09/09/09 - Are US social sites
up to the task of spreading freedom?
Seattle, Wash. — Sept 9, 2009 — We have entered a new phase of dependence on the internet. We have moved beyond consumer oriented shopping sites, addicting puzzle places, and social networking platforms. The internet has become the default platform to rally support for political candidates, voice dissent with the status quo, expose governmental misdeeds, spread news from citizen to citizen, and, if necessary, plan civil disobedience. These are the very underpinnings of civil society and governance. Sure it is nice to search Amazon for a new movie to buy, but that pales in comparison when you can participate in the debate and election of a new president.
In the United States we take for granted the protections of the 1st Amendment, and have designed our web sites accordingly, with little to no privacy protections built in. Everything has been designed to protect your credit card digits, not the expression of your communications.
This does nothing, for example, to help protect protesters in Iran who rely on U.S. social sites to spread news about their contested election. The only thing encrypted with SSL protection is their password when they log in to a site. After that every post they write, every friend they make, and every gathering they plan can be recorded and accessed weeks or months later if the authorities feel like rounding up "social agitators." The log in page of all the sites they poured their hopes and dreams into have a pretty lock icon on it, suggesting privacy and security, but in reality their activities were neither.
This is the world we live in. No major social, blog, or email site uses encryption for all their communications. On most sites it isn't even an option, and when it is, the setting is often located in a hard to find location. This might have been good enough when the web was a novelty and your activities of little consequence if monitored. Unfortunately, those days have been gone for a while and just now the consequences are starting to sink in... at least in Iran, or even more recently China.
The old arguments against doing nothing hold no weight. Yes, SSL encryption takes additional computer processor resources, but CPU power has become a cheap commodity and dedicated SSL accelerator costs are in the hundreds of dollars. User's computers and browsers have become faster eliminating almost any lag associated with the initial setup of SSL protection. It can no longer be claimed that it is too expensive an option.
I call on all major social sites, email providers, blog spots, photo hosting services, and chat platforms to enable SSL security as the default behavior for all communications. You already use this technology to protect your user's passwords. You openly encourage your users to share personal details, pictures and stories about themselves and their families. Because of this you have a social responsibility to expand the use of SSL to protect both the privacy and political freedom of your users in a simple and seamless fashion. Just like the expectation of having airbags in cars is the norm, it is now time to make privacy and security the default, not the exception.
Founder of DEF CON and Black Hat
The BlackPage is always looking for concise and interesting comments from researchers and experts about issues that affect the security community. Contact us to learn more about submission rules.
Black Hat USA 2009
Las Vegas, NV
Training July 25-28
Briefings July 29-30
Black Hat USA Briefings Main page is online now.
Find out about our 2009 venue, Caesars Palace.
Black Hat Webcasts
On the third Thursday of every month, Black Hat does a free infosec webcast. Meet security thought leaders and get your questions answered.
Can't make it to our live webcast events? Subscribe to the Black Hat Webcast RSS feed and take the webcasts with you in podcast form.
Black Hat Social
LinkedIn members can join our Black Hat Group and post news articles of interest to the community, make connections and discuss security topics.
We have a Facebook fan page now. Please check us out there - share your ideas, your photos, and your videos with us.
Check out our Black Hat photostream. Comment. Contribute. Got great pix? Share with the community.
Find out what's going on with Black Hat in real time by following us on Twitter. Meet other Black Hat speakers and attendees, share what matters to you.
When something in the news catches our eye at Black Hat HQ, we post the link on Delicious.