What do these two topics have in common? More than you might think.

The obvious is that neither has arrived yet.
There is no proof of existence of either; you have to take it on faith.
Neither will be here tomorrow… take my word for that.

A story at http://www.reuters.com/article/2011/05/23/uk-linkedin-security-idUSLNE74M02820110523 explains how poor security practices at LinkedIn allow someone who steals a cookie from your computer to log in as you, potentially for up to a year.

There are two aspects to the problem. First, LinkedIn set the cookies to expire in a year. That is a very long time for a cookie that grants login to stay valid: anyone who copies it has that long to use it. The second problem is that the cookie is not protected by encryption in transit, which suggests that nobody at LinkedIn is paying attention to security at all.

The real irony is that you would figure the CEO, CTO, or CIO of LinkedIn would know how to network with at least a few of the numerous security experts that use the site, but alas that hasn’t happened.

In fact, you would think that somebody at LinkedIn would have learned from Firesheep, but no: after login, sessions are still carried over plain HTTP rather than HTTPS, so the login cookie crosses the network in the clear with every request. According to the Reuters article, LinkedIn claims to take customer security seriously, but its actions speak louder than its words. LinkedIn also claims to be boosting security in the coming months, but July 2025 is a coming month too.
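The two weaknesses described above, a login cookie that lives for a year and one the browser will happily send over plain HTTP, both show up in the Set-Cookie header a site returns at login. Below is an added example, not code from the original post or from LinkedIn, that audits a Set-Cookie header for exactly those properties (a lifetime longer than a login token needs, and a missing Secure flag, which is what permits HTTP transmission) and additionally for a missing HttpOnly flag. The cookie name "session", the one-day threshold, the fixed "now" date, and the three sample headers are constructed for illustration; the weak sample mirrors the post's description.

```python
"""Audit Set-Cookie headers for the weaknesses the post describes: a login
cookie that stays valid for a year, and one the browser will send over plain
HTTP because the Secure flag is absent. Added example, not LinkedIn's code."""
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

# Assumption: a login token that lives longer than a day deserves a finding.
MAX_SESSION_LIFETIME = timedelta(days=1)

# Constructed samples. The cookie name "session" is hypothetical.
# The weak one mirrors the post: one-year lifetime and no Secure flag.
WEAK_COOKIE = "session=abc123; Path=/; Max-Age=31536000"
EXPIRES_COOKIE = "session=abc123; Path=/; Expires=Tue, 22 May 2012 00:00:00 GMT"
HARDENED_COOKIE = "session=abc123; Path=/; Max-Age=3600; Secure; HttpOnly; SameSite=Lax"
# Fixed "now" (the article's date) so the Expires check is reproducible.
NOW = datetime(2011, 5, 23, tzinfo=timezone.utc)


def parse_set_cookie(header):
    """Split a Set-Cookie header into name, value, key=value attributes and bare flags."""
    first, *rest = [part.strip() for part in header.split(";")]
    name, _, value = first.partition("=")
    attrs, flags = {}, set()
    for part in rest:
        if not part:
            continue
        key, sep, val = part.partition("=")
        if sep:
            attrs[key.strip().lower()] = val.strip()
        else:
            flags.add(key.strip().lower())
    return name.strip(), value, attrs, flags


def cookie_lifetime(attrs, now):
    """Remaining lifetime as a timedelta, or None for a session cookie.
    Max-Age takes precedence over Expires, as in RFC 6265."""
    if "max-age" in attrs:
        return timedelta(seconds=int(attrs["max-age"]))
    if "expires" in attrs:
        expires = parsedate_to_datetime(attrs["expires"])
        if expires.tzinfo is None:  # defensive: treat a naive date as UTC
            expires = expires.replace(tzinfo=timezone.utc)
        return expires - now
    return None


def audit_cookie(header, now=None):
    """Return a list of (code, message) findings for one Set-Cookie header."""
    now = now or datetime.now(timezone.utc)
    name, _, attrs, flags = parse_set_cookie(header)
    findings = []
    lifetime = cookie_lifetime(attrs, now)
    if lifetime is not None and lifetime > MAX_SESSION_LIFETIME:
        findings.append(("long-lived",
                         f"{name}: valid for {lifetime.days} days; a stolen copy works that long"))
    if "secure" not in flags:
        findings.append(("no-secure",
                         f"{name}: no Secure flag, so the browser sends it over plain HTTP too"))
    if "httponly" not in flags:
        findings.append(("no-httponly",
                         f"{name}: no HttpOnly flag, so page scripts can read it"))
    return findings


if __name__ == "__main__":
    for label, header in (("weak", WEAK_COOKIE), ("expires", EXPIRES_COOKIE),
                          ("hardened", HARDENED_COOKIE)):
        print(label, audit_cookie(header, now=NOW) or "no findings")
```

Run against the weak sample the audit reports all three findings; the hardened sample, with a one-hour Max-Age plus Secure and HttpOnly, reports none. The Secure flag is the check that matters for the Firesheep-style attack: without it the browser attaches the cookie to every http:// request, and the Secure flag alone does not fix a site that serves its logged-in pages over HTTP in the first place.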

For the time being, if you want to use LinkedIn safely then you need to be sure you delete the cookies when you close your browser and never, ever, ever use LinkedIn on an unsecured wireless network. Deleting the cookies only protects against someone copying them from your computer; a copy captured on the wire stays usable until it expires or LinkedIn invalidates it. Unsecured wireless networks include your home Wi-Fi if you are not using WPA2 encryption at home.

Randy Abrams
Director of Technical Education
Cyber Threat Analysis Center
ESET North America