Establishing Digital Trust: Don't Sacrifice Security for Convenience
The whipped cream is out of the can. Now what can we do about it?
Like so many millions of others, I've found Facebook and Twitter in the last few months, in addition to the more traditional professional networking sites I've used for years, like LinkedIn. But what started as idle curiosity soon grew into addiction.
Yes, my name is Ken and I'm addicted to ... But gosh darn it, they're fun! I've re-connected with many old friends, and I like knowing what they've done with their lives. OK, we're not likely to become best friends again, but I still value that connection we've made again.
So, how secure are these sites?
I've experienced several classic Web security issues in each of the sites I frequent, and without a doubt there remain many vulnerabilities to be discovered. But that hasn't stopped me from using them.
Like any decision involving risk, I've studied the issues, minimized my own exposure, and I'm getting on with what I care to do.
Let's start by looking at the issues briefly.
Web apps: Well, for starters, they are Web applications, and as such they're potentially vulnerable to a plethora of issues, from the OWASP Top-10 and beyond (and yes, there are far more than 10).
And don't think for a moment that all web application vulnerabilities solely place the application at risk. Many also put the app's users at risk: cross-site scripting (XSS), cross-site request forgery (CSRF), and others can be used to attack the users quite easily.
As a user of a social networking site, you're placing your (and your employer's) data at risk.
Active content: Long-time readers of this column (hi Mom!) have heard me talk about the dangers of active content many times.
The bottom line: by allowing active content into your browser, you are trusting someone else's code to run safely on your computer. Well, what's the big deal? We do that all the time. Well, now the code is dynamic and maintained somewhere else, and you're trusting it every time. Gulp!
But your browser isn't so discerning. Some of the stuff that comes into it while you're on Facebook might be provided by someone else: another Facebook user, an attacker, or a third-party application on Facebook. If your browser trusts Facebook, chances are it's also going to trust that code. This extends the active content exposure pretty substantially.
User-supplied content: Users put all sorts of content into their own profiles: URLs pointing to cool sites, photos, etc. If they link to something dangerous, perhaps inadvertently, and you click on it... Well, you get the drift.
Third-party applications: Most of the popular social networking sites have a third-party application interface for companies to generate their own content. Most of it is pretty innocuous and in the spirit of good clean fun, like a little app that lets you throw a virtual snowball at someone else. But, again, it extends that trust boundary in ways you might not want.
All of these things come with levels of risk. The double whammy that I see is the active content combined with the expanded domain of trust. There's a cross-site scripting launch pad in that combination if ever there were one.
When I've written about browser security (as in this comparison of IE vs. Safari vs. Firefox), I've advocated browser plug-ins like NoScript to give the user a level of control over active content. The problem is that this only provides a partial solution on social networking sites.
NoScript either trusts a domain or it doesn't. Clearly, that's not granular enough for all issues.
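To make the "launch pad" concrete, here is an added example (my own illustration, not code from any social networking site) of how a profile field that a site renders without encoding becomes active content for everyone who views it, and what the site has to do instead. The profile values are constructed samples; the renderer, escaper and checker function names are made up for this example. It runs under Node.js with no browser, returning HTML strings so the difference is visible.

```javascript
// Added example: user-supplied profile content rendered unsafely vs. safely.
// Constructed sample profile: the kind of thing a user (or an attacker who
// registered as one) can type into their own profile.
const sampleProfile = {
  name: 'Pat <script>alert(document.cookie)</script>',
  about: '<img src=x onerror="alert(1)">',
  website: 'javascript:alert(1)',
};

// Vulnerable renderer: raw string concatenation. Whatever the user typed
// becomes markup, and therefore code, in every viewer's browser.
function renderProfileUnsafe(profile) {
  return `<h2>${profile.name}</h2>` +
         `<p>${profile.about}</p>` +
         `<a href="${profile.website}">homepage</a>`;
}

// HTML-encode the five characters that can change document structure.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// Only http(s) links are allowed in an href; javascript:, data: and the like
// are replaced with a harmless placeholder rather than rendered.
function safeHref(candidate) {
  try {
    const u = new URL(String(candidate));
    if (u.protocol === 'http:' || u.protocol === 'https:') {
      return escapeHtml(u.href);
    }
  } catch (_) { /* not an absolute URL at all */ }
  return '#';
}

// Hardened renderer: same layout, but user text is encoded and links validated.
function renderProfileSafe(profile) {
  return `<h2>${escapeHtml(profile.name)}</h2>` +
         `<p>${escapeHtml(profile.about)}</p>` +
         `<a href="${safeHref(profile.website)}">homepage</a>`;
}

// Detection helper: scan the rendered markup's tags for anything executable
// (a script element, an on* event handler, or a javascript: href).
function containsActiveContent(html) {
  const tagRe = /<([a-z][a-z0-9]*)\b([^>]*)>/gi;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const [, tag, attrs] = m;
    if (tag.toLowerCase() === 'script') return true;
    if (/\bon[a-z]+\s*=/i.test(attrs)) return true;
    if (/href\s*=\s*["']?\s*javascript:/i.test(attrs)) return true;
  }
  return false;
}

console.log('unsafe carries active content:', containsActiveContent(renderProfileUnsafe(sampleProfile)));
console.log('safe carries active content:  ', containsActiveContent(renderProfileSafe(sampleProfile)));
```

The point is the trust boundary: the viewer's browser trusts the site, so it runs whatever the site hands it, including the bits the site merely relayed from another user. Output encoding and link validation on the site's side are what keep the relayed bits from being code.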
So, what can we do to protect ourselves? Here are a few tips to consider:
Continue to run NoScript and those other browser security steps:
They're far from obsolete!
Be a bit choosy about your friends:
Easier said than done, but at a minimum, I suggest only accepting friend connections from people you directly know. Of course, they'll come with varying levels of technology cluelessness, but it's still not a good idea to be friends with anyone who figures out how to send a request to you.
Be more than a bit choosy about your apps:
If you have the ability to decide what apps you run and allow within your social networks site, be choosy. Do you really need every cutesy app that comes along?
Wait a couple of days to see what people (and the media) say about an app before deciding to dive in. If the app has problems, often it's the early adopters who will find them.
Turn up the privacy controls: Pretty much all the social networking sites allow you to tune your own privacy controls. Turn those up to high. Only allow people in your ring of accepted friends to view your information.
Don't click on links willy-nilly:
When friends send you links to sites, apps, etc., don't just click on them. Hover your mouse over the link, look at it in its entirety, see what data is going to be passed to it, and then decide. You might even cut and paste the URL into another browser and go there separately.
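"Look at it in its entirety" is easier with a checklist, so here is an added example (mine, not part of the original column) that does the hover-and-inspect step programmatically: given a link's visible text and its real href, it reports the true host, the path, and every piece of data the query string hands over, and flags the things worth pausing on. The links are constructed samples using reserved example domains; the function name is made up for this example. It runs under Node.js.

```javascript
// Added example: inspect a link the way the tip above describes, before clicking.
// Constructed sample links: the first is honest, the second passes data along
// (including another URL), the third shows one host and goes to another.
const sampleLinks = [
  { text: 'https://www.example.com/photos',
    href: 'https://www.example.com/photos?album=42' },
  { text: 'Check out my vacation pics!',
    href: 'http://example.net/app?uid=12345&token=abc&next=http://evil.example' },
  { text: 'https://www.example.com/login',
    href: 'https://www.example.com.evil.example/login' },
];

function inspectLink(link) {
  const url = new URL(link.href);
  const params = Object.fromEntries(url.searchParams.entries());
  const warnings = [];

  // Plain http means anyone on the path can read or alter what is passed.
  if (url.protocol !== 'https:') warnings.push('not https');

  // Visible text that looks like a URL but points somewhere else entirely.
  let shownHost = null;
  try { shownHost = new URL(link.text).hostname; } catch (_) { /* text is not a URL */ }
  if (shownHost && shownHost !== url.hostname) {
    warnings.push(`text shows ${shownHost} but link goes to ${url.hostname}`);
  }

  // A query value that is itself a URL is the classic open-redirect shape:
  // the site you trust may bounce you onward to one you don't.
  for (const [k, v] of Object.entries(params)) {
    if (/^https?:\/\//i.test(v)) warnings.push(`parameter "${k}" carries a URL`);
  }

  // Parameters named like identifiers or secrets are data being passed about you.
  for (const k of Object.keys(params)) {
    if (/^(token|session|sid|auth|uid|user)$/i.test(k)) {
      warnings.push(`parameter "${k}" looks like an identifier or secret`);
    }
  }

  return { host: url.hostname, path: url.pathname, params, warnings };
}

for (const link of sampleLinks) {
  console.log(JSON.stringify(inspectLink(link), null, 2));
}
```

Nothing here decides for you; it just lays out what the browser would quietly do on a click, which is exactly what hovering is supposed to show you. The host check is the one most people skip: "www.example.com.evil.example" is a subdomain of "evil.example", not of "example.com".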
Log out of other apps and sites:
To the extent possible and feasible, don't run other Web apps while you're on your social networking site. Shut down your browser completely, restart it, do your social networking for the day, and then log out. There are good and valid reasons for this that I'll cover in a future column, but for now, trust me on this.
So that should arm you with a few tips to consider. There's still risk involved with using these sites, and there always will be. You need to decide for yourself whether the risks are worth whatever value you perceive in using the sites.
As for me, I sure wouldn't give up my Facebook account without a fight.