Security requirements in social networks

An interesting post about an exploit in some forum software causing medical harm to epileptics. That got me thinking about social networks generally as a security domain. As with voting, you have to understand the security environment before you can determine the security requirements. Users of new social networks have a wild array of choices, from reasonably well authenticated and community policed sites like LinkedIn to much more pseudonymous arenas such as IRC and ICQ.

The Off the Record tool from http://www.cypherpunks.ca/otr/ is a recommended example of a security utility for social network users. It enables a private conversation with another party, enforced by cryptographic means. From their site, the utility offers:

Encryption: No one else can read your instant messages.
Authentication: You are assured the correspondent is who you think it is.
Deniability: The messages you send do not have digital signatures that are checkable by a third party. Anyone can forge messages after a conversation to make them look like they came from you. However, during a conversation, your correspondent is assured the messages he sees are authentic and unmodified.
Perfect forward secrecy: If you lose control of your private keys, no previous conversation is compromised.

Finally, it’s licensed under the LGPL so it is free for use.
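How authentication and deniability can hold at the same time is easiest to see in a simplified model, added here as an example and not taken from the OTR code or protocol: messages are authenticated with an HMAC under a key that both parties hold, instead of a digital signature. The function names, the message encoding and the sample messages are constructed for illustration.

```python
import hashlib
import hmac
import secrets


def tag(mac_key: bytes, sender: str, message: str) -> bytes:
    """Authenticate (sender, message) with a key that BOTH parties hold."""
    data = sender.encode() + b"\x00" + message.encode()
    return hmac.new(mac_key, data, hashlib.sha256).digest()


def verify(mac_key: bytes, sender: str, message: str, t: bytes) -> bool:
    """Constant-time check that t is the tag for (sender, message)."""
    return hmac.compare_digest(tag(mac_key, sender, message), t)


def demo() -> dict:
    # Constructed session: Alice and Bob agreed on this key for the chat.
    mac_key = secrets.token_bytes(32)

    # During the conversation Bob checks a message Alice really sent.
    real_tag = tag(mac_key, "alice", "meet at noon")
    authentic_to_bob = verify(mac_key, "alice", "meet at noon", real_tag)

    # Someone without the key cannot change the text and keep a valid tag.
    tampered_rejected = not verify(mac_key, "alice", "meet at 1pm", real_tag)

    # Afterwards, anyone holding the key (Bob included) can produce a
    # message "from Alice" that passes the very same check.
    forged_tag = tag(mac_key, "alice", "I never said this")
    forgery_verifies = verify(mac_key, "alice", "I never said this", forged_tag)

    # A third party shown the log cannot tell the real entry from the forged
    # one: both verify, and neither binds Alice the way a signature would.
    return {
        "authentic_to_bob": authentic_to_bob,
        "tampered_rejected": tampered_rejected,
        "forgery_verifies": forgery_verifies,
    }


if __name__ == "__main__":
    print(demo())
```

Bob can trust a tag during the chat because he knows he did not create it himself; a third party has no such knowledge, so a saved transcript proves nothing about who wrote it.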
