The Null Device


Beware: leading social network websites like LiveJournal and LinkedIn are dangerously insecure; these sites don't bother with SSL, and send cleartext passwords across the network where they may be intercepted:

Paul Martino, CTO of Tribe, chuckled at the idea that his site might use SSL for member logins. "We don't need high industrial strength encryption for that," he said. "We use standard security techniques like unique session IDs."

Some attacks rely on technological vulnerabilities, and others rely on human gullibility and badly-designed user interfaces (i.e., the old spoofed-email-pointing-to-fake-login-page trick). And there's more at risk than adolescent social dramas.

A top-ranked member of a network like eBay might be able to sell more items than her peers. A high-karma user on a site devoted to legal issues could have a tremendous influence over public policy. According to social networks analyst Clay Shirky, identity spoofing is possibly the greatest threat to social discovery networks. "When your reputation is valuable, it becomes worth exploiting. It makes a stolen identity a more valuable commodity."
By impersonating a highly-reputable person, an attacker might gain access to that person's social network, business contacts and private life. Spammers might launch highly personalized campaigns. And sexual predators could use their victims' friend lists to find more people to harass.

Update: Apparently LiveJournal no longer sends cleartext passwords at login, instead using a JavaScript challenge/response scheme, with SSL logins for those without JavaScript enabled. (I wonder how much of a risk login cookies sent in the clear are, though.)

security ssl web

There's hope for you yet, Graham...