Facebook insecure by design

Hi Tim, how long have you been in that position (IT Security Manager)?

Are you self-employed or running your own limited company?

What areas of knowledge are you mostly interested in? Whereabouts are you based? What do you think the role of an IT Security Manager is about?

Going back to the initial security problem identified by Williams, I also
experienced something today. I guess he is right about that. I am behind a
proxy and I just disabled the proxy for "Secure Web" which means HTTPS.
Now guess what: I was still able to access Facebook while I was not able to
access Google. That clearly means there is something wrong. What do you guys
think?
Ghulam

Just about everything on Google pages is https these days, even search if
you enable it.

If anybody on this thread uses gmail.com, you really ought to take a look
at google plus. Compare the way user privacy is the primary objective,
versus the share everything by default of facebook.

I cannot think of anything that could do something like this in the Gmail or
Plus products.

[hmmm this subject is not really ops now is it...]

> Just about everything on Google pages is https these days, even search if
> you enable it.

(or just use https://encrypted.google.com which is available for quite
some time already)

> If anybody on this thread uses gmail.com, you really ought to take a look
> at google plus. Compare the way user privacy is the primary objective,
> versus the share everything by default of facebook.

Since when is encrypting a transport (in this case using TLS/SSL) 'user
privacy' ?

The only thing it is protecting is intermediate networks sniffing or
even modifying the traffic and more importantly for the company who gets
all your private information: their revenue stream when they sell that data.

And really, giving all your private emails to a company that explicitly
reads them (even if it is 'automated') to advertise to you and then
mentioning 'user privacy' is just ridiculous ;)

Greets,
Jeroen

Note that Lauren Weinstein has just put out a Privacy Digest posting noting
that the referer behavior differs between https://encrypted.google.com and
https://www.google.com in a way that implies that, again, someone at Google
may not have gotten the Don't Be Evil memo...

  http://lauren.vortex.com/archive/000906.html

Cheers,
-- jra

I follow Lauren on plus, and also on buzz, and we have discussed privacy
stuff a lot.

The way I look at it, unless you want to host everything yourself, you have
to choose "someone" to be your Unix like home directory in the cloud.

Of all the internet entities out there, Google has had the best track record
of protecting your data. You can even download it all and erase yourself if
you want out.

Apps accounts and pseudonym accounts are coming soon. It was announced by
Vic himself at web 2.0.

I need to send that post by Lauren to the gmail account. He always finds
good issues. It could be that I am off base.

That was a most excellent example Jay. I see what the issue is now.

This could be related to work Google did to plus shortly after launch. Buzz
and now Google+ are https only. Google cooked up a URL processor that took
clicks to external content like article links, and massaged the referrer to be
readable as http to show where the visitor came from. Sanitized of any
personal data I assume.

The problem they were trying to fix was no one knew any users were coming
from Buzz clicks. They fixed that in +. I am thinking something of the same
might fix the search issues. It could also be that a Googler saw Lauren's
post and the debate has already started.

-steve

Date: Sun, 23 Oct 2011 21:45:33 -0700
Subject: Re: Facebook insecure by design
Cc: nanog@nanog.org

> The way I look at it, unless you want to host everything yourself, you have
> to choose "someone" to be your Unix like home directory in the cloud.

Correct. Either it's 'local', or it's "somewhere else" -- by definition. :-)

> Of all the internet entities out there, Google has had the best track record
> of protecting your data.

As far as we know, that is.

Remember the old saying about 'undiscovered bugs'. <wry grin>

> You can even download it all and erase yourself if
> you want out.

Don't count on it. You may 'disappear' from public view, but that does
not necessarily mean the data is truly 'gone'. Specific example -- if you
request a USENET posting to be removed, all they do is make it 'invisible'
to the world. It is _not_ removed from the databases, or from internal
access/use.

The real question is why the referrer field was not under user control
in the first place. Having to never click on a link, but rather to
cut and paste it into the address bar is not a satisfactory work-around.

Still, why has it not been put under user control, now that we have a better
appreciation of the hazards of that information leakage?

> > You can even download it all and erase yourself if
> > you want out.
>
> Don't count on it. You may 'disappear' from public view, but that does
> not necessarily mean the data is truly 'gone'. Specific example -- if you
> request a USENET posting to be removed, all they do is make it 'invisible'
> to the world. It is _not_ removed from the databases, or from internal
> access/use.

That is a very good point, and one of the things that is being tested now
that Buzz is going into archive mode. Users are given the option of backing
up their posts on Buzz, and then deleting their Buzz content. Many like
myself will just leave it there. It is a year+ of history, and what I posted
publicly can stay public.

It is supposed to remove all your Buzz content from the service and I
believe it includes the content shared only with certain individuals. It
does not completely erase it, because I believe email copies of the posts
and comments that people had sent to their Gmail accounts will remain with
those users.

Deleting a product like your Picasa web albums is permanent as far as I
know, but I will definitely ask some people on the Picasa team. Deleting
your search history and other Dashboard items is supposed to be permanent,
but as you pointed out, we are taking Google's word for it.

--steve