Menu
LinkedIn called out on slow implementation of default SSL

LinkedIn called out on slow implementation of default SSL

Zimperium said some users are at risk, but LinkedIn claims the issue doesn't affect the majority of users

LinkedIn said it is making progress implementing default encryption of data exchanged with its users after a security company alleged some users are still at risk of account takeovers.

San Francisco-based Zimperium, a mobile security company, wrote on its blog on Wednesday that it is still possible to hijack some LinkedIn users' account networks using a technique called SSL stripping.

The technique involves a man-in-the-middle attack where a hacker is watching a victim's Internet traffic, which is possible in public places such as a coffee shop where the victim is connected to a Wi-Fi hotspot.

When a person attempts a SSL (Secure Sockets Layer) encrypted connection, the attacker "strips" out the https attempt, replacing it with an http connection, enabling the collection of the person's authentication credentials.

The attack is possible against LinkedIn because it doesn't fully encrypt an entire user's session over SSL. LinkedIn always initiates an SSL connection when a person submits their login credentials, but in some regions of the world, flips the connection to an unencrypted one over http.

LinkedIn said in December it was in the process of making all user sessions fully encrypted. That work isn't quite done yet, although last week it said all traffic served to U.S. and European users is now served by default over https. Since 2012, LinkedIn users have had the option of changing their security settings to full https, but many might not have known about the setting.

Moving to full https is no easy task, and LinkedIn described some of the challenges it was facing in a blog post in December. Among those issues were increased latency, support by various content delivery networks for https and scaling issues.

LinkedIn's upgrade is one many other services have made. Google offered full https connections as an option for Gmail in 2008, but two years later made it the default. Facebook moved its service to https by default in January 2011.

LinkedIn spokeswoman Nicole Leverich wrote via email that the issue described by Zimperium "does not impact the vast majority of LinkedIn members given our ongoing global release of https by default."

In the meantime, users should turn on full-site https by going into their settings, clicking on the "account" tab, then going to "manage security settings" and checking the appropriate box.

Send news tips and comments to jeremy_kirk@idg.com. Follow me on Twitter: @jeremy_kirk


Follow Us

Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

Tags internetLinkedInInternet-based applications and servicesZimperium

Events

Featured

Slideshows

Meet the Reseller News 30 Under 30 Tech Awards 2020 winners

Meet the Reseller News 30 Under 30 Tech Awards 2020 winners

This year’s Reseller News 30 Under 30 Tech Awards were held as an integral part of the first entirely virtual Emerging Leaders​ forum, an annual event dedicated to identifying, educating and showcasing the New Zealand technology market’s rising stars. The 30 Under 30 Tech Awards 2020 recognised the outstanding achievements and business excellence of 30 talented individuals​, across both young leaders and those just starting out. In this slideshow, Reseller News honours this year's winners and captures their thoughts about how their ideas of leadership have changed over time.​

Meet the Reseller News 30 Under 30 Tech Awards 2020 winners
Reseller News Exchange Auckland: Beyond the myths — how partners can master cloud security

Reseller News Exchange Auckland: Beyond the myths — how partners can master cloud security

This exclusive Reseller News Exchange event in Auckland explored the challenges facing the partner community on the cloud security frontier, as well as market trends, customer priorities and how the channel can capitalise on the opportunities available. In association with Arrow, Bitdefender, Exclusive Networks, Fortinet and Palo Alto Networks. Photos by Gino Demeer.

Reseller News Exchange Auckland: Beyond the myths — how partners can master cloud security
Reseller News welcomes industry figures at 2020 Hall of Fame lunch

Reseller News welcomes industry figures at 2020 Hall of Fame lunch

Reseller News welcomed 2019 inductees - Leanne Buer, Ross Jenkins and Terry Dunn - to the fourth running of the Reseller News Hall of Fame lunch, held at the French Cafe in Auckland. The inductees discussed the changing face of the IT channel ecosystem in New Zealand and what it means to be a Reseller News Hall of Fame inductee. Photos by Gino Demeer.

Reseller News welcomes industry figures at 2020 Hall of Fame lunch
Show Comments