HR wants your password? Be careful…

There have been a number of articles recently covering the practice of prospective employers requesting access to social media sites, personal email accounts, or other deeply personal stores of information.

Despite this being an egregious violation of privacy, it is a growing practice, and one that requires clear guidance and regulation or legislation to protect users. The good news is that the tech industry doesn’t need to wait; most of the major players have clearly defined policies which forbid this practice.

Facebook asks its users to commit not to share their passwords or accounts as part of their “rights and responsibilities” which stands in place of the terms of service. LinkedIn has a similar requirement in theirs. I am not going to do an exhaustive survey, but it is highly likely that these terms are included in most others as well.

These service providers should clearly and publicly respond to this usage pattern and inform businesses that if they continue this unethical (and potentially illegal) activity, they will be blocked from accessing the services.

Although they have little commercial incentive to do so, social media sites should also take technical measures to detect users who are granting access to 3rd parties and actively warn them that they may be violating the terms of service.

A few strategic short-term bans on users who grant this type of access would create a world of hurt for recruiters and compel users to refuse to participate in this behavior.

Securing BrowserID

This post is cross-posted from the Mozilla Web Application Security blog.

One of the important projects that Mozilla has been building in 2011 is BrowserID, a user-centric identity protocol and authentication service. Significant work has gone into building out and testing the infrastructure and protocol to make sure that it is a robust, open, and simple-to-adopt authentication scheme. If you want to learn more about BrowserID, here is a quick 12-minute video that explains what it is and why we are doing this.

BrowserID continues to evolve as we build support for it across Mozilla properties and encourage adoption by 3rd parties. To date there are almost 1000 different websites that rely on BrowserID, but we still have a long way to go to see large-scale adoption!

Much of the effort we have put into reviewing the protocol and implementation of BrowserID is discussed in a recent presentation, a recording of which can be found below:

[Slides: html | html(zip) | pdf]

In addition to ongoing application and infrastructure security work in the next year, we are aiming for two significant milestones in 2012. First, we will engage two third-party security reviews: one of the BrowserID.org site, and one of the cryptography used in BrowserID (including the protocol, the algorithms used, and the libraries we are relying on). Our objective in commissioning the third-party reviews is to remain as transparent as possible in the development and review of the security aspects of BrowserID. This commitment to transparency includes:

  • opening up currently closed security bugs as the issues are resolved
  • publishing the results of the 3rd party review once high risk issues are addressed

As we proceed with this effort we will publish additional information on this blog, and we will work to keep the community up to date at each stage of progress.

Second, once we have completed the 3rd party review, resolved the issues identified, and published the results, BrowserID.org will become one of the properties fully covered by the Bug Bounty program (as always, exceptional bugs reported for sites that are not covered will be considered for bounty nomination).