Thursday, January 27, 2011

HTTPS & Cookies

Let's face it, everyone wishes they could surf the web anonymously without leaving any traces, but the reality is that YOU CAN'T!

Privacy is really important, yet most popular websites still use HTTP instead of HTTPS; the main reason they are still using this protocol is probably a question of money, or they are just plain stupid. Back in October 2010, Eric Butler released Firesheep, a little tool that serves the purpose of demonstrating just how EASY it is to hijack an HTTP session: you could take over an entire Facebook account in a matter of minutes. Today Facebook finally announced that it will now offer fully secure data transmission via SSL for all its pages, not only during log-in.

This is good news for the web, but what we really need is full end-to-end encryption; this is the only way to avoid cookies being captured. In a world where everyone shares their stories and pictures on the web on all kinds of social networks, the last thing we want is a "hacker" (no need to be a hacker to hijack an HTTP session nowadays...) intercepting our cookies and then doing all kinds of stuff to our account, or even worse, impersonating us on the web. SSL is very important for the future of Web 2.0, and if security can't keep up with the hacker scene, then we are in big trouble.
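The leak described above happens because a session cookie set without the Secure attribute is replayed by the browser on every plain HTTP request, where anyone on the network can read it. As an added example (not code from the original post), here is a small audit of Set-Cookie headers that flags such cookies; the header values and the session cookie name "sid" are constructed for illustration.

```javascript
// Added example (not code from the original post): audit Set-Cookie headers for the
// attributes that keep a session cookie out of cleartext HTTP traffic.

// Parse one Set-Cookie header value into name, value and its attributes.
function parseSetCookie(header) {
  const parts = header.split(';').map((p) => p.trim()).filter(Boolean);
  const eq = parts[0].indexOf('=');
  const cookie = {
    name: eq === -1 ? parts[0] : parts[0].slice(0, eq),
    value: eq === -1 ? '' : parts[0].slice(eq + 1),
    secure: false,
    httpOnly: false,
    attrs: {},
  };
  for (const attr of parts.slice(1)) {
    const i = attr.indexOf('=');
    const key = (i === -1 ? attr : attr.slice(0, i)).toLowerCase();
    const val = i === -1 ? true : attr.slice(i + 1);
    if (key === 'secure') cookie.secure = true;
    else if (key === 'httponly') cookie.httpOnly = true;
    else cookie.attrs[key] = val;
  }
  return cookie;
}

// Report, per header, why a cookie could leak. Without Secure the browser
// replays the cookie on every plain http:// request to the site, which is all a
// passive sniffer on the same network needs; without HttpOnly a session cookie
// is also readable by any script running in the page.
function auditSetCookies(headers, sessionNames) {
  return headers.map((h) => {
    const c = parseSetCookie(h);
    const session = sessionNames.includes(c.name);
    const issues = [];
    if (!c.secure) issues.push('sent over cleartext HTTP (no Secure)');
    if (session && !c.httpOnly) issues.push('readable from JavaScript (no HttpOnly)');
    return { name: c.name, session, issues };
  });
}

// Constructed sample: a login response that sets a session cookie (once
// without and once with Secure) and a harmless preference cookie.
const SAMPLE_HEADERS = [
  'sid=abc123; Path=/; HttpOnly',
  'sid=abc123; Path=/; Secure; HttpOnly',
  'lang=en; Path=/; Max-Age=31536000',
];

console.log(JSON.stringify(auditSetCookies(SAMPLE_HEADERS, ['sid']), null, 2));
```

Only the second header is safe: the first "sid" cookie is still replayed over plain HTTP, and the site needs to serve everything over SSL before that Secure flag can be set without breaking logins.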


In September 2010, Samy Kamkar created a new type of cookie named "evercookie", which also uses HTML5 storage methods. Here's the description of this new type of cookie:

"evercookie is a javascript API available that produces
extremely persistent cookies in a browser. Its goal
is to identify a client even after they've removed standard
cookies, Flash cookies (Local Shared Objects or LSOs), and
others.

evercookie accomplishes this by storing the cookie data in
several types of storage mechanisms that are available on
the local browser. Additionally, if evercookie has found the
user has removed any of the types of cookies in question, it
recreates them using each mechanism available."

This is really interesting on so many levels because it means that any site could use this "evercookie" and always know who you are, even if you took the time to delete your cookies. Of course some users may know how to delete this type of cookie, but most users have no clue how to do it. This is a real concern for users' privacy, but we have yet to see any popular website using this new method of data storage.

If Web 2.0 can't protect its users with SSL, well, I guess we will have to work in the background and release tools that can help protect users' privacy!

That is all for today, I might blog again in a couple days...months? years?!