Further to my previous entry “It’s A Question Of Trust”, and comments thereon, I have done a little further research into the blatant disregard for security that is the world of Web2.0 SoftwareStartups.  I appreciate a lot of these sites are cash-strapped, resource-poor, and in many cases still in Beta, but if they want people to use their services – which I’m sure they do – they’ve got to take security more seriously.  At the very least, be more open and honest about what’s happening.

To recap the last post:

Firstly I suggested that people are too trusting of websites which have no security information (e.g. no browser Padlock icon). There is a false sense of security, and a propagation of a sense of trust amongst online communities, and in many cases the trust is undeserved.  Undeserved, not because the websites are run by villains and rogues (they’re not, hopefully), but because they are not doing enough to protect your online credentials.
Secondly, I described how a couple of sites in particular were asking me to trust them with my twitter credentials, but were allowing them to be transmitted across the internet in plain text.

I received one interesting comment that stated that it’s simply too costly [for startups] to provide secure logins on their site. I can’t disagree with this, simply because although I know a fair amount about the technicalities of how this stuff works, I’ve always worked in environments where the cost of basic security is considered irrelevant compared to the cost of not having security.  Simply, I don’t know if it’s a true statement or not.

One thing that is easier to figure out is to what extent this problem exists. I visited the excellent Go2Web20.net directory, and checked out a number of the twitter-related services that it lists on that site.  It was after visiting the first five or so that I started losing faith; most of these services required me to provide my twitter credentials to them at some point, and of those that I tested, none had any encryption on the relevant pages or parts thereof.  Furthermore, it was hard if not impossible to find any further info on the individual sites about what they do with these credentials – do they store them? do they use ssl when using my credentials to access twitter?   One of the sites even claimed to be aimed at corporate users. Imagine, a service for corporate users that has no security!  I think even Roy, Moss & Jen wouldn’t let that slip through the corporate IT policy net.

Regardless of the cost involved I don’t think it’s a legitimate justification for these sites to be so blasé about security.  They should, at the very least, have something somewhere on their sites that tells me how secure they are (or aren’t), preferably on their login page.  These sites expect us to trust them; they are asking us to share our twitter credentials with them; and they should be honest about how much they are doing to protect those credentials.  After all, these are secrets that we are telling them; you wouldn’t confide in someone who’s going to repeat every word you say out loud, and that’s exactly what they are doing.  And, if they really can’t afford to pay for a secure server, maybe they should weigh up the true cost of losing the trust of their users.

Until then, I for one will be avoiding these things like the plague. And, of course, ensuring that I change my twitter password on a very regular basis.

Comments are welcome, especially from anyone involved in Web2.0 Startups.

[Note. Slightly edited the above, and the title.  It's not just Startups that are week in this area as my experiment with Digg.com has shown.]

Digg This

I’m not one of those people who’s particularly over-cautious about using the web, at least I don’t think I am.  Like many Mac users, I’m not too concerned about anti-virus software, and even on my Windows machines I have the minimum and most unobtrusive settings that I can get away with.  I don’t worry too much because my software firewalls are always running, and because I’m careful about what websites I visit, what software I download, and what or whose attachments I choose to open.

When it comes to protecting my identity online I take a similar approach; not so over-cautious that I have some really complex and unique password for every service I use, but also sensible enough to use new, one-off passwords with services that I don’t yet trust.  Perhaps most importantly I always check whether the sites into which I’m entering passwords and other data, are secure.  I always look for the padlock in my browser.

However, all too frequently these days I’m landing on login-screens that have no padlock.  The big question is, does this mean they are not secure?

The first time I encountered this on a site that claimed to be secure I was pretty worried, and contacted the site to report the problem and ask for an explanation.  It turned out that although the page itself was not secure, the login area was embedded inside a frame and was itself secured using an ssl connection.  The site in question was the now-defunct Monday Lottery.   Since then I usually go to slightly longer lengths to determine a site’s security for myself, rather than immediately firing off an email.  It makes sense to check one’s facts first, even though this practice of not securing the whole page is far from helpful in encouraging users to look out for and take notice of the padlock and other indicators.

Most of the online-services I use not only claim that ‘We Take Your Privacy Seriously’; they also seem to live up to their word.  I’m not talking specifically about the fine and complicated details about what they choose to do with my personal details, but about how well they appear to protect my details at the point of entry; i.e. when I’m entering them into the browser.  Some example sites are Facebook, Twitter, and Friendfeed; they all have un-encrypted main pages, but they are secure because the login details get posted using an ssl connection to an https url.  Similarly, such sites tend to use secure connections on any pages that contain personal details.  It’s not easy to tell this just by looking at the page in your browser; you have to delve deeper by viewing the page’s source, and to be totally sure the only way is to either to contact the site by email, or to sniff the network packets using a tool such as Wireshark.

