Online services security report card
Update 2/4/2011 – Updated report card chart in Figure 1
Update 11/9/2010 - Microsoft ‘fixes’ Hotmail with an unusable fix. That means I’m boosting Hotmail’s grade from a “D-” to a “D+” which is still a failure until they come out with a better fix.
Update 11/4/2010 – Microsoft promises fix to Hotmail security this month
A lot of website security awareness has been raised over the last week since the release of a simple-to-use website user account hijacking tool called FireSheep. The tool gives attackers temporary full access to your web accounts like Facebook, Twitter, and Microsoft Hotmail. Many sites have been offering incorrect advice to just use force the website to run SSL, but my testing shows that sidejacking is still possible even when the site runs SSL. Some people have suggested tools that go as far as rewriting the website’s javascript but we’re getting into deep water on complexity and the user shouldn’t have to re-engineer the websites they visit to protect their own user accounts. Permanent fixes from the likes of Facebook, Twitter, and Microsoft are long overdue.
Even though the vulnerability and easy exploitation online services have been well known since 2007, the lack of mainstream tech media coverage has allowed the online industry to sweep the problem under the rug for the past 3 years. Now that the problem can no longer be ignored because anyone can use the attack to steal other people’s account, I’m going to create an online services report card that will be updated over time. Look below Figure 1 to see basic definitions of the various types of security breaches.
Figure 1 – Online services security report card
Note that “WordPress” refers to all the independent implementations of WordPress, but the WordPress.com free hosting site does implement SSL. The bottom portion of the table refers to generic protocols that are commonly used by computers and smartphones, the vast majority of which use the unsafe versions.
What are authentication cookies?
To save you the trouble of having to sign in with username and password every time you visit a website, websites use temporary (typically expires in days) authentication cookies that are automatically pulled from your cookie database and set to the server. When the cookies expire, the user is prompted to type in their username and password which is often saved by the web browser.
SSL authentication
When you sign in with your username and password, the secure way to do this is when there is an “HTTPS” in front of the website and the certificate is verified by authorities like Verisign. Your browser and operating system will keep a list of trusted Certificate Authorities (CA) and it will warn you when you visit a site that is signed by an untrusted CA. Some sites still use SSL encryption to transmit authentication data but don’t bother to use HTTPS and they are of the false conception that this is safe, but that’s not good enough because the user has no way of knowing if they’re visiting the wrong site or not.
Many websites don’t bother doing this and it makes it easy for someone to steal your username and password by putting up a fake hotspot and fake website. This type of attack is very dangerous to consumers but it requires the attacker to perform an active attack which carries some small risk of being caught if authorities triangulate their wireless signal. But in reality, there aren’t many resources allocated to tracking down this kind of attack, and the attack can be launched from a self contained box which vastly reduces risk for the attacker.
I and many other security experts have been hammering the U.S. banking industry since 2006 for failure to use SSL authentication and they finally fixed the problem years later. Unfortunately, websites like Twitter and Facebook still haven’t learned.
SSL browsing support
When you’re browsing a website without SSL (when the address bar reads HTTP and not HTTPS), anyone can see what you’re browsing. If this is Yahoo mail for example, people can read the messages you have loaded on the screen but they can’t go in and read other messages you’re not reading and they can’t send mail as you.
A website that does not support SSL browsing will not necessarily leak user authentication cookies since that’s a function of how careful the website developers are about their javascripts. Ebay is a good example of this where no cookies are leaked even though Ebay users browse without SSL.
Partial sidejacking
A partial sidejacking is where an attacker can get authentication cookies that allow them limited access to a user’s account. For example, Google.com allows an attacker to browse the websites as the victim and attackers can see on Google maps saved addresses (including home address). The same problem affects Yahoo but the attacker can’t access things like email.
Full sidejacking
A full sidejacking happens when the attacker can gain access to everything short of the username and password. On Facebook, they can log in to Facebook as the victim and see all private data and even send or post messages on behalf of the victim. The attacker usually can’t reset the password because sites like Facebook will ask for the old password to reset to a new password.
On Microsoft Hotmail, the attacker can see every email received and sent and send messages on behalf of the victim. This potentially allows the attacker to reset other user accounts that are registered to a hotmail account. Full sidejacking on an email account is very dangerous and it is surprising that Microsoft hasn’t fixed this yet. Even if they only encrypted the authentication cookies using javascript and didn’t support full SSL mode, that would vastly improve security. Google dragged their feet on Gmail for a year after sidejacking was widely reported in 2007 but they deserve credit for being one of the first to fix this problem and they’ve recently defaulted everyone to full SSL for Gmail.
