Articles in the Privacy & Security Category

Internet, Privacy & Security

23 Mar 2011 | 6 Comments
Comodo compromise demonstrates need for DNSSec migration

Comodo, a company you have probably never heard of, which holds one of the many master keys to the Internet’s SSL X.509 Public Key Infrastructure (PKI) system, admitted that their root certificate authorities have been compromised by attackers.  Those attackers issued themselves SSL certificates for seven companies, including Google, Skype, and Yahoo, so they can fully masquerade as one of the seven companies with legitimate-looking SSL certificates.  Comodo responded by revoking those certificates, but that won’t offer full protection until every device on the planet replicates the revocations and we have …

Privacy & Security

15 Mar 2011 | One Comment
Twitter adds HTTPS mode, but no HTTPS sign-in

Twitter is responding to mounting pressure after some high-profile account compromises by allowing customers to opt in to an always-on secure HTTPS SSL mode.  Unfortunately, I doubt most people will go to the trouble of opting in through the security settings.  Since HTTPS is virtually cost-free to operate continuously for websites that already support HTTPS, Twitter should simply default to an always-on HTTPS setting without requiring users to opt in.  Facebook recently adopted a similar opt-in security strategy, and the criticism applies to them as well.
The other big problem that …

Privacy & Security

3 Mar 2011 | 2 Comments
Ashton Kutcher meets Firesheep, twitter hacked

It appears that Ashton Kutcher has become a high-profile victim of Twitter’s negligence when someone at the TED conference hijacked Kutcher’s Twitter account using tools like Firesheep.  The Twitter PR account @TwitterGlobalPR tweeted that Kutcher should have enabled SSL by typing HTTPS in front of twitter.com, but that deflects from the fact that it’s Twitter’s responsibility to keep their users safe.  I and other security experts have warned for years that online services need to enable HTTPS SSL security by default and without requiring the user to manually turn …

Digital Insight, Privacy & Security

28 Feb 2011 | 5 Comments
Someone in DC cares about online security

I’ve been hammering popular online services like Facebook and Twitter for months for their utterly weak efforts to protect consumers, so I was pleased to hear that Senator Chuck Schumer has joined the fight. Some of the worst online services in my online security report card were served letters by Senator Schumer asking them to turn SSL security on by default.

Privacy & Security

4 Feb 2011 | 8 Comments
Facebook HTTPS now works but forgot SSL authentication

Facebook’s new full SSL feature finally works three years after it became widely known that Facebook user accounts were easily hijacked. Unfortunately, their update still won’t fully protect Facebook users because Facebook forgot to deploy HTTPS authentication on the user login page.

Privacy & Security, Research

3 Feb 2011 | One Comment
Research: Do Not Track

Hillicon Valley reports that Rep. Jackie Speier (D-CA) will introduce legislation dealing with online privacy next week. The legislation will provide an “opt out” for individuals that do not want to allow advertisers to track them.

Privacy & Security, Research

1 Feb 2011 | 3 Comments
Three Concerns on Facebook’s Coming Comment System

Athima Chansanchai has an expanded report on CNET’s Caroline McCarthy’s story on Facebook’s move to take over the Internet’s commenting systems.

Digital Insight, Privacy & Security

26 Jan 2011 | 6 Comments
Facebook finally adds HTTPS, but still broken

Facebook announced that they’ve finally added secure web browsing for Facebook, 2 months after the release of the Firesheep tool that made it trivially easy to hack Facebook accounts.  That prompted me to give them an “F” in security, which was widely cited in the media.  But there are some major problems with this update from Facebook.  First, the feature doesn’t work yet even though they’re saying it’s available as of today, and I can’t enable the “always enable HTTPS whenever possible” option under account settings.  Second, the feature should …

Privacy & Security

21 Jan 2011 | One Comment
Did Microsoft Offer PS3 Hacker Win7 Phone To Thwart Piracy?

Microsoft attempts to recruit iPhone and PS3 hacker George Hotz as a “developer”.

Privacy & Security, Research

13 Sep 2010 | One Comment
Research: I Can Stalk U

The ICanStalkU.com website was created in 2010 by Jackson, Pesce, and Mayhemic Labs in order to show individuals the information they may inadvertently be sharing online that they normally would not share because of privacy concerns.