Slow implementation of SSL security puts LinkedIn users at risk

Security researchers recently found that despite warnings about its data protection, social networking platform LinkedIn could still be putting users at risk.

According to CSO contributor Steve Ragan, one security firm contacted the company over a year ago to warn about the repercussions of its lax attitude toward safeguarding users' sensitive information. Despite six attempts in the last 12 months by the security company to encourage LinkedIn to bolster its protections, the organization would only share sparse details as to when and how it was planning to roll out its SSL security measures across the platform to address protection concerns.

Without proper SSL and encryption measures in place, the platform was potentially putting its users at risk of data hijacking through a hacking technique known as a man-in-the-middle attack, according to Computerworld contributor Jeremy Kirk. Since LinkedIn doesn't currently have full encryption in place to protect users' authentication credentials and other sensitive data, a user's entire session could be snooped upon by malicious third parties through this type of attack.

"When a person attempts a SSL encrypted connection, the attacker 'strips' out the HTTPS attempt, replacing it with an http connection, enabling the collection of the person's authentication credentials," Kirk wrote.

HTTPS by default

Although LinkedIn reported late last year that it was working to encrypt all user sessions, it still has a ways to go. However, all U.S. and Europe-based traffic is now carried out over HTTPS connections by default. On that basis, LinkedIn spokesperson Nicole Leverich noted that the data protection concerns raised by the security firm do "not impact the vast majority of LinkedIn members given our ongoing global release of HTTPS by default."

On the other hand, the security firm pointed out that with a user's authentication credentials exposed, hackers could impersonate the individual, leading to a host of other problems like phishing attacks.

"Every single user we tested was vulnerable to this attack," the security company stated. "In addition, this vulnerability doesn't just exist when an attacker is on the same network as the target - if an attacker has already compromised a device, once that device enters a different network, the attacker can use the victim's device to attack other users on the same network."

However, with proper encryption protection in place through the use of an SSL certificate, users' authentication credentials and other sensitive information are rendered unreadable to any malicious third-party viewers.

Protect data in transit with an SSL certificate today.