Full hijacking
This is where an attacker gains access to the user’s username and password. At this point, the attacker can do anything they want with the user’s data and account. It is notable that attacking non-SSL protected protocols like POP3, SMTP, IMAP, and FTP are even easier because they can be done passively which is completely undetectable. The attack is so simple that security conferences like DEFCON has an annual “Wall of Sheep“. Attacking websites that fail to employ SSL authentication requires an active attack where the attacker has to set up a fake but realistic looking login page.
SFTP isn’t FTP-over-TLS/SSL. It’s a component of SSH2:
http://en.wikipedia.org/wiki/SSH_file_transfer_protocol
You’re right Jack, that was a typo on my part. I actually use SFTP here. I initially tried to use FTP over SSL which is FTPS, but the firewall port management issue was a nightmare so I gave up FTPS and switched to SFTP.
I’m surprised there was any trouble with FTPS, there should be a single port which you specify, no?
The SSL option on Facebook is really a joke. It seems to me there is plenty on the site which can’t handle it. There is no chat, for example.
But the real surprise of this to me is that anyone thinks there is security in an open wifi connection. The news on that is even older than 2007.
BTW, if my ISP (Verizon, but whoever) offered a simple VPN service, probably an SSL VPN would be great, and priced it reasonably, I would buy it. There are plenty of anonymous surfing sites that encrypt, but I’d prefer something from a company with whom I had a relationship.
Google supports SSL search today (https://www.google.com), although it is manual. Any reason why “(soon)” is listed?
This isn’t completely accurate- Twitter uses SSL authentication, although SSL browsing must still be done manually.
Both Twitter and Facebook point to SSL form processing pages on their default login. Are you doing something extra to force a non-SSL login for them?
There is a Firefox extension offered free by the EFF. It encrypts your communications with a number of major websites.
See here: https://www.eff.org/https-everywhere
What about Wikipedia? The stuff I read on there is more private and personal than any of those other sites listed except for Facebook.
No SSL authentication for Facebook? what?
https://login.facebook.com/login.php
Larry, FTP over TLS/SSL or FTP is horrible about ports. The payload port is dynamic and the NAT router or Firewall has to look inside one of initial signaling packets to determine the port number on the payload. If that signaling packet is encrypted, the firewall cannot determine the port. The way around this is to open up a range of a few hundred ports but that’s horrible.
@Patrick Ewing
I’m not talking about SSL encryption on the authentication session; I’m talking about SSL authentication. Just because the javascript in the background sends credentials in encrypted by SSL doesn’t mean that the user knows they’re on Twitter. The user has no way to know if they’re on Twitter if the authentication page they’re visiting is HTTP. That’s the secure authentication (where the site identifies to the user) that is missing. Reading the banking post I linked to for more.
@Christopher J. Pilkington
I’ll update that, thanks. For some strange reason when I tried HTTPS://www.google.com, it automatically redirected to HTTP. It works today though.
@John,
I’m talking about the default action John which is what is relevant to 99% of the population. Facebook defaults to HTTP for the login page and that is extremely dangerous. We cannot expect the user to manually use the SSL authentication page or install some kind of plugin.
Thanks for the report, I been searching the net to see which sites were vulnerable. Another question though, is igoogle or http://www.google.com/ig vulnerable? If so, how much because I use Igoogle a lot and despairing at the thought of not being able to use it. Thanks
[...] Online services security report card Now that the problem of user account “sidejacking” can no longer be ignored, I’ve created an online services report card that highlights which websites protect your account and which don’t. [...]
[...] Graham of Errata Security takes a look at the recent “Web 2.0″ report card compiled by Digital Society, and remarks: Of the major webmail providers in the U.S., only Gmail is [...]
Paypal?
Paypal is personally what’s important to me – that’s where (some of) my money is…
Also, a couple of years ago Paypal supported the FOB (the 6 digit rolling code you must enter with your password)
The biggest source of this whole matter of sidejacking is the insistence of web developers on re-inventing the wheel every time authentication is a requirement.
So, they twist session variables and cookies into some semblance of a answer.
