
Online services security report card

By 1 November 2010 113 Comments

Update 2/4/2011 – Updated report card chart in Figure 1

Update 11/9/2010 – Microsoft ‘fixes’ Hotmail with an unusable fix.  That means I’m boosting Hotmail’s grade from a “D-” to a “D+” which is still a failure until they come out with a better fix.

Update 11/4/2010 – Microsoft promises fix to Hotmail security this month

A lot of website security awareness has been raised over the last week since the release of a simple-to-use website user account hijacking tool called FireSheep.  The tool gives attackers temporary full access to your web accounts like Facebook, Twitter, and Microsoft Hotmail.  Many sites have been offering the incorrect advice to just force the website to run SSL, but my testing shows that sidejacking is still possible even when the site runs SSL.  Some people have suggested tools that go as far as rewriting the website’s javascript, but we’re getting into deep water on complexity, and the user shouldn’t have to re-engineer the websites they visit to protect their own user accounts.  Permanent fixes from the likes of Facebook, Twitter, and Microsoft are long overdue.

Even though the vulnerability of online services and its easy exploitation have been well known since 2007, the lack of mainstream tech media coverage has allowed the online industry to sweep the problem under the rug for the past 3 years.  Now that the problem can no longer be ignored because anyone can use the attack to steal other people’s accounts, I’m going to create an online services report card that will be updated over time.  Look below Figure 1 to see basic definitions of the various types of security breaches.

Figure 1 – Online services security report card

Note that “WordPress” refers to all the independent implementations of WordPress, but the WordPress.com free hosting site does implement SSL.  The bottom portion of the table refers to generic protocols that are commonly used by computers and smartphones, the vast majority of which use the unsafe versions.

What are authentication cookies?

To save you the trouble of having to sign in with your username and password every time you visit a website, websites use temporary authentication cookies (typically expiring in days) that are automatically pulled from your cookie database and sent to the server.  When the cookies expire, the user is prompted to type in their username and password, which is often saved by the web browser.

SSL authentication

When you sign in with your username and password, the secure way to do this is when there is an “HTTPS” in front of the website address and the certificate is verified by authorities like Verisign.  Your browser and operating system keep a list of trusted Certificate Authorities (CAs) and will warn you when you visit a site whose certificate is signed by an untrusted CA.  Some sites still use SSL encryption to transmit authentication data but don’t bother to use HTTPS for the login page itself, under the false impression that this is safe.  That’s not good enough, because the user has no way of knowing whether they’re visiting the wrong site or not.

Many websites don’t bother doing this, and it makes it easy for someone to steal your username and password by putting up a fake hotspot and a fake website.  This type of attack is very dangerous to consumers, but it requires the attacker to perform an active attack, which carries some small risk of being caught if authorities triangulate their wireless signal.  In reality, though, there aren’t many resources allocated to tracking down this kind of attack, and the attack can be launched from a self-contained box, which vastly reduces the risk for the attacker.

I and many other security experts have been hammering the U.S. banking industry since 2006 for its failure to use SSL authentication, and they finally fixed the problem years later.  Unfortunately, websites like Twitter and Facebook still haven’t learned.

SSL browsing support

When you’re browsing a website without SSL (when the address bar reads HTTP and not HTTPS), anyone can see what you’re browsing.  If this is Yahoo mail, for example, people can read the messages you have loaded on the screen, but they can’t go in and read other messages you’re not reading, and they can’t send mail as you.

A website that does not support SSL browsing will not necessarily leak user authentication cookies, since that is a function of how careful the website developers are about their javascript.  Ebay is a good example of this: no cookies are leaked even though Ebay users browse without SSL.
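The two preceding sections describe the mechanism that decides whether a site is sidejackable: the browser attaches an authentication cookie to every request whose host and path match, over HTTP as well as HTTPS, unless the cookie carries the `Secure` attribute, so a single background script call to an http:// URL is enough to expose it. The following Python script, added here as an illustration and not code from the original post, audits a login response for exactly that. The Set-Cookie headers, the resource URLs and the cookie names in it are constructed for the example and do not describe any real site.

```python
"""Audit whether a site's authentication cookies can leak over plaintext HTTP.

This models the browser rule that sidejacking depends on: a cookie is attached
to every request whose host and path match the cookie's Domain and Path,
regardless of scheme, unless the cookie carries the `Secure` attribute, in
which case it travels only over https://.  The Set-Cookie headers, resource
URLs and cookie names below are constructed for this example.
"""
from http.cookies import SimpleCookie
from urllib.parse import urlsplit

# Constructed login-response headers: one session cookie set correctly, one not.
LOGIN_RESPONSE_SET_COOKIE = [
    "sess=abc123; Domain=.example-mail.test; Path=/; HttpOnly; Secure",
    "auth_token=def456; Domain=.example-mail.test; Path=/; HttpOnly",
    "theme=dark; Domain=.example-mail.test; Path=/",
]

# Constructed list of what the HTTPS page's scripts fetch in the background.
PAGE_RESOURCE_URLS = [
    "https://www.example-mail.test/inbox",
    "http://www.example-mail.test/api/unread_count",  # background call over HTTP
    "http://cdn.example-mail.test/logo.png",           # same parent domain
    "http://ads.other.test/banner.js",                 # unrelated domain
]

# Assumed names of the cookies that authenticate the session.
AUTH_COOKIE_NAMES = {"sess", "auth_token"}


def parse_set_cookie(headers):
    """Parse Set-Cookie headers into {name: {domain, path, secure, httponly}}."""
    jar = {}
    for header in headers:
        cookie = SimpleCookie()
        cookie.load(header)
        for name, morsel in cookie.items():
            jar[name] = {
                "domain": morsel["domain"].lower(),
                "path": morsel["path"] or "/",
                "secure": bool(morsel["secure"]),
                "httponly": bool(morsel["httponly"]),
            }
    return jar


def domain_matches(host, cookie_domain):
    """A Domain of '.example.test' matches example.test and every subdomain."""
    base = cookie_domain.lstrip(".")
    host = host.lower()
    return host == base or host.endswith("." + base)


def cookies_sent_to(jar, url):
    """Names of the cookies a browser would attach to a request for `url`."""
    parts = urlsplit(url)
    sent = []
    for name, c in jar.items():
        if not domain_matches(parts.hostname, c["domain"]):
            continue
        if not (parts.path or "/").startswith(c["path"]):
            continue
        if c["secure"] and parts.scheme != "https":
            continue  # Secure cookies are never sent in the clear
        sent.append(name)
    return sorted(sent)


def plaintext_cookie_leaks(headers, urls, auth_names=AUTH_COOKIE_NAMES):
    """Map each http:// URL to the authentication cookies it would expose."""
    jar = parse_set_cookie(headers)
    leaks = {}
    for url in urls:
        if urlsplit(url).scheme == "https":
            continue
        exposed = [n for n in cookies_sent_to(jar, url) if n in auth_names]
        if exposed:
            leaks[url] = exposed
    return leaks


def missing_secure_flag(headers, auth_names=AUTH_COOKIE_NAMES):
    """Authentication cookies the server issued without the Secure attribute."""
    jar = parse_set_cookie(headers)
    return sorted(n for n in auth_names if n in jar and not jar[n]["secure"])


if __name__ == "__main__":
    print("auth cookies missing Secure:", missing_secure_flag(LOGIN_RESPONSE_SET_COOKIE))
    for url, names in plaintext_cookie_leaks(LOGIN_RESPONSE_SET_COOKIE, PAGE_RESOURCE_URLS).items():
        print(f"LEAK {url} -> {names}")
```

Running it flags `auth_token` as leaking on both http:// requests, while `sess` stays private because of its `Secure` attribute, even though the page itself was loaded over HTTPS. The same check can be pointed at the headers of a real login response and the request URLs shown in a browser's network panel.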

Partial sidejacking

A partial sidejacking is where an attacker can get authentication cookies that allow them limited access to a user’s account.  For example, Google.com allows an attacker to browse the websites as the victim, and the attacker can see the addresses saved in Google Maps (including the home address).  The same problem affects Yahoo, but the attacker can’t access things like email.

Full sidejacking

A full sidejacking happens when the attacker can gain access to everything short of the username and password.  On Facebook, they can log in to Facebook as the victim and see all private data and even send or post messages on behalf of the victim.  The attacker usually can’t reset the password because sites like Facebook will ask for the old password to reset to a new password.

On Microsoft Hotmail, the attacker can see every email received and sent and can send messages on behalf of the victim.  This potentially allows the attacker to reset other user accounts that are registered to a Hotmail account.  Full sidejacking on an email account is very dangerous, and it is surprising that Microsoft hasn’t fixed this yet.  Even if they only encrypted the authentication cookies using javascript and didn’t support full SSL mode, that would vastly improve security.  Google dragged their feet on Gmail for a year after sidejacking was widely reported in 2007, but they deserve credit for being one of the first to fix this problem, and they’ve recently defaulted everyone to full SSL for Gmail.

Full hijacking

This is where an attacker gains access to the user’s username and password.  At this point, the attacker can do anything they want with the user’s data and account.  It is notable that attacking non-SSL-protected protocols like POP3, SMTP, IMAP, and FTP is even easier, because it can be done passively, which is completely undetectable.  The attack is so simple that security conferences like DEFCON hold an annual “Wall of Sheep”.  Attacking websites that fail to employ SSL authentication requires an active attack where the attacker has to set up a fake but realistic-looking login page.
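The passive attack on POP3, SMTP, IMAP and FTP described in this section is also the easiest thing for a defender to spot on their own network, because the credential-bearing commands are visible in the clear. Below is a Python monitoring check, added here as an example and not part of the original article, that walks the client side of each mail or FTP session, stops once the session upgrades to TLS, and reports logins that went out unencrypted without ever storing the password. The session transcripts and the port-to-protocol table are constructed for the example.

```python
"""Flag logins sent in the clear on POP3, IMAP, SMTP and FTP.

A monitoring check of the kind a network defender runs to find clients that
still use the unencrypted versions of these protocols.  It walks the client
side of each session, stops as soon as the session upgrades to TLS
(STARTTLS / STLS / AUTH TLS, after which the rest is encrypted), and reports
any credential-bearing command seen before that point.  Passwords are never
recorded in the report.  The session transcripts are constructed for this
example; they are not captured traffic.
"""
import re

# Well-known plaintext ports and the protocol each carries (assumed mapping).
PORT_PROTOCOL = {21: "FTP", 25: "SMTP", 110: "POP3", 143: "IMAP", 587: "SMTP"}

# Client commands that switch the connection to TLS.
TLS_UPGRADE = {
    "FTP": ("AUTH TLS", "AUTH SSL"),
    "SMTP": ("STARTTLS",),
    "POP3": ("STLS",),
    "IMAP": ("STARTTLS",),
}

# Client commands that carry credentials (IMAP commands are prefixed by a tag).
CREDENTIAL_COMMAND = {
    "FTP": re.compile(r"^PASS\b", re.I),
    "POP3": re.compile(r"^PASS\b", re.I),
    "SMTP": re.compile(r"^AUTH\s+(?:PLAIN|LOGIN)\b", re.I),
    "IMAP": re.compile(r"^\S+\s+LOGIN\b", re.I),
}

# Constructed transcripts: "C:" is client to server, "S:" is server to client.
SAMPLE_SESSIONS = [
    {"dst_port": 110, "lines": ["S: +OK POP3 ready", "C: USER alice", "S: +OK",
                                "C: PASS hunter2", "S: +OK Logged in"]},
    {"dst_port": 143, "lines": ["S: * OK IMAP4rev1 ready",
                                "C: a1 LOGIN alice hunter2", "S: a1 OK"]},
    {"dst_port": 587, "lines": ["S: 220 mail ready", "C: EHLO laptop",
                                "S: 250-STARTTLS", "C: STARTTLS", "S: 220 Go ahead"]},
    {"dst_port": 25, "lines": ["S: 220 mail ready", "C: EHLO laptop", "S: 250 ok",
                               "C: AUTH PLAIN AGFsaWNlAGh1bnRlcjI=", "S: 235 ok"]},
    {"dst_port": 21, "lines": ["S: 220 FTP", "C: USER alice", "S: 331",
                               "C: PASS hunter2", "S: 230"]},
    {"dst_port": 21, "lines": ["S: 220 FTP", "C: AUTH TLS", "S: 234 Proceed"]},
]


def inspect_session(session):
    """Return (port, protocol, command) if a login was sent in the clear, else None."""
    port = session["dst_port"]
    proto = PORT_PROTOCOL.get(port)
    if proto is None:
        return None
    for line in session["lines"]:
        if not line.startswith("C: "):
            continue
        cmd = line[3:].strip()
        upper = cmd.upper()
        # Strip the IMAP tag so the TLS-upgrade check sees the bare command.
        bare = upper.split(None, 1)[1] if proto == "IMAP" and " " in upper else upper
        if any(bare.startswith(k) for k in TLS_UPGRADE[proto]):
            return None  # everything after this point is encrypted
        match = CREDENTIAL_COMMAND[proto].match(cmd)
        if match:
            command = match.group(0).upper()
            if proto == "IMAP":
                command = command.split(None, 1)[1]
            return (port, proto, command)  # password deliberately not recorded
    return None


def plaintext_login_report(sessions):
    """All sessions in which credentials crossed the wire unencrypted."""
    findings = [inspect_session(s) for s in sessions]
    return [f for f in findings if f is not None]


if __name__ == "__main__":
    for port, proto, command in plaintext_login_report(SAMPLE_SESSIONS):
        print(f"plaintext login: {proto} on port {port} via {command}")
```

On the constructed sessions the report lists the POP3, IMAP, SMTP-on-25 and first FTP sessions; the submission-port session that issued STARTTLS and the FTP session that issued AUTH TLS are not reported, since their logins happened after the upgrade. Note that an SMTP AUTH PLAIN blob is only base64-encoded, not encrypted, which is why it counts as a plaintext login.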


  • Jack Moves said:

    SFTP isn’t FTP-over-TLS/SSL. It’s a component of SSH2:


  • George Ou (author) said:

    You’re right Jack, that was a typo on my part. I actually use SFTP here. I initially tried to use FTP over SSL which is FTPS, but the firewall port management issue was a nightmare so I gave up FTPS and switched to SFTP.

  • Larry Seltzer said:

    I’m surprised there was any trouble with FTPS, there should be a single port which you specify, no?

    The SSL option on Facebook is really a joke. It seems to me there is plenty on the site which can’t handle it. There is no chat, for example.

    But the real surprise of this to me is that anyone thinks there is security in an open wifi connection. The news on that is even older than 2007.

  • Larry Seltzer said:

    BTW, if my ISP (Verizon, but whoever) offered a simple VPN service, probably an SSL VPN would be great, and priced it reasonably, I would buy it. There are plenty of anonymous surfing sites that encrypt, but I’d prefer something from a company with whom I had a relationship.

  • Christopher J. Pilkington said:

    Google supports SSL search today (https://www.google.com), although it is manual. Any reason why “(soon)” is listed?

  • Patrick Ewing said:

    This isn’t completely accurate- Twitter uses SSL authentication, although SSL browsing must still be done manually.

  • Danny O Brien said:

    Both Twitter and Facebook point to SSL form processing pages on their default login. Are you doing something extra to force a non-SSL login for them?

  • teleston said:

    There is a Firefox extension offered free by the EFF. It encrypts your communications with a number of major websites.
    See here: https://www.eff.org/https-everywhere

  • John T said:

    What about Wikipedia? The stuff I read on there is more private and personal than any of those other sites listed except for Facebook.

  • John said:

    No SSL authentication for Facebook? what?

  • George Ou (author) said:

    Larry, FTP over TLS/SSL or FTP is horrible about ports. The payload port is dynamic and the NAT router or Firewall has to look inside one of initial signaling packets to determine the port number on the payload. If that signaling packet is encrypted, the firewall cannot determine the port. The way around this is to open up a range of a few hundred ports but that’s horrible.

  • George Ou (author) said:

    @Patrick Ewing

    I’m not talking about SSL encryption on the authentication session; I’m talking about SSL authentication. Just because the javascript in the background sends credentials encrypted by SSL doesn’t mean that the user knows they’re on Twitter. The user has no way to know if they’re on Twitter if the authentication page they’re visiting is HTTP. That’s the secure authentication (where the site identifies itself to the user) that is missing. Read the banking post I linked to for more.

  • George Ou (author) said:

    @Christopher J. Pilkington

    I’ll update that, thanks. For some strange reason when I tried https://www.google.com, it automatically redirected to HTTP. It works today though.

  • George Ou (author) said:


    I’m talking about the default action, John, which is what is relevant to 99% of the population. Facebook defaults to HTTP for the login page and that is extremely dangerous. We cannot expect the user to manually use the SSL authentication page or install some kind of plugin.

  • lefid3 said:

    Thanks for the report, I’ve been searching the net to see which sites were vulnerable. Another question though, is iGoogle or http://www.google.com/ig vulnerable? If so, how much, because I use iGoogle a lot and am despairing at the thought of not being able to use it. Thanks

  • Online services security report card posted | Technology for Mortals said:

    […] Online services security report card Now that the problem of user account “sidejacking” can no longer be ignored, I’ve created an online services report card that highlights which websites protect your account and which don’t. […]

  • Hotmail security still sucks » K4 Media Web Design, Phnom Penh, Cambodia said:

    […] Graham of Errata Security takes a look at the recent “Web 2.0″ report card compiled by Digital Society, and remarks: Of the major webmail providers in the U.S., only Gmail is […]

  • Mike R said:


    Paypal is personally what’s important to me – that’s where (some of) my money is…

    Also, a couple of years ago Paypal supported the FOB (the 6 digit rolling code you must enter with your password)

  • ps said:

    The biggest source of this whole matter of sidejacking is the insistence of web developers on re-inventing the wheel every time authentication is a requirement.

    So, they twist session variables and cookies into some semblance of an answer.

    The answer is in HTTP authentication, and in particular digest authentication. It has a few very minor problems, but it is an HTTP standard, supported by every web server, lightweight, and far superior to what some developer grafting a quick fix onto a site as an afterthought will accomplish in 4 hours of whiz bangery at the keyboard.

  • George Ou (author) said:


    Google IG is partially sidejackable. Attacker can see the calendar on there, but he can’t use Google Chat.

  • John said:

    How about FTP with in-band (‘explicit’) SSL or TLS? The mechanism is similar to STARTTLS in SMTP.

    What do you refer to with “SMTP SSL/TLS”? The STARTTLS type or the SMTP-over-SSL type?

  • George Ou (author) said:

    @Mike R

    Mike, I’m surprised I forgot to test Paypal. I must have assumed that they’d be insane to be insecure.

    I just tested them and they don’t leak authentication material and they default the whole site to SSL.

  • lefid3 said:

    Google IG is only partially sidejackable even though it doesn’t have any https?

  • George Ou (author) said:


    As I mentioned in the post, sidejacking occurs independently of full HTTPS browsing. You can have a full HTTPS site sidejackable, but an HTTP site not. That’s because it’s the javascript in the background that betrays you when it uses HTTP.

  • lefie said:

    Thanks for the reply. I am not very technical so I needed the clarification. I reread the partial sidejack info in the article. Still pretty scary in my opinion so I am holding off using any google service except gmail on public wifi.

    On a sidenote, Forbes has a blog article, that says that facebook is reacting to the controversy. Hopefully the others follow suit.


  • Ian 'craSH' Gallagher said:

    I applaud Google for making Gmail HTTPS only, but do not believe they are worthy of an A – perhaps a B+. They prefer weak SSL cipher-suites (RC4-SHA1), specifically they prefer suites which do not provide what is known as Perfect Forward Secrecy, a property obtained when using secure key exchange (actually, key agreement) that protects your data that is sent over the wire in the event that the server’s private SSL key were compromised in the future.

    They do support such cipher suites, but you have to hack on your browser to use them (Mozilla’s about:config lets you disable particular cipher suites), so most users will not have this protection.

    Due to the sensitive nature of email, I believe perfect forward secrecy should be a requirement when deploying SSL for webmail (as well as for secure IMAP, POP3, etc) – so I would not in good faith rate them as the best of the best given this.

    The fact that SSL is used can not by itself constitute a good grade, SSL/TLS are very complicated protocols and they must be deployed securely.

    Ian Gallagher
    Firesheep co-author/co-presenter
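The forward-secrecy point Ian makes above can be checked mechanically from the cipher-suite names a server prefers. The Python below is an added example, not code from the post or from the Firesheep authors; it classifies OpenSSL-style suite names by whether their key exchange is ephemeral, audits a constructed preference list in which RC4-SHA comes first, and builds a client context that will only negotiate forward-secret suites. The preference list is constructed, and the cipher string in `hardened_client_context` is one reasonable choice among several.

```python
"""Classify TLS cipher suites by whether they provide forward secrecy.

Forward secrecy comes from an ephemeral key agreement (DHE or ECDHE; TLS 1.3
suites are ephemeral by construction).  Suites that use static RSA key
transport, such as RC4-SHA or AES128-SHA, let anyone who later obtains the
server's private key decrypt sessions they recorded earlier.  Suite names use
OpenSSL spelling; the sample preference list is constructed for this example
and does not describe any real server.
"""
import ssl

# OpenSSL name prefixes that denote an authenticated ephemeral (EC)DH exchange.
EPHEMERAL_KX_PREFIXES = {"ECDHE", "DHE", "EDH", "EECDH"}


def provides_forward_secrecy(openssl_name):
    """True if the suite's key exchange is ephemeral (TLS 1.3 always is)."""
    name = openssl_name.upper()
    if name.startswith("TLS_"):  # TLS 1.3 suite names do not encode the kx
        return True
    return name.split("-")[0] in EPHEMERAL_KX_PREFIXES


# Constructed server preference order, most preferred first.
SAMPLE_SERVER_PREFERENCE = [
    "RC4-SHA",                      # static RSA, no forward secrecy
    "AES128-SHA",                   # static RSA, no forward secrecy
    "ECDHE-RSA-AES128-GCM-SHA256",  # ephemeral ECDH
    "DHE-RSA-AES256-SHA",           # ephemeral DH
    "TLS_AES_256_GCM_SHA384",       # TLS 1.3
]


def audit_preference(suites):
    """Return (top_choice_has_pfs, suites_without_pfs) for a preference list."""
    without = [s for s in suites if not provides_forward_secrecy(s)]
    top_has_pfs = bool(suites) and provides_forward_secrecy(suites[0])
    return top_has_pfs, without


def hardened_client_context():
    """A client context that only offers forward-secret suites (one sane choice)."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM")
    return ctx


def context_offers_only_pfs(ctx):
    """Check every suite the context would offer against the classifier."""
    return all(provides_forward_secrecy(c["name"]) for c in ctx.get_ciphers())


if __name__ == "__main__":
    top, weak = audit_preference(SAMPLE_SERVER_PREFERENCE)
    print("server's first choice has forward secrecy:", top)
    print("suites without forward secrecy:", weak)
    print("hardened client offers only PFS suites:",
          context_offers_only_pfs(hardened_client_context()))
```

The audit reports that the constructed server's first choice lacks forward secrecy and lists RC4-SHA and AES128-SHA as the offending suites; the hardened client context, restricted to ECDHE and DHE suites, passes the same classifier for every suite it would offer. The classifier works on names only, so it is cheap to run over a server's advertised preference order as part of a TLS configuration review.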

  • Steve WJ said:


    Thanks for doing this, your report has helped me avert a campus-wide panic.

    I am however using the momentum this issue has generated to get a few timely changes in our remote working policy. There are a lot of folk here with no real requirement to understand any of this but a real responsibility for their own security. Something like this makes the issue so much easier to police.

    I like to think of it as attitude patch.

  • George Ou (author) said:

    @Ian ‘craSH’ Gallagher

    Thanks for commenting Ian, you’re always welcome here.

    Question: How practical is it to exploit RC4-SHA1? It may not be the purest, but is it that exploitable even by top crypto researchers?

    The grading scale I used is more of a sanity check. The scale is easy enough that everyone should be doing as well as Gmail.

  • Iraê said:

    I’m trying to use Facebook and Twitter over https since reading about Firesheep and this post.

    One thing I noted is that even though the tabs I opened are on HTTPS, on this very site I can be misled into sending my cookies without SSL. The “follow us on twitter” link points to plain http, and the tweet and Facebook share buttons open windows in plain http also.

    Is there a way to prevent this from happening? Any recommended browser extensions/addons?

  • George Ou (author) said:


    Until Facebook offers a fix, you might try using a forced no script option with HTTPS. That may break some functionality though.

  • Iraê said:

    @George Ou

    Using forced SSL on Facebook cripples the site.
    I’ve been redirected to the login page so many times that my account is now blocked!

    I tried using: https://www.eff.org/https-everywhere

    Except for Facebook, everything seems to work fine.

  • SiliconANGLE — Blog — Microsoft promises fix to Hotmail security this month said:

    […] asked Microsoft for a response to their failing score on my “Online services security report card” for their Hotmail service and got the response that Hotmail customers were hoping to hear.  […]

  • Facebook, Twitter Get ‘F’ for Online Security said:

    […] failing grades were given to the two sites in the “Online Services Security Report Card” created by Digital Society, a “digital think […]

  • Social Media Marketing HQ | Learn Social Media From the Industry's Brightest Minds » Facebook, Twitter Get ‘F’ for Online Security said:

    […] failing grades were given to the two sites in the “Online Services Security Report Card” created by Digital Society, a “digital think […]

  • Tech at Night: Post-Election Edition said:

    […] Random note for possible use by the readers. You may wonder how to protect yourself better against Internet snoopers like Google Street View, and even some more active forms of attack, and Digital Society has a decent-looking primer on the subject. […]

  • Facebook, Twitter Get ‘F’ for Online Security | Custom Facebook Fan Page Layouts said:

    […] failing grades were given to the two sites in the “Online Services Security Report Card” created by Digital Society, a “digital think […]

  • Facebook ganha nota zero em segurança « Junior Galvão – MVP – SQL Server said:

    […] Digital Society, a digital organization that created the security ranking of online services, evaluated which […]

  • Carlos said:

    Could you please include LinkedIn ?

  • Facebook ganha nota zero em segurança « Info 54 said:

    […] Digital Society, a digital organization that created the security ranking of online services, evaluated which […]

  • George Ou (author) said:


    Firesheep does not support Linkedin so I’ll have to test with Hamster.

  • Caroline said:

    When I type https://hotmail.com, it seems to work, also when reading and answering e-mails. The connection seems to be slower though.
    I also found a screen under Options where you can choose between https and http. But when I choose to continue in https, it says that this function is not available for my account type (?).
    Hope the javascript will be fixed soon too. I’ll keep checking this interesting blog for news on this subject.

  • Ian 'craSH' Gallagher said:

    @George Ou

    Breaking the symmetric cipher RC4 or the hashing algorithm SHA1 isn’t my direct concern (I’m not saying it’s unreasonable to consider), it’s that their preferred cipher suites in particular do not include Ephemeral Diffie-Hellman key exchange, which would provide perfect forward secrecy to a reasonably high degree.

    Without perfect forward secrecy, compromise of their private RSA key (either by stealing it, or cracking it – people currently say 1024 bit RSA will be safe for anywhere between 0 (with $250m – $1billion USD) and 5-10 more years (Moore’s Law).. read more here: http://www.rsa.com/rsalabs/node.asp?id=2007 ) means that you will be able to decrypt any past traffic that was protected using that key. So an attacker could capture your encrypted Gmail traffic now, and in the future, decrypt it if the RSA key were compromised. This is something that most people don’t realize, and it’s important for truly sensitive data (which email oftentimes may be – think government contractors, intellectual property, etc)

    I suspect we’ll discuss this in particular more in the future, it’s an interesting topic.


  • gibbs said:

    What about Friendster?

  • George Ou (author) said:


    That’s a great point! I tested it and got the same thing. It might be an indication that we’re not beta testers for this feature.

    I also found it interesting that the following applications prevent you from permanently turning on HTTPS.

    • Outlook Hotmail Connector
    • Windows Live Mail
    • The Windows Live application for Windows Mobile and Nokia

    So it would seem that those applications are stuck using HTTP for at least the payload.

  • Facebook and Twitter Flunk Security Report Card | Find Password said:

    […] Society, a self-professed security think tank, has given failing security grades to both Twitter and Facebook. Both sites are vulnerable to attacks that can give someone partial or […]

  • Attention Grabbers for 11/6/2010 » Gozamos said:

    […] Technology: Online services security report card A think tank called Digital Society has shed important light on the lacking security of ever […]

  • Facebook, Twitter, WordPress Fail Security Report Card - Donna's SecurityFlash said:

    […] Ou promised to create an online service report card that will be updated over time. For more details, see his full report. […]

  • jamal said:

    Thanks George, I mentioned your security report card here:

  • Week 44 in Review – 2010 | Infosec Events said:

    […] Online services security report card – digitalsociety.org Even though the vulnerability and easy exploitation online services have been well known since 2007, the lack of mainstream tech media coverage has allowed the online industry to sweep the problem under the rug for the past 3 years. […]

  • Facebook y Twitter obtienen una F en seguridad | GeeksRoom said:

    […] the Digital Society site developed a chart that is a kind of report card, in which it graded several […]

  • » Nyhedsrullen: Madmagasin, Wikileaks og Facebooks fejl - Tech tjek - teknologi til folket said:

    […] such as Facebook and Twitter are wide open to dark forces after user data. That is according to a new study carried out by the American Digital Society, which has looked at a number of the net’s most popular […]

  • Facebook and Twitter fail basic security test said:

    […] Flickr, and other popular websites. Riding off of the coattails of the FireSheep Firefox exploit, Digital Society has studied the basic security functions of 11 popular websites and given them grades. The results […]

  • Digital Society » Blog Archive » When aggregators bypass the source said:

    […] Van Camp posted a condensed version of my Online Services Security Report Card (which has been cited by many in the mainstream tech press) and somehow it managed to make it to […]

  • Just Learned about Firesheep | David Thayer said:

    […] That’s all well and good, but Facebook’s got my back, right? You’d think Facebook, Twitter, Amazon and Flickr would be ahead of these shenanigans. They’re not. […]

  • Cliff C said:

    What about Myspace.com? What grade does it get?

  • George Ou (author) said:

    @Cliff C

    I’ll check Myspace, but does anybody even use that anymore?

  • Facebook and Twitter Flunk Security Report Card | IT Security Standard said:

    […] Society, a self-professed security think tank, has given failing security grades to both Twitter and Facebook. Both sites are vulnerable to attacks that can give someone partial or […]

  • Netzwelt-Ticker: Facebook und Twitter versagen bei Sicherheitsprüfung | Flash News said:

    […] created, Digital Society has examined the (in)security of the most popular web applications. The devastating result: two of the most popular Internet services, Facebook and Twitter, came off worst […]

  • Pedro L. Rodriguez: Internet Privacy: It’s Between You, the Advertiser and the Platform | The Bull Report said:

    […] stellar grades from Digital Society, a “digital think tank,” which created an “Online Services Security Report Card” indicating the (in)ability of those and other sites to protect user […]

  • Escasa seguridad Facebook y Twitter | Redes Sociales said:

    […] an announcement made by Digital Society in which various aspects related to the security of various services were analyzed […]

  • Pedro L. Rodriguez: Internet Privacy: It’s Between You, the Advertiser and the Platform | KING.NET said:

    […] stellar grades from Digital Society, a “digital think tank,” which created an “Online Services Security Report Card” indicating the (in)ability of those and other sites to protect user […]

  • Internet Evolution - Editor's Blog - Fed Up With Facebook Flaws said:

    […] misused, Facebook users have no shortage of things to worry about. Digital Society, a think tank, released study results that indicate that Facebook failed a basic security test miserably, because data is largely […]

  • SiliconANGLE — Blog — BlackSheep detects IP address of amateur sidejackers said:

    […] IP addresses of FireSheep users who are most likely amateur hackers trying to sidejack (see definitions of sidejacking here) their schoolmates’ Facebook and Twitter account at a college campus somewhere.  The tool […]

  • Netzwelt-Ticker: Facebook und Twitter versagen bei Sicherheitsprüfung | Flyer Poster Werbung News said:

    […] created, Digital Society has examined the (in)security of the most popular web applications. The devastating result: two of the most popular Internet services, Facebook and Twitter, came off worst […]

  • Facebook y Twitter fallan en las pruebas básicas de seguridad said:

    […] discussing the security that services offer us over the web. The Digital Society site carried out a study a few days ago, which exposes the privacy breaches in the […]

  • Pedro L. Rodriguez: Internet Privacy: It’s Between You, the Advertiser and the Platform | Outreach Foundation Charity News said:

    […] stellar grades from Digital Society, a “digital think tank,” which created an “Online Services Security Report Card” indicating the (in)ability of those and other sites to protect user […]

  • Digital Society online services security report card | Stop Wordpress Hackers said:

    […] you’re interested in the full technical explanation of the scores, we recommend you read the original article at […]

  • Sasha Aickin said:

    Great report card here. Two things:

    1) Do we have any idea how EBay does authentication/sessions without leaking cookies over HTTP? This seems… not obviously possible to me. Most of the other schemes I’ve heard of (linking to a particular IP address, for example) seem so bug prone as to destroy usability, and aren’t necessarily secure at the same time.

    2) It’s a little funny that the https:// for this page in Chrome is crossed out. Double-clicking on it shows that the problem is that while the page is correctly served over https, some of the resources on the page are not over https (presumably the Twitter feed). But this means that the page as a whole can’t be trusted, since the resource that’s not over https could be a MITM-ed cookiejacking JavaScript. Sigh.


  • George Ou (author) said:

    @Sasha Aickin

    The JavaScript is either using SSL (even if the page isn’t using SSL) or some other scrambling scheme. Robert Graham of ErrataSec said that in the past, he’s been able to harvest the cookie by massaging it manually and then feeding it to Hamster, but he hasn’t tried recently.

    Browsers shouldn’t necessarily give an alert for partial SSL in my opinion. That’s because for bulk images and advertisements containing non-personal data (especially when it’s coming from an Ad or CDN server), it doesn’t need SSL. When browsers give too many alerts, it becomes excessive false alarm syndrome which leads to apathy.

    The problem is that even when everything on the page is SSL (and you get no browser warning), the javascript code can make calls to HTTP which leaks authentication material. So the browser SSL warning system is effectively broken since it alerts you when it doesn’t need to and doesn’t alert you when it needs to.

  • Alida Antonia Cornelius said:

    Then why isn’t your website https?

  • George Ou (author) said:

    @Alida Antonia Cornelius

    Digital Society does indeed support HTTPS, but it’s not enabled for our readers since we store none of your personal data and we don’t even know who you are. We do use SSL for our editors and authors to log in so we don’t leak our authentication cookies or credentials. Your nitpicking is irrelevant to the issues.

  • SSD said:

    Hotmail has supported “SSL browsing” since a few days ago.

    This is possible by changing http://www.hotmail.com for https://www.hotmail.com manually.
    When we authenticate, it will ask if you want it to be permanent.

  • muchas noticias de tecnología.. « Joe90KZ Si no lo se, lo busco… said:

    […] de Alcalá… For more information you can see this site that I consult constantly, which is Digital Society. So be very careful on Facebook and Twitter. In my next article I will give you some […]

  • SiliconANGLE — Blog — Microsoft ‘fixes’ Hotmail with an unusable fix said:

    […] what appears to be a response to the increased awareness from FireSheep, Microsoft has added a full SSL option for Microsoft Hotmail.  Unfortunately, it is not a […]

  • Schlechte Noten für Twitter und Facebook | Das Social Media Blog said:

    […] scathing criticism of the security standards of the messaging service Twitter and the Facebook network is leveled by the […]

  • Internet Evolution - Editor's Blog - Facebook vs. Google vs. Facebook Heats Up said:

    […] email address be enough to entice Gmail users? While we're considering that, it's worth noting that a recent report from Digital Society gave Facebook a failing grade of "F" for security while it gave Gmail an […]

  • the emily said:

    I’m not a computer person, but this was passed on to me by somebody who was after I got hijacked in my msn, hotmail, and facebook. So my question is, what do I do about it? I’ve changed my passwords, now what? How do I prevent it from happening again?

  • prowse! said:

    I totally get why facebook AND twitter are a NO regarding SSL Authentication: Initially, if one were to click on the link provided by a google search, without first checking that link, or by just merely entering “facebook.com” or “twitter.com” in your browser’s address bar – both facebook and twitter send you to their DEFAULT non-SSL pages for login.

    That is just a fact.

    The sites that are GREEN take you to their SSL login pages with NO WAY to get to a non-SSL page – at the very least, although some are using re-direct in case you try to go to http, many sites are just eliminating their http pages altogether and replacing them with https pages – most Web hosts have control panels that can change all your pages en masse; in IIS7+ you can search and replace or send a script out to find/replace all of your http to https.

    Really a no-brainer.

  • Grupo especializado em segurança dá nota ‘F’ ao Facebook e ao Twitter said:

    […] that Digital Society, a group of specialists that calls itself a “think tank”, lowered the security grades of the Facebook and Twitter sites. The two services are vulnerable to attacks that can give someone […]

  • Twitter y Facebook los malos alumnos de la seguridad de la información said:

    […] the class in security. 20/11/2010 By blaunia Tweet George Ou, of Digital Society, has put some of the most popular web 2.0 services through a security test. From Flickr to Yahoo, by way of eBay, […]

  • Facebook i Twitter nie podstawowy test bezpieczeństwa | a said:

    […] Riding off the coattails of the FireSheep Firefox exploit, Digital Society studied the basic security functions of 11 popular websites and gave them grades. […]

  • Firesheep lights a blaze under Facebook and Twitter « Is public the new private? said:

    […] who are failing to protect their users by not encrypting their sites. And shame it did. A recent Digital Society security report shows just how bad the situation is, with Facebook, Twitter and Flickr amongst those sites where […]

  • Facebook und Twitter mit Note „ungenügend“ bewertet | Verlage der Zukunft said:

    […] “How safe is my data?”. A study by “Digital Society” now provides an answer to this question. It rates both the messaging service Twitter and the Facebook network with the […]

  • FireSheep | SecurityGuy.org said:

    […] of the more interesting analysis pages I’ve seen was one which had a scorecard. At first blush it’s fairly obvious but one thing stuck out at me regarding the last part of […]

  • FireSheep i Session Hijacking - kad ti ovce spale farmu | Not A Blog said:

    […] In this text I used the term hijacking, though in this specific context sidejacking would be more correct. For an explanation of the difference between these two terms, as well as an overview of the exposure of some commonly used Internet services, see Online services security report card. […]

  • Digital Society » Blog Archive » Facebook HTTPS now works but forgot SSL authentication said:

    […] Online services security report card – Updated 2/4/2011 […]

  • steve caturan said:

    hey George,

    I’m assuming you’re already familiar with https://www.ssllabs.com/ssldb/ ? great tool, btw.

    best regards,

  • Digital Society » Blog Archive » Gmail’s new two-factor authentication improves security said:

    […] some background, Gmail did very well in my online security report card, but that likely had something to do with the fact that Google got most of the negative attention […]

  • Facebook and Twitter Flunk Security Report Card - A Geek to Go! » A Geek to Go! said:

    […] Society, a self-professed security think tank, has given failing security grades to both Twitter and Facebook. Both sites are vulnerable to attacks that can give someone partial or […]

  • Online Services Security Report Card | The Barracuda Labs Internet Security Blog said:

    […] up the last post on Firesheep, George Ou over at digitalsociety.org put together an excellent report card for some of the most popular online service websites and some explanations about some of the attack […]