Indeed, Gmail made end-to-end encryption its default mode in January 2010. Facebook began to offer the same protection as an opt-in security feature last month, though it is so far available only to a small percentage of users and has limitations. For example, it doesn’t work with many third-party applications.
“It’s worth noting that Facebook took this step, but it’s too early to congratulate them,” said Mr. Butler, who is frustrated that “https” is not the site’s default setting. “Most people aren’t going to know about it or won’t think it’s important or won’t want to use it when they find out that it disables major applications.”
Joe Sullivan, chief security officer at Facebook, said the company was engaged in a “deliberative rollout process,” to assess and address any unforeseen difficulties. “We hope to have it available for all users in the next several weeks,” he said, adding that the company was also working to address problems with third-party applications and to make “https” the default setting.
Many Web sites offer some support for encryption via “https,” but they make it difficult to use. To address these problems, the Electronic Frontier Foundation in collaboration with the Tor Project, another group concerned with Internet privacy, released in June an add-on to the browser Firefox, called Https Everywhere. The extension, which can be downloaded at eff.org/https-everywhere, makes “https” the stubbornly unchangeable default on all sites that support it.
Since not all Web sites have “https” capability, Bill Pennington, chief strategy officer with the Web site risk management firm WhiteHat Security in Santa Clara, Calif., said: “I tell people that if you’re doing things with sensitive data, don’t do it at a Wi-Fi hot spot. Do it at home.”
But home wireless networks may not be all that safe either, because of free and widely available Wi-Fi cracking programs like Gerix WiFi Cracker, Aircrack-ng and Wifite. The programs work by faking legitimate user activity to collect a series of so-called weak keys or clues to the password. The process is wholly automated, said Mr. Kitchen at Hak5, allowing even techno-ignoramuses to recover a wireless router’s password in a matter of seconds. “I’ve yet to find a WEP-protected network not susceptible to this kind of attack,” Mr. Kitchen said.
A WEP-encrypted password (for wired equivalent privacy) is not as strong as a WPA (or Wi-Fi protected access) password, so it’s best to use a WPA password instead. Even so, hackers can use the same free software programs to get on WPA password-protected networks as well. It just takes much longer (think weeks) and more computer expertise.
Using such programs along with high-powered Wi-Fi antennas that cost less than $90, hackers can pull in signals from home networks two to three miles away. There are also some computerized cracking devices with built-in antennas on the market, like WifiRobin ($156). But experts said they were not as fast or effective as the latest free cracking programs, because the devices worked only on WEP-protected networks.