] Defenses lacking at social network sites
]
] Sites like LiveJournal and Tribe are poised to be the
] next big thing on the Web in 2004, but their security and
] privacy practices are more like 1997.

I'm not sure SSL is really all that useful. It would prevent people from stealing your password over the wire, but I don't think most of these attacks are sniffing related. It would also allow you to authenticate that you are entering your password on my site, but I think most people who would fall for a phoney login would still fall for it. I'll bet if you offered it for a small fee few would buy.

People get into your account because they guess your password, or because you leave yourself logged in and then your friends come over and use your computer, or because you use the same password all over the place. There isn't much that I can do about these attacks as a site manager.

I need YOU to use client certificates to log in to my site, and you need to keep your certificate on a smart card or iButton that stays on your person. Is anyone using technology like this? Would you want to use it to access MemeStreams if it was available? What do you think?

SecurityFocus HOME News: Defenses lacking at social network sites