Justin du Coeur (jducoeur) wrote,
Justin du Coeur

Facebook not quite as secure as one might wish

Well, that’s ruefully amusing. When I went to sign into Facebook a bit ago, IE gave me a warning that the security certificate was from an untrusted signing authority. When I actually dig into the details, the cert has been signed by “cybervillains.com” – which doesn’t have much information, but which *claims* to be an imprint of iSEC Partners (www.isecpartners.com), a security firm.

So I *think* what’s happened here is that Facebook hired iSEC to test their security perimeter, and they found that it’s actually pretty weak – iSEC was able to break into the site and substitute their own cert in place of Facebook’s authentic one. Which makes me happy that Facebook is conducting this sort of security test, but less happy that they appear to publicly failed it…

[ETA: Having already gotten one friend request from posting this, I should note that I don't actually *use* Facebook except for work -- we're doing some sample apps in Facebook. So you're welcome to friend me, but don't expect anything interesting there...]

[ETA 2: I got a note from the fellow who actually wrote the tool in question, which *is* a security tool, but it's intended for interception and monitoring of SSL traffic. His take on it is that Zing is probably being attacked, fortunately by someone too stupid to hack the credentials on the program to something plausible-sounding -- the "Cybervillains" moniker was specifically to alert anyone who gets it that it's fake. So the moral of the story is, pay attention to certs that are presented to you, and if it sounds suspicious, refuse it...]
Tags: programming, security

  • Post a new comment


    Anonymous comments are disabled in this journal

    default userpic

    Your reply will be screened

    Your IP address will be recorded