In the wake of the October 2010 release of Firesheep many social media websites are stepping up their security. Firesheep is a simple-to-use user account hijacking tool that can give attackers temporary full access to accounts from many of the most popular social media websites. Social media sites like Facebook (FB), Twitter, Gmail, Hotmail, Flickr, and WordPress, have begun to add full end-to-end encryption.
George Ou at Digital Society tracks SSL implementations on websites and has created an online services report card. The report card grades the way that social media sites implement full end-to-end encryption, and what generic protocols are deemed safe. The latest report card looks like this:
The table from Digital Society indicated that only Gmail.com and WordPress free hosting site get an “A” and are fully impervious to partial and full sidejacking and full hijacking of HTTP sessions. The report card gives Facebook, Twitter, and Microsoft’s (MSFT) Hotmail failing grades. The bottom part of the table refers to generic protocols that are commonly used by computers and smartphones. The majority of devices use unsafe versions of protocols according to Digital Society.
Microsoft has announced the general availability of the full-session SSL (HTTPS). The security upgrade has also been applied to other Live services, including SkyDrive, Photos, and Devices. MSFT says to activate full session SSL (I recommend you do, especially if you ever access these services on public or shared computers), head on over to account.live.com/ManageSSL. After completing their form SSL is activated and all future Web connections will be protected. It’s important to note, however, that flipping the SSL switch means you won’t be able to reach your Hotmail via Windows Live Mail (desktop), the Outlook Hotmail connector, or the Windows Live app for Windows Mobile 6.5 and Symbian.
The latest Google site to support SSL-encrypted connections is Google’s Picasa Web. As with many other sites, though, not everything displayed on Picasa Web is encrypted. While the home page and upload form are fully encrypted, gallery pages report as being only partly encrypted. The Google Operating System blog says that many Google services now support HTTPS connections: Gmail (enabled by default), Google Reader, Google Groups, Picasa Web Albums, Google Search, Google Finance, YouTube (partly encrypted). Other services only support encrypted connections: Google Calendar, Google Docs, Google Sites, Google Health, Google Analytics, Google AdSense and AdWords, Google Web History, Google Bookmarks, Google Voice, Google Latitude, Google Checkout.
rb-
Even average users are a bit more in-tune when it comes to security and privacy on the Web today (thanks in part to the recent Firesheep threats). There’s a simple solution: browse using HTTPS when possible. The easiest way to do that is to use Mozilla Firefox and the HTTPS Everywhere from the EFF, which I use and wrote about here.
Related articles
- Google to enforce SSL encryption on developer APIs (go.theregister.com)
- What is HTTPS and Advantages of it (mstechexplore.wordpress.com)
Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedIn, Facebook, and Twitter. Email the Bach Seat here.
Web servers, FTP servers, and even SSL servers are becoming prime targets for botnets. They are targets, not as command and control servers says Mikko Hypponen, chief research officer at 
“FTP servers are a hot commodity in the underground. They are regularly used by drive-by download malware as well as a downloading component for regular bots,” says Hypponen. Botnets often use stolen FTP credentials to break into other parts of the system, says Bill Ho, vice president of Internet products for 
Why SSL servers? “If a drive-by download gets the malware file through an HTTPS connection, proxy and gateway scanners won’t be able to scan for the malware in transit, making it easier to sneak in,” Hypponen explains.