Riding off of the coattails of the FireSheep Firefox exploit, Digital Society has studied the basic security functions of 11 popular websites and given them grades. The results are not stellar for most, especially social networking sites Twitter and Facebook, which both received failing grades.
The reasons why they failed get quite technical, but center around the lack of full SSL (Secure Sockets Layer) protection on the sites. One easy way to know if you are on an SSL protected site is if your browser bar says “https://” instead of the standard “http://.” If you are not, then it is possible that your information could be stolen because it is not encrypted. Facebook and Twitter do not encrypt data all the time, a feature that they should implement.
There are four basic ways to get hacked (as studied in the report):
If a site doesn't have SSL browsing support, anyone who can observe your network traffic can see what you're browsing at any time, but only what you're browsing currently.
In a partial sidejacking, an attacker gets hold of a user's authentication cookies and gains partial access to their account. An authentication cookie is a small file that sits on your computer, allowing you to revisit a website without logging in again every time. It tells Facebook: "hey, I'm still the same computer; let me in." In a partial sidejacking, some of your information is visible to the attacker, but he/she can't entirely breach your account.
In a full sidejacking, the attacker gets full control over your account, but can’t get your username or password. Usually he/she can do everything except change the password because most sites request that you re-type the old password first. Full sidejacking is scary. In Hotmail, for example, an attacker would be able to read all of your emails.
Finally, in a full hijacking, the attacker gains control over everything in your account and can change anything, including your password. Sites that do not have SSL authentication leave you vulnerable to a full hijacking.
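As an added example (not part of the original article or the Digital Society study), a small Python audit that maps a login response's transport and cookie flags onto the exposures described above: a login posted over plain http:// is the full-hijacking condition, and a session cookie without the Secure flag is what makes sidejacking possible (whether that turns out partial or full depends on what the cookie unlocks, which headers alone cannot tell). All hostnames, cookie names and values are constructed.

```python
"""Audit a login response for the sidejacking/hijacking conditions above.

Input: the URL that received the credentials, the Set-Cookie headers it
returned, and whether it sent Strict-Transport-Security. Output: a list of
findings. Names and sample values are constructed for this example."""
from urllib.parse import urlsplit


def parse_set_cookie(header: str) -> dict:
    """Split one Set-Cookie header into name, value and lower-cased attributes.
    Valueless attributes such as Secure and HttpOnly are stored as True."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        attrs[key.strip().lower()] = val.strip() or True
    return {"name": name.strip(), "value": value.strip(), "attrs": attrs}


def assess_login_response(url: str, set_cookies: list, hsts: bool) -> list:
    """Return findings, one per way the response exposes the user."""
    findings = []
    over_tls = urlsplit(url).scheme == "https"
    if not over_tls:
        # Credentials crossed the wire in the clear: full hijacking risk.
        findings.append("full hijacking: credentials posted over plain http://")
    for header in set_cookies:
        cookie = parse_set_cookie(header)
        if "secure" not in cookie["attrs"]:
            # The browser also sends this cookie on http:// requests, so a
            # listener on the same network can replay it: sidejacking.
            findings.append(f"sidejacking: cookie {cookie['name']} lacks Secure")
        if "httponly" not in cookie["attrs"]:
            findings.append(f"cookie {cookie['name']} readable by page scripts (no HttpOnly)")
    if over_tls and not hsts:
        findings.append("no HSTS: a typed http:// URL still starts unencrypted")
    return findings


# Constructed sample responses (not captured from any real site).
WEAK = ("http://login.example.test/auth",
        ["sid=7f3a9c; Path=/; HttpOnly", "lang=en; Path=/"], False)
HARDENED = ("https://login.example.test/auth",
            ["sid=7f3a9c; Path=/; Secure; HttpOnly; SameSite=Lax"], True)

if __name__ == "__main__":
    for label, args in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, assess_login_response(*args) or ["no findings"])
```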
Be careful
Our best advice: be careful where you browse Facebook, Twitter, and other sites with logins. If you're on a public Wi-Fi hotspot, make sure that it is password protected. This should encrypt your information, making it more difficult for others to hack you.

Well, come right down to it, how much trust or faith are we supposed to have in the people that run the 'security' companies, or make the antivirus programs, and all the rest of the software, and for that matter, hardware that comprises the online-osphere? If a man can make it, a man can break it, and white hat, black hat, you're talking about people that have college-grade skills with which to peek, poke, tweak, and trash the entire apparatus, if they really put their minds to it, it's like a little digital mafia, there.
I say if you don't trust facebook, you might think about whether or not you want to use the internet at all. Of course, in this day and age, when everyone else uses the internet, you're kind of stuck using it. Or, ARE you? Of course, if everyone went 'offline', then the hackers and tweakers and spies would just go right back to being phone phreaks as in days of old, not that they don't already eavesdrop on people over cellphones. I just think web security is a misnomer, there's no such thing. If you have private stuff on your computer, don't connect it to the internet, or the hackers will have their way with your store-bought system regardless of what website you're navigating to. Companies like Microsoft spend Big Bucks trying to make it better, does it do any good? Well…..probably not.
OK Sir or Madam, I see your point and respect it. However, you're not even safe walking out your front door every day either. You could get shot or hit by a car. Does that mean everyone should be a hermit? Internet safety is all about being careful, paying attention to what pops up on the screen, and making it harder for the information to get gathered. This is done through having a firewall, having anti-virus software, doing the security updates, etc. There is not one way to be completely protected, but it has to start somewhere.
Yup not much surprise here, unfortunately.
There are no "reasons why," (third paragraph) only reasons.
I don't really get why this is such a big controversy. Anyone who accesses any sites on an open network takes a risk that their web movements will be tracked and open for pillaging... simply do not access open wi-fi networks, and your ID and info are a little bit safer.
Most iDevices, Androids and Win 7 mobiles have built-in 3G access. It may cost a few cents to use, but at least it's encrypted.
Users should stop cheaping out on devices by getting wi-fi only versions if the risk is so great.
You're only at risk if you walk on the wild side of free wi-fi.
It's actually quite hilarious that users continue to publish their content on Facebook despite knowing about its privacy issues. Grade 'F' really sums up how insecure Facebook really is and how we need to move on to something more secure, and fast. Websites such as Diaspora and MyCube are about to be launched soon and we should switch to them. These sites promise complete user privacy and complete control of our content.
Hotmail has had full SSL for a week or two now, could the tests be updated to reflect this?
SFTP is not "FTP over SSH". SFTP is its own protocol, and unlike FTP and FTP over SSL / TLS, is not an IETF RFC standard.
It's funny, since my anti-virus is expiring in 20 days, it's found several threats and viruses that needed to be stopped, but this only started when I had 30 days left. Before that, I rarely had one a month... go figure.
Facebook and Twitter encrypt the auth process. It may not be https:// in the bar but it does a POST to an https:// address.
I agree, this article is not accurate… FB and twitter have secured auth in the form submit.
It is no surprise that Facebook and Twitter both failed the privacy risk report. Facebook and Twitter are both extremely unsafe. All user content on Facebook is sold to advertisers or 3rd parties. This is clear proof that Facebook is totally unsafe. I have personally left Facebook and Twitter and am waiting for MyCube and Diaspora to release as they seem much safer.
You appear to know nothing about security.
What you’re talking about are privacy concerns. This article is speaking about ways to gain access to your information which are NOT intended by the site creators.
I hope you are ready to wait a long time and then be VERY lonely (something that I am sure that you are familiar with). I LOVE outcasts like you who think you're ahead of the curve waiting for Diaspora, and that reveal HOW out of touch you actually are by thinking that Diaspora will ever catch on.