Facebook, Twitter, and WordPress have failed a security exam conducted by "security think tank" Digital Society, highlighting old vulnerabilities most recently displayed by the spread of Firesheep.
Gmail and WordPress, which use an encryption and identification process known as SSL, received A’s. Google scored a C, Yahoo and Amazon received a C-, and Hotmail and Flickr received a D-.
The main reason Twitter and Facebook failed is that neither uses complete SSL authentication, according to the report. In other words, a user cannot tell whether the login page they believe they are visiting is actually being served over plain HTTP. WordPress without SSL, the free version commonly used by personal bloggers, also lacked SSL authentication for logins.
A Facebook spokesman said the company has "been making progress testing SSL access across Facebook and hope to provide it as an option in the coming months."
The report, however, "fails to include many important security metrics that place Facebook as a leader in this industry and doesn’t even mention many of the unique security features we offer to make accounts more secure such as login notification, remote session management, one-time passwords and internal spam prevention systems," Facebook continued.
George Ou, a policy director at Digital Society and author of the report card, said "the vulnerability and easy exploitation [of] online services have been well known since 2007, [but] the lack of mainstream tech media coverage has allowed the online industry to sweep the problem under the rug for the past 3 years."
In January, Google announced that it would encrypt Gmail at all times, not just during sign-on, and make the process an opt-out feature rather than opt-in, likely contributing to its A grade.
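The distinction the report draws, between sites that protect only the sign-on step and Gmail's "encrypted at all times" approach, shows up directly in HTTP response headers: a session cookie issued without the Secure attribute is sent in the clear on every later plain-HTTP request, and a site that does not redirect HTTP to HTTPS keeps handing out such requests. The following checker is an added example written for this article, not code from Digital Society's report or from any of the sites graded. It audits constructed response headers (the sample responses and the hostname mail.example.test are made up) for those two symptoms, and goes one step beyond the article by also checking for the Strict-Transport-Security header, which tells browsers never to use plain HTTP for the site again.

```python
"""Audit HTTP response headers for the 'SSL at sign-on only' failure mode.

Added example: the sample responses below are constructed for illustration
and do not come from any real site mentioned in the article.
"""


def parse_headers(raw):
    """Parse a raw response (status line plus headers) into (status, [(name, value)])."""
    lines = raw.strip().splitlines()
    status = int(lines[0].split()[1])          # e.g. "HTTP/1.1 301 Moved Permanently" -> 301
    headers = []
    for line in lines[1:]:
        if not line.strip():                    # blank line ends the header block
            break
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return status, headers


def audit_response(raw, served_over_https):
    """Return a list of findings; an empty list means the response passes.

    served_over_https: whether the request that produced this response used HTTPS.
    """
    status, headers = parse_headers(raw)
    values = lambda name: [v for k, v in headers if k == name]
    findings = []

    # 1. A plain-HTTP request should be redirected to the HTTPS site, not answered.
    if not served_over_https:
        location = values("location")
        redirected = (status in (301, 302, 307, 308)
                      and location
                      and location[0].lower().startswith("https://"))
        if not redirected:
            findings.append("plain HTTP not redirected to HTTPS")

    # 2. Every cookie must carry Secure, or the browser will send it over HTTP
    #    on later requests (the exposure Firesheep-style sniffing relies on).
    for cookie in values("set-cookie"):
        attrs = [a.strip().lower() for a in cookie.split(";")]
        name = attrs[0].split("=", 1)[0]
        if "secure" not in attrs:
            findings.append(f"cookie {name} lacks Secure flag")

    # 3. On HTTPS responses, HSTS keeps the browser from ever falling back to HTTP.
    if served_over_https and not values("strict-transport-security"):
        findings.append("no Strict-Transport-Security header")

    return findings


# Constructed sample: post-login page served over plain HTTP, session cookie unprotected.
LOGIN_ONLY_SSL = """HTTP/1.1 200 OK
Content-Type: text/html
Set-Cookie: session_id=abc123; Path=/; HttpOnly
"""

# Constructed sample: HTTP request to an "SSL at all times" site gets redirected.
FULL_SSL_HTTP = """HTTP/1.1 301 Moved Permanently
Location: https://mail.example.test/
"""

# Constructed sample: the HTTPS side of the same site.
FULL_SSL_HTTPS = """HTTP/1.1 200 OK
Strict-Transport-Security: max-age=31536000
Set-Cookie: session_id=abc123; Path=/; Secure; HttpOnly
"""

# Constructed sample: HTTPS response with a Secure cookie but no HSTS.
HTTPS_NO_HSTS = """HTTP/1.1 200 OK
Set-Cookie: session_id=abc123; Path=/; Secure; HttpOnly
"""


if __name__ == "__main__":
    for label, raw, https in [("login-only SSL (HTTP page)", LOGIN_ONLY_SSL, False),
                              ("full SSL (HTTP request)", FULL_SSL_HTTP, False),
                              ("full SSL (HTTPS request)", FULL_SSL_HTTPS, True),
                              ("HTTPS without HSTS", HTTPS_NO_HSTS, True)]:
        print(label, "->", audit_response(raw, https) or "pass")
```

Run against a live site, the same function would take the raw headers of an HTTP request to the front page and of an HTTPS request to a post-login page; the findings list for the first sample is exactly the condition the report card marks as a failing grade.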
Microsoft, meanwhile, told Ou that it will default its Hotmail to SSL browsing this month.
Ou promised to create an online service report card that will be updated over time. For more details, see his full report.