Do large companies follow encryption best practices?
Posted on 25 November 2013.
Following last month’s revelations of the existence of the MUSCULAR program, in which the NSA and the British GCHQ have collaborated in tapping the overseas fiber-optic cables used by Google and Yahoo to exchange data stored in their many data centers in the US and abroad, the Electronic Frontier Foundation has urged Internet companies to implement additional security measures to help restore users’ trust.

The measures include: encrypting traffic between their datacenters, enabling HTTPS by default, enabling the STARTTLS e-mail encryption protocol (for Web mail companies), implementing forward secrecy, and fighting surveillance in court and Congress.

“By enabling encryption across their networks, service providers can make backdoor surveillance more challenging, requiring the government to go to courts and use legal process,” noted the EFF. “While Lavabit’s travails have shown how difficult that can be for service providers, at least there was the opportunity to fight back in court.”

Last week, the organization released its “Encrypt the Web” report to reflect the changes recently made by a number of companies in that regard, and the results are as follows:


“We’re pleased to see that four companies—Dropbox, Google, SpiderOak and Sonic.net—are implementing five out of five of our best practices for encryption,” says the EFF. “In addition, we appreciate that Yahoo! just announced several measures it plans to take to increase encryption, including the very critical encryption of data center links, and that Twitter has confirmed that it has encryption of data center links in progress.”

Others, like Facebook and Twitter, are very close to checking all the boxes. Unfortunately, some of the companies haven’t responded to the survey, and the EFF couldn’t independently discover and confirm whether they are doing something about it.









COPYRIGHT 1998-2014 BY HELP NET SECURITY.