Wednesday, October 13, 2010

Google's flawed security checklist -- and the right fix from Facebook

I've not seen any official Google admission that account hacking is out of control, but I'm betting my experience is not atypical.

The good news is that Google is doing a (slow) roll-out of two-factor authentication using a pass-token sent by text message. The bad news is that Google's recent security checklist recommends ...
5. "Use a secure connection to sign in. In your Gmail settings, select 'Always use HTTPS.' This setting protects your information from being stolen when you're signing in to Gmail on a public wireless network, like at a cafe or hotel."
I hope it hurt to write that; I hope the author isn't completely numb to corporate evil. Clearly they knew they were dissembling, because they carefully wrote ... on a public wireless network. 

It is true that HTTPS blocks most Wi-Fi interception, but that's not what geeks need to fear. Google doesn't tell us (but I do) that ...
  1. The primary threat from untrusted machines is not Wi-Fi interception, it's keystroke logging.
  2. Any machine running XP, including a corporate machine running current antivirus software, is an untrusted machine.
It's obvious why Google is waffling, which is why they've bumped their evil score. (BTW, they do warn against browser plugins that request Google credentials. That's interesting.)

Ironically, Facebook is seriously evil, but this time they're being the good guy. Maybe that's because keystroke loggers are very common on the XP machines of Facebook's heaviest users. Whatever the reason, Facebook is rolling out a keystroke logger fix using a texted "temporary password" -- ahead of Google.

Facebook has the right fix now, and Google has an inferior solution that's weeks away. Facebook is frank about their keystroke logger problem; Google dissembles.
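To make the threat-model point concrete, here is an added Python sketch (my own illustration, not code from the post, Google or Facebook). It assumes a constructed account and models the situation the post describes: everything the user typed on an untrusted machine is later replayed, first against a password-only login and then against a login that also demands a single-use, short-lived texted token.

```python
import hmac
import secrets
import time

# Constructed sample account; the password is a placeholder, not a real credential.
USERS = {"alice": "correct horse battery staple"}


class StaticPasswordLogin:
    """Login that checks only a long-lived password. Whatever was typed on the
    untrusted machine can be replayed indefinitely; HTTPS does not change that."""

    def login(self, user, typed_password):
        return hmac.compare_digest(USERS.get(user, ""), typed_password)


class TextedTokenLogin:
    """Login that additionally requires a single-use, short-lived token delivered
    out of band (modelled on the texted "temporary password" the post describes)."""

    def __init__(self, ttl_seconds=600, now=time.time):
        self._now = now            # injectable clock so expiry can be tested
        self._ttl = ttl_seconds
        self._issued = {}          # user -> (token, expiry timestamp)

    def send_token(self, user):
        """Stands in for sending an SMS; returns the token so the demo can 'type' it."""
        token = "".join(secrets.choice("0123456789") for _ in range(8))
        self._issued[user] = (token, self._now() + self._ttl)
        return token

    def login(self, user, typed_password, typed_token):
        if not hmac.compare_digest(USERS.get(user, ""), typed_password):
            return False
        issued = self._issued.pop(user, None)   # consume: one attempt, one use
        if issued is None:
            return False                        # nothing outstanding, or already used
        token, expiry = issued
        if self._now() > expiry:
            return False                        # temporary password has lapsed
        return hmac.compare_digest(token, typed_token)


def replay_demo():
    """Assume everything typed was captured. Returns
    (static_replay_succeeds, token_first_use_succeeds, token_replay_succeeds)."""
    static = StaticPasswordLogin()
    captured_pw = USERS["alice"]
    static_replay_ok = static.login("alice", captured_pw)

    texted = TextedTokenLogin()
    captured_token = texted.send_token("alice")
    first_ok = texted.login("alice", captured_pw, captured_token)
    replay_ok = texted.login("alice", captured_pw, captured_token)
    return static_replay_ok, first_ok, replay_ok
```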

Mirror world!