The answer is in http authentication, and in particular digest authentication. It has a few very minor problems, but it is a http standard, supported by every web server, lightweight, and far superior to what some developer grafting on a quick fix onto a site as an afterthought will accomplish in 4 hours of whiz bangery at the keyboard.
@lefid3
Google IG is partially sidejackable. Attacker can see the calendar on there, but he can’t use Google Chat.
How about FTP with in-band (‘explicit’) SSL or TLS? The mechanism is similar to STARTTLS in SMTP.
What do you refer to with “SMTP SSL/TLS”? The STARTTLS type or the SMTP-over-SSL type?
@Mike R
Mike, I’m surprised I forgot to test Paypal. I must have assumed that they’d be insane to be insecure.
I just tested them and they don’t leak authentication material and they default the whole site to SSL.
Google IG is only partially sidejackable even though it doesn’t have any https?
@lefid3
As I mentioned in the post, sidejacking occurs independently of full HTTPS browsing. You can have a full HTTPS site sidejackable, but an HTTP site not. That’s because it’s the javascript in the background that betrays you when it uses HTTP.
Thanks, for the reply. I am not very technical so I needed the clarification. I reread the partial sidejack info in the article. Still pretty scary in my opinion so I am holding off using any google service except gmail on public wifi.
On a sidenote, Forbes has a blog article, that says that facebook is reacting to the controversy. Hopefully the others follow suit.
http://blogs.forbes.com/kashmirhill/2010/11/03/facebook-responds-to-firesheep-wifi-security-controversy/?boxes=techchanneltopstories
[...] [...]
I applaud Google for making Gmail HTTPS only, but do not believe they are worthy of an A – perhaps a B+. They prefer weak SSL cipher-suites (RC4-SHA1), specifically they prefer suites which do not provide what is known as Perfect Forward Secrecy, a property obtained when using secure key exchange (actually, key agreement) that protects your data that is sent over the wire in the event that the servers private SSL key were compromised in the future.
They do support such cipher suites, but you have to hack on your browser to use them (Mozilla’s about:config lets you disable particular cipher suites), so most uses will not have this protection.
Due to the sensitive nature of email, I believe perfect forward secrecy should be a requirement when deploying SSL for webmail (as well as for secure IMAP, POP3, etc) – so I would not in good faith rate them as the best of the best given this.
The fact that SSL is used can not by itself constitute a good grade, SSL/TLS are very complicated protocols and they must be deployed securely.
Ian Gallagher
Firesheep co-author/co-presenter
Hi,
Thanks for doing this, your report has helped me avert a campus-wide panic.
I am however using the momentum this issue has generated to get a few timely changes in our remote working policy. There are a lot of folk here with no real requirement to understand any of this but a real responsibility for their own security. Something like this makes the issue so much easier to police.
I like to think of it as attitude patch.
@Ian ‘craSH’ Gallagher
Thanks for commenting Ian, you’re always welcome here.
Question: How practical is it to exploit RC4-SHA1? It may not be the purest, but is it that exploitable even by top crypto researchers?
The grading scale I used is more of a sanity check. The scale is easy enough that everyone should be doing as well as Gmail.
I’m trying to use Facebook and Twitter over https since reading about Firesheep and this post.
One thing I noted is that even tough the tab I opened are on HTTPS, in this very site I can be mislead to send my cookies without SSL. The “follow us on twitter” points to plain http and the tweet and Facebook share buttons open windows in plain http also.
Is there a way to prevent this from happening? Any recommended browser extensions/addons?
@Iraê
Until Facebook offers a fix, you might try using a forced no script option with HTTPS. That may break some functionality though.
@George Ou
Using forced SSL on Facebook cripples the site.
I’ve been redirected to the login page so many times that my account is now blocked!
I tryed using: https://www.eff.org/https-everywhere
Except for Facebook, everything seems to work fine.
[...] asked Microsoft for a response to their failing score on my “Online services security report card” for their Hotmail service and got the response that Hotmail customers were hoping to hear. [...]
[...] failing grades were given to the two sites in the “Online Services Security Report Card” created by Digital Society, a “digital think [...]
[...] failing grades were given to the two sites in the “Online Services Security Report Card” created by Digital Society, a “digital think [...]
[...] Random note for possible use by the readers. You may wonder how to protect yourself better against Internet snoopers like Google Street View, and even some more active forms of attack, and Digital Society has a decent-looking primer on the subject. [...]