It’s unfortunate that these ever-more complex sites seem to want to ignore the padlock convention.  I guess they have their reasons; maybe it’s just the Web 2.0 way.  But, apart from the fact that it makes it harder to tell whether sites are secure, this failure to adopt a standard approach is harmful to the Padlock convention as a whole. It’s a bit like the ‘Herd-Immunity’ argument that accompanies most discussions of the MMR Vaccine;  If it is not adopted universally then the disease will prevail.  In the case of the visibility of a site’s security the failure works like this.   I’m an avid facebook user, and I can’t live without Twitter.  Many of the top twitterers that I follow use both these tools, as well as Friendfeed, Huddle, Fav.or.it, various blogging sites, and so on.  We all trust these sites, and often rightly so as they are secure, but mainly we trust them because other people we trust also trust them. No-one is complaining about facebook security, or twitter (well, not much!), or friendfeed, and I think we take it for granted that sites that are used and recommended by others in our online-communities are similarly trustworthy.  My friends trust facebook, twitter, friendfeed, and others even though they have no padlock.  If it’s good enough for them, then it’s good enough for me!

Recently this propagation of trust has led many twitterers to sign up for the twitorfit website.  Tweets have been going out left right and center from people suggesting that their followers give them a rating.  It’s just a bit of fun, and it’s backed by two well known and well trusted web companies; Huddle.net and fav.or.it.  But, in the midst of a recent bout of security-doubt, I decided to take a look at their login screen.  Unlike most of the sites mentioned above, Twitorfit doesn’t have it’s own user database; It’s specifically designed for the twitter community, and as such uses the Twitter API and Twitter username/password to identify users.   Because of this fact, because their webpage was asking me for my twitter details, and in the light of recent security breaches at twitter, and the general consensus that twitter security as a whole has a few holes, I was slightly dubious about the lack of the padlock.  Looking further at the page source I found that it submits my twitter credentials using an unsecured connection.  And sniffing the network packets with Wireshark showed my username and password in plain text.  This is not a good thing, and as a Software Architect who thinks about security most days of the week, I found it pretty unbelievable.

Now, twitorfit is just a bit of fun, and if they had their own username/password I wouldn’t be quite so concerned. But in this case I am entrusting them with my Twitter details, and they are making a bold (and true) claim that they will not store them, but in my opinion they are not taking enough care to protect these details at the point of entry.  Ok, so it’s only my twitter username and password, and it’s not like this is going to end up with anyone getting into my banking site, or credit card site, or my amazon account, or whatever other online services I use, right. Because just like absolutely every other person on the planet I made sure my passwords on all these sites are totally and absolutely unrelated, and not guessable given even the slightest piece of knowledge…. yeah,right!

Following up on this, and knowing that twitorfit is actually built by the teams at Huddle.net and fav.or.it, I decided to put these sites to the test.  Huddle.net appears ok, using https on it’s main page.  But where things get really nasty is on fav.or.it.  They support many different ways of logging in; I can use credentials from a dozen-or-so other sites, and use them to identify my self to fav.or.it.  Quite astonishingly, if I sniff the packets when using this page I can see my details in plain text.  The excerpt below is the trace of the packets sent when I log in using a (fake, of course) wordpress account. You can clearly see the username and password that I entered (‘myUsername/myPassword’) in the last line:

POST /auth/login HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-ms-application, application/vnd.ms-xpsdocument, application/xaml+xml, application/x-ms-xbap, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Referer: http://my.fav.or.it/auth/login
Accept-Language: en-gb
Content-Type: application/x-www-form-urlencoded
UA-CPU: x86
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; WOW64; SLCC1; .NET CLR 2.0.50727; .NET CLR 3.0.04506; Media Center PC 5.0; .NET CLR 1.1.4322; InfoPath.2)
Host: my.fav.or.it
Content-Length: 45
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: favorit_anon=23f0a583606687330f1f34c680c71960g23620a; __utma=170299703.3468827689299247000.1231713511.1231713511.1231713511.1; __utmb=170299703.1.10.1231713511; __utmc=170299703; __utmz=170299703.1231713511.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); favorit_session=v2dptt26fua094kns753u3e073; __utma=75863689.3438752490060657000.1231713576.1231713576.1231713576.1; __utmb=75863689.4.10.1231713576; __utmc=75863689; __utmz=75863689.1231713576.1.1.utmcsr=fav.or.it|utmccn=(referral)|utmcmd=referral|utmcct=/

user=myUsername&pass=myPassword&type=wordpress

Quite simply put, this is outrageous and to my mind totally unacceptable.  I’m trusting this site with my details and they are falling at the first hurdle.

So, for what it’s worth, here’s my advice.

If you use fav.or.it, be very careful which credentials you use to log in.
If you use twitter, choose a unique password for your account and change it regularly…
And in general, don’t take anything at face value; sites without a padlock might or might not be secure, and sites that are trustworthy might not be as robustly secure as they ought to be.

One autumn’s day, way back when I was a child, my mother told me “Catch a leaf, and you can make a wish”.  In my innocence I believed that catching the leaf would guarantee that the wish would come true.  You could say, I was taken in by the promise of something for nothing.  And you’d think I’d have learned better by now.

