedial issues. What a joke. And everyone worships Founder, CEO and moron Mark Zuckerberg along with his cronies Christopher Cox, David Ebersman, David Fischer, Lori Goler, Jonathon Helliger, Sheryl Sandberg, Elliot Schrage, Mike Schroepfer, Bret Taylor and especially Ted Ullyot (General Counsel). How would a law firm even serve this Ted individual legal papers? This firm is invisible to its users. No support staff & contact numbers that are a sham.
NVEd
I love mountains.
12:13 PM on 11/05/2010
I gave up on Facebook sometime ago.
02:44 PM on 11/05/2010
I did too - and somehow my commenting on this site reactivated the account. I'm on my way to kill it again.
Imzadi
Proud Progressive for decades
10:53 AM on 11/06/2010
good luck.
08:36 AM on 11/05/2010
SSL is the way to go. It's the answer to a lot of problems, particularly when combined with other security techniques. Yet, I doubt it'll gain much of an online following commercially, without erosion.

We've already seen the beginnings of attempts to get non-SSL data into an SSL stream. Google advises one such technique so that its Google Analytics tracking cookies can be used without as much of an obvious loss of SSL in some browsers. Corporations will probably continue to attempt to erode what SSL means so long as there is a profit motive for them to do so. One similar example, in the area of code validation, would be Adobe's "own" forms of validation; this means that a code that wouldn't pass W3C standards gets marketed to people as valid under a proprietary label. I imagine something similar will happen to SSL in the future.

The leading component for SSL is not just the encryption: it's the content. SSL content needs to be stored on the same server (within the same scope) as the security certificate authenticating its transmission. SSL certificates are like the license plate on your car.

This is its commercial weakness: it doesn't sit well with fictions in the liabilities column for businesses. To use SSL right, you have to have the equity to own and broadcast the information. If you can't lie about assets and liabilities, then you can't use Wall Street techniques.

SSL is the way to go. Original content rocks.
mooph
In my haste, I was a dyslexic typist
02:08 PM on 11/05/2010
Aside from ownership of content, another major factor is ad serving. Most sites make money through ads, which are nearly always sideloaded, thus prohibiting true SSL serving of a page. It's interesting that this issue has been discussed for quite a number of years, yet no one has come up with a simple solution like encrypted identity tokens (or the whole session cookie) transfer. Of course, that would entail reworking the protocol and language, but it's been years that this has been one of the easiest snarfs.