[...] [...]
[...] failing grades were given to the two sites in the “Online Services Security Report Card” created by Digital Society, a “digital think [...]
[...] Digital Society, uma organização digital que criou o ranking de segurança dos serviços online, avaliou quais [...]
Could you please include LinkedIn ?
[...] Digital Society, uma organização digital que criou o ranking de segurança dos serviços online, avaliou quais [...]
@Carlos
Firesheep does not support Linkedin so I’ll have to test with Hamster.
When I type https//hotmail.com, it seems to work, also when reading and answering e-mails. The connection seems to be slower though.
I also found a screen under Options where you can choose between https and http. But when I choose to continue in https, it says that this function is not available for my accounttype (?).
Hope the javascipt will be fixed soon too. I’ll keep checking this interesting blog for news on this subject.
@George Ou
Breaking the symmetric cipher RC4 or the hashing algorithm SHA1 isn’t my direct concern (I’m not saying it’s unreasonable to consider), it’s that their preferred cipher suites in particular do not include Ephemeral Diffie-Hellman key exchange, which would provide perfect forward secrecy to a reasonably high degree.
Without perfect forward secrecy, compromise of their private RSA key (either by stealing it, or cracking it – people currently say 1024 bit RSA will be safe for anywhere between 0 (with $250m – $1billion USD) and 5-10 more years (Moore’s Law).. read more here: http://www.rsa.com/rsalabs/node.asp?id=2007 ) means that you will be able to decrypt any past traffic that was protected using that key. So an attacker could capture your encrypted Gmail traffic now, and in the future, decrypt it if the RSA key were compromised. This is something that most people don’t realize, and it’s important for truly sensitive data (which email oftentimes may be – think government contractors, intellectual property, etc)
I suspect we’ll discuss this in particular more in the future, it’s an interesting topic.
-Ian
What about Friendster?
@Caroline
That’s a great point! I tested it and got the same thing. It might be an indication that we’re not beta testers for this feature.
I also found it interesting that the following applications prevent you from permanently turning on HTTPS.
• Outlook Hotmail Connector
• Windows Live Mail
• The Windows Live application for Windows Mobile and Nokia
So it would seem that those applications are stuck using HTTP for at least the payload.
[...] [...]
[...] Society, a self-professed security think tank, has given failing security grades to both Twitter and Facebook. Both sites are vulnerable to attacks that can give someone partial or [...]
[...] Technology: Online services security report card A think tank called Digital Society has shed important light on the lacking security of ever [...]
[...] Ou promised to create an online service report card that will be upated over time. For more details, see his full report. [...]
[...] Fonte: http://www.digitalsociety.org/2010/11/online-services-security-report-card/ [...]
Thanks George, I mentioned your security report card here:
http://www.boot-land.net/forums/index.php?showtopic=12880&st=0&gopid=113158&#entry113158
[...] Online services security report card – digitalsociety.org Even though the vulnerability and easy exploitation online services have been well known since 2007, the lack of mainstream tech media coverage has allowed the online industry to sweep the problem under the rug for the past 3 years. [...]
[...] sitio Digital Society desarrolló un gráfico que es una especie de tarjeta de reportes, en donde calificó a varios [...]
[...] som Facebook og Twitter er pivåbne for mørke kræfter ude efter brugerdata. Det fortæller en ny undersøgelse foretaget af amerikanske Digital Society, der har kigget på en række af nettets mest populære [...]
[...] Flickr, and other popular websites.Riding off of the coattails of the FireSheep Firefox exploit, Digital Society has studied the basic security functions of 11 popular websites and given them grades. The results [...]
[...] Van Camp posted a condensed version of my Online Services Security Report Card (which has been cited by many in the mainstream tech press) and somehow it managed to make it to [...]
[...] That’s all well and good, but Facebook’s got my back, right? You’d think Facebook, Twitter, Amazon and Flickr would be ahead of these shenanigans. They’re not. [...]
[...] [...]
What about Myspace.com? What grade does it get?
@Cliff C
I’ll check Myspace, but does anybody even use that anymore?
[...] Society, a self-professed security think tank, has given failing security grades to both Twitter and Facebook. Both sites are vulnerable to attacks that can give someone partial or [...]
[...] [...]