But yet in a way I’m still looking out for leaves to catch; for opportunities that promise all I could wish for; for things that are so good that they are almost too good to be true.  And it’s this instinct that led me to almost get sucked in by the penny-auction website Swoopo.co.uk.  I’d seen it discussed in this news article and, being an excellent judge of character, decided that the guy who was talking was obviously being totally genuine, honest, and open, and that the negative comments about the site were probably a bit harsh.  Whilst swoopo has come under immense criticism for the way it operates, he suggested that in fact anyone can win an auction, and that people win very often by employing various clever tactics.  I had to try it for myself; being a clever guy it shouldn’t be beyond me to figure out what these tactics should be.  In actual fact, the way things turned out, it didn’t take me very long to realize that the promises of this site really are too good to be true.

The trouble with Swoopo, as discussed at length in The Register, is that it’s virtually impossible to bid on an auction with any degree of confidence that you’ll win.  Unlike ebay, where a bid in the last few seconds will give you a reasonable chance of winning, a bid in the last few seconds on Swoopo has the opposite effect; It causes the auction to be extended, allowing others to out bid you.  And this happens continually. For the novice user, that means any one-off bids you make are generally wasted.  And once you’ve figured out what’s going on, and started using the bid-butlers (automatic pickpockets that bid ‘on-your-behalf’) you realise that to win an auction you either have to be incredibly lucky, or you have to invest a lot of practice, a lot of effort, and a reasonable amount of cash.  The big problem is that the bid-butlers bid against each other, push the price up, and prolong the auction. Only when the other bidders have decided to give up are you likely to win;  And that’s where the luck comes in.  Unlike an ebay auction that has a set end time, and where you can have a reasonable guess at the final value and what is a reasonable bid, with the swoopo auction you have absolutely no idea. To win you need to bid when the auction is nearly ended, but the only way to do that is to guess, or to keep actively bidding in the auction.  And the real problem with this strategy is that the bids themselves cost you money – 40p each in fact.

It took me a tenner to prove to myself that Swoopo really is too good to be true.  Many people would describe it as a rip-off.  Perhaps the most devious thing about the whole set up is the promise of something for nothing, and the misleading information that pervades the whole site.  Whilst it may claim that you can get a £1000 imac for £35, it gives no indication of the true cost. If you think about how the bidding works, and how hard it is to win, and how much the bids cost, do the maths and it’s fairly clear that the winner of this £35 auction is likely to have spent considerably more than that on making dozens of bids at 40p a shot.

In future I shall steer well clear of sites like this  – I closed my account as soon as my bids were used up.  And before I try to catch any more falling leaves, I’ll think a bit more carefully about what they really have to offer…

My first encounter with the web, as for many of my peers, was way back in early 1993.  One of my fellow Imperial College students was sitting at a great big Sun Workstation monitor, using something that caught my eye.  It was the Mosaic browser.  Mark sat there, controlling it, exploring the all-new cyberspace, and discovering all kinds of new and wondrous things.  Around us were dozens youthful hackers, mostly still trying to grow their first beard (including some of the girls), hunched over unix command lines, probably mostly using archie, ftp, and various other beardy things that I didn’t really understand (And nor did I want too!)  The contrast was astonishing.  Yes, both groups were using the internet, but whereas the hackers were like stargazers reaching out to points far off in the galaxy,  Mark, with his Mosaic browser, was like the pilot of a spaceship. From another planet, showing me things that I’d never imagined!  Well, it was only hypertext, with the odd <img> thrown in. But it was great – you could point at things, and click on links, and before you knew it you’d gone down some wormhole of links and ended up somewhere else.  Truly amazing.

I tried it… And I hated it… none of my friends could understand why, but I think it was the feeling of agoraphobia. I was overwhelmed by the size of this space (obviously, the web was really tiny then, actually small enough to fit on this).  I felt distinctly uneasy about landing on a page in a way that is not dissimilar to waking up in an unknown village, in an unknown land, knowing nothing of its location, or of how I got there.  I had no mental-model of this ‘World Wide Web’, of it’s shape and form, or it’s boundaries; No concept of how things existed in it, and how they related to each other.  It wasn’t that I misunderstood the web (even now a lot of people don’t understand it), just that I wasn’t at ease with not knowing exactly what kind of a thing it was.  I couldn’t fit the whole structure of cyberspace-and-time in my head, so I’d just have to figure out the bits I needed.

It took me until 1994 to feel entirely happy about this, and in fact, until then there wasn’t really anything useful on the web anyway!  Since then I’ve stayed pretty much your typical web-user; I’ve visited far-off lands, brought back treasures from overseas, and even landed on new worlds – all from the comfort of my armchair. But at least now I’m happy about how I got there and where exactly ‘there’ is.

So comfortable am I with this 15 year-old technology that I’ve finally decided to create a blog. And here it is. Welcome to Dom’s World (ah, thats been taken. How about ‘Sparkology‘, no it’s not that either!). Dum-di-dum…. Ah well, anyway, this is my blog, and you’re welcome to it. For what it’s worth…