Google+ security attracts praise and criticism
Security researchers Shah Mahmood and Yvo Desmedt of University College London (UCL) have subjected Google+ to a first IT security analysis, focusing mainly on privacy. The results, which are still preliminary, are mixed: on the one hand, the researchers commend new functions that improve networking security among friends; on the other, they highlight several potentially problematic details.
The new network has been a great success, having already attracted 40 million users. But Google's previous attempts at establishing a social network to compete with Facebook have caused privacy concerns. For example, the Google Buzz service, which was similar to Twitter and has now been discontinued, initially simply took a user's Gmail contacts and automatically added them to the user's friend list. In one case, this allowed a woman's violent ex-husband to re-establish contact. Consequently, data protection was a major concern when Google+ was launched in June.
Among these concerns is the way Google+ currently handles images. Mahmood and Desmedt demonstrate that photos uploaded to the network retain their metadata, and they say that the service doesn't inform users about this. Another problem area identified by the researchers is the Google+ "About" section. There, Google apparently prompts users to list previous addresses, previous names, and their maiden name. The researchers said that this information could be particularly useful to identity thieves. For example, if a user's mother could be identified and she had entered her maiden name, then the user would have unwittingly disclosed the answer to a common security question.
Mahmood and Desmedt commended the fact that Google+ uses SSL encryption by default for the entire Google+ network connection. Facebook uses this encryption only for its login page unless a user explicitly enables the security feature. The researchers therefore concluded that Google+ sessions offer better protection against "Man-in-the-Middle" attacks.