[...] kreierte, hat Digital Society die (Un)Sicherheit der beliebtesten Web-Anwendungen untersucht. Das niederschmetternde Ergebnis: Zwei der beliebtesten Internetservices, Facebook und Twitter, schneiden am schlechtesten [...]
[...] stellar grades from Digital Society, a “digital think tank,” which created an “Online Services Security Report Card” indicating the (in)ability of those and other sites to protect user [...]
[...] un anuncio llevado a cabo por Digital Society en el que se analizaban diversos aspectos relacionados con la seguridad de diversos servicios de [...]
[...] stellar grades from Digital Society, a “digital think tank,” which created an “Online Services Security Report Card” indicating the (in)ability of those and other sites to protect user [...]
[...] misused, Facebook users have no shortage of things to worry about. Digital Society, a think tank, released study results that indicate that Facebook failed a basic security test miserably, because data is largely [...]
[...] IP addresses of FireSheep users who are most likely amateur hackers trying to sidejack (see definitions of sidejacking here) their schoolmates’ Facebook and Twitter account at a college campus somewhere. The tool [...]
[...] kreierte, hat Digital Society die (Un)Sicherheit der beliebtesten Web-Anwendungen untersucht. Das niederschmetternde Ergebnis: Zwei der beliebtesten Internetservices, Facebook und Twitter, schneiden am schlechtesten [...]
[...] discutiendo acerca de la seguridad que nos brindan los servicios a través de la web. El sitio Digital Society realizó un estudio hace algunos días, donde pone de manifiesto las brechas de privacidad en la [...]
[...] stellar grades from Digital Society, a “digital think tank,” which created an “Online Services Security Report Card” indicating the (in)ability of those and other sites to protect user [...]
[...] you’re interested in the full technical explanation of the scores, we recommend you read the original article at [...]
Great report card here. Two things:
1) Do we have any idea how EBay does authentication/sessions without leaking cookies over HTTP? This seems… not obviously possible to me. Most of the other schemes I’ve heard of (linking to a particular IP address, for example) seem so bug prone as to destroy usability, and aren’t necessarily secure at the same time.
2) It’s a little funny that the https:// for this page in Chrome is crossed out. Double-clicking on it shows that the problem is that while the page is correctly served over https, some of the resources on the page are not over https (presumably the Twitter feed). But this means that the page as a whole can’t be trusted, since the resource that’s not over https could be a MITM-ed cookiejacking JavaScript. Sigh.
Sasha.
@Sasha Aickin
The JavaScript is either using SSL (even if the page isn’t using SSL) or some other scrambling scheme. Robert Graham of ErrataSec said that in the past, he’s been able to harvest the cookie by massaging it manually and then feeding it to Hamster, but he hasn’t tried recently.
Browsers shouldn’t necessarily give an alert for partial SSL in my opinion. That’s because for bulk images and advertisements containing non-personal data (especially when it’s coming from an Ad or CDN server), it doesn’t need SSL. When browsers give too many alerts, it becomes excessive false alarm syndrome which leads to apathy.
The problem is that even when everything on the page is SSL (and you get no browser warning), the javascript code can make calls to HTTP which leaks authentication material. So the browser SSL warning system is effectively broken since it alerts you when it doesn’t need to and doesn’t alert you when it needs to.
[...] [...]
Then why isn’t your website https?
@Alida Antonia Cornelius
Digital Society does indeed support HTTPS, but it’s not enabled for our readers since we store none of your personal data and we don’t even know who you are. We do use SSL for our editors and authors to log in so we don’t leak our authentication cookies or credentials. Your nitpicking is irrelevant to the issues.
[...] [...]
[...] [...]
[...] [...]
Hotmail supports “SSL browsing” for a few days ago.
This it’s posible changing Http://www.hotmail.comfor https://www.hotmail.com manually.
When we authenticate will ask if you want to be permanent.
[...] de Alcalá… Para mayor información pueden ver este sitio que constulto constantemente que es Digital Society. Por ello tengan mucho cuidado en Facebook y twitter. En mi próximo artículo les podré algunos [...]
[...] what appears to be a response to the increased awareness from FireSheep, Microsoft has added a full SSL option for Microsoft Hotmail. Unfortunate, it is not a [...]
[...] [...]
[...] [...]
[...] [...]
[...] vernichtende Kritik an den Sicherheitsstandards des Nachrichtendienstes Twitter und des Netzwerks Facebook übt die [...]
