{"id":97,"date":"2008-02-03T20:15:42","date_gmt":"2008-02-04T04:15:42","guid":{"rendered":"http:\/\/cubist.cs.washington.edu\/Security\/2008\/02\/03\/search-with-a-little-help-from-your-friends-on-social-networks\/"},"modified":"2008-02-03T20:15:42","modified_gmt":"2008-02-04T04:15:42","slug":"search-with-a-little-help-from-your-friends-on-social-networks","status":"publish","type":"post","link":"https:\/\/secblog.cs.washington.edu\/Security\/2008\/02\/03\/search-with-a-little-help-from-your-friends-on-social-networks\/","title":{"rendered":"Search with a little help from your friends (on social networks)"},"content":{"rendered":"<p><a href=\"http:\/\/www.technologyreview.com\/Infotech\/20138\/\">Article<\/a><\/p>\n<p>As most of you know, social networks are rapidly becoming ubiquitous, with hundreds of millions of users between Facebook (62 million), Myspace (&gt;100 million), and Linkedin (&gt;17 million).\u00a0 Naturally, many companies are trying to take advantage of this fact by letting users leverage their social networks, and now we&#8217;re starting to see search engines join the mix.\u00a0 Delver is one of these.<br \/>\n<!--more--><br \/>\nThe title of the referred article sums up the issues nicely, so I&#8217;ll just quote it here: &#8220;A new website will offer personalized search results based on the user&#8217;s social network&#8221;.\u00a0 To clarify, you tell Delver what your name is, and then Delver crawls publicly available information about you (the article gives &#8220;public LinkedIn profile&#8221; as an example).\u00a0 Of course, the amount of public information may be limited, and as such you can actually give Delver login information for these social networking sites so it can login as you and crawl as much information about your friends as it can find to help make your search queries more convenient.\u00a0 How convenient remains to be seen, and more details about this can be found in the article<\/p>\n<p>A service like this is inherently a security hazard.\u00a0 No matter what precautions are taken, the user will still be giving his username and password to a third-party site.\u00a0 This is problematic because with a regular site, an adversary who wants to get login information has three points of attack: the client machine (trojan), the connection (man-in-the-middle), or the server machine (..SQL injection?\/hacking).\u00a0 If you give your information to a third-party site, there are two additional points of attack: the third-party server and the connection between the third-party server and the social networking site.\u00a0 Only the weakest link needs to be vulnerable, and by adding in a third party the number of links is almost doubled.<\/p>\n<p>At first thought this system really didn&#8217;t have a reasonably secure solution, but then I thought of one possibility: a single central service like OpenID.\u00a0 So how is this different from the previous problem?\u00a0 Well, instead of giving your login and username to random-possibly-insecure-cool-gimick-website-A to log in to random-social-network-website-B, you can keep all your login information on one single server that the community trusts to keep under lock and key (and firewall).<\/p>\n<p>There aren&#8217;t any obvious ethical issues here, but there are some possible societal impacts here.\u00a0 Would people care if your friends discovered your posted content not through Facebook&#8217;s search engine, but through the search engine of some other site?\u00a0 Who&#8217;s to say that Delver wouldn&#8217;t cache information from Facebook on their servers to &#8220;enhance&#8221; your experience?\u00a0 What happens if the user&#8217;s friend then chooses to remove a picture from Facebook &#8212; can we trust that Delver will detect this and remove the picture from their cache as well?<\/p>\n<p>Lastly, what will people think?\u00a0 It&#8217;s hard to say.\u00a0 One possibility is that people won&#8217;t care.\u00a0 The odds that this company will become popular enough to become a household name in a tech-savvy house hold is extremely low, just because many specialty search engines do.\u00a0 People might also be angered by the possibility that content that they uploaded to a social networking site for viewing only by their friends may end up in other places as well without their permission.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Article As most of you know, social networks are rapidly becoming ubiquitous, with hundreds of millions of users between Facebook (62 million), Myspace (&gt;100 million), and Linkedin (&gt;17 million).\u00a0 Naturally, many companies are trying to take advantage of this fact &hellip; <a href=\"https:\/\/secblog.cs.washington.edu\/Security\/2008\/02\/03\/search-with-a-little-help-from-your-friends-on-social-networks\/\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":35,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4,9],"tags":[],"class_list":["post-97","post","type-post","status-publish","format-standard","hentry","category-current-events","category-privacy"],"_links":{"self":[{"href":"https:\/\/secblog.cs.washington.edu\/Security\/wp-json\/wp\/v2\/posts\/97","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/secblog.cs.washington.edu\/Security\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/secblog.cs.washington.edu\/Security\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/secblog.cs.washington.edu\/Security\/wp-json\/wp\/v2\/users\/35"}],"replies":[{"embeddable":true,"href":"https:\/\/secblog.cs.washington.edu\/Security\/wp-json\/wp\/v2\/comments?post=97"}],"version-history":[{"count":0,"href":"https:\/\/secblog.cs.washington.edu\/Security\/wp-json\/wp\/v2\/posts\/97\/revisions"}],"wp:attachment":[{"href":"https:\/\/secblog.cs.washington.edu\/Security\/wp-json\/wp\/v2\/media?parent=97"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/secblog.cs.washington.edu\/Security\/wp-json\/wp\/v2\/categories?post=97"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/secblog.cs.washington.edu\/Security\/wp-json\/wp\/v2\/tags?post=97"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}