[...] email address be enough to entice Gmail users? While we're considering that, it's worth noting that a recent report from Digital Society gave Facebook a failing grade of "F" for security while it gave Gmail an [...]
I’m not a computer person, but this was passed on to me by somebody who was after I got hijacked in my msn, hotmail, and facebook. So my question is, what do I do about it? I’ve changed my passwords, now what? How do I prevent it from happening again?
I totally get why facebook AND twitter are a NO regarding SSL Authentication: Initially, if one were to click on the link provided by a google search, without first checking that link, or by just merely entering “facebook.com” or “twitter.com” in your browser’s adress bar – both facebook and twitter send you to their DEFAULT non-SSL pages for login.
That is just a fact.
The sites that are GREEN take you to their SSL login pages with NO WAY to get to a non-SSL page – at the very least, although some are using re-direct in case you try to go to http, many sites are just eliminating their http pages altogether and replacing them with https pages – most Web hosts have control panels that can change all your pages en masse; in IIS7+ you can search and replace or send a script out to find/replace all of your http to https.
Really a no-brainer.
[...] [...]
[...] que a Digital Society, um grupo de especialistas que se auto-intitula “think tank”, baixou as notas de segurança dos sites Facebook e Twitter. Os dois serviços são vulneráveis a ataques que podem dar a alguém [...]
[...] la clase en seguridad. 20/11/2010 By blaunia TweetGeorges Ou, de Digital Society, ha hecho pasar un test de seguridad a algunos de los más populares servicios de la web 2.0. Desde Flicker a Yahoo, pasando por eBay, [...]
[...] off coattails z FireSheep Firefox wykorzystać , Digital Society studiował podstawowe funkcje bezpieczeństwa 11 popularnych stron internetowych i dał im klas. [...]
[...] who are failing to protect their users by not encrypting their sites. And shame it did. A recent Digital Society security report shows just how bad the situation is, with Facebook, Twitter and Flickr amongst those sites where [...]
[...] „Wie sicher sind meine Daten?“. Eine Antwort auf diese Frage liefert nun eine Studie der „Digital Society“. Diese bewertet sowohl den Nachrichtendienst Twitter als auch das Netzwerk Facebook mit der [...]
[...] [...]
[...] of the more interesting analysis pages I’ve seen was one which had a scorecard. At first blush it’s fairly obvious but one thing stuck out at me regarding the last part of [...]
[...] U ovom tekstu koristio sam termin hijacking, mada u konkretnom kontekstu bi sidejacking bilo korekntije. Za objašenjenje razlike između ova dva termina, ali i pregled izloženosti nekih često korištenih Internet usluga pogledajte Online services security report card. [...]
[...] [...]
[...] [...]
[...] Online services security report card – Updated 2/4/2011 [...]
hey George,
I’m assuming you’re already familiar with https://www.ssllabs.com/ssldb/ ? great tool, btw.
best regards,
[...] some background, Gmail did very well in my online security report card, but that likely had something to do with the fact that Google got most of the negative attention [...]
[...] [...]
[...] [...]
[...] [...]
[...] Society, a self-professed security think tank, has given failing security grades to both Twitter and Facebook. Both sites are vulnerable to attacks that can give someone partial or [...]
[...] [...]
[...] [...]
[...] [...]
[...] up the last post on Firesheep, George Ou over at digitalsociety.org put together an excellent report card for some of the most popular online service websites and some explanations about some of the attack [...]
Leave your response!
Twitter Feed
About Us
Digital Society is a digital think tank that believes culture and commerce are inseparable, that the digital economy flourishes when people are free and rights are secure, and that free markets free people.
Digital Society is an independent 501(c)3 non-profit organization, funded by donations from Jon Henke and from Arts+Labs. We advocate for a pro-culture, pro-commerce digital society through research, analysis and debate on emerging technology issues.
Reply Comments
Transparency and interactivity are trademarks of the Internet era, and we aim to foster them here at Digital Society. It is inevitable that some people will disagree with the technology policy positions we take. We want to have that constructive debate.
The Reply Comments feature gives our critics a chance to respond to our viewpoints and the Digital Society audience convenient access to competing arguments. Any time we directly challenge the views of an individual or a group on this site, the party in question may substantively respond in a guest post.
Please contact executive director Jon Henke by e-mail.
Subscribe
Recent Posts
Recent Posts
Most Commented
Most Viewed