Editor’s Note: Since we issued this post, Bishop Fox has extensively tested LinkedIn Intro and clarified a few of their earlier assumptions. You can see Bishop Fox’s post here.
This blog post is intended to provide more information and address inaccurate assertions that have been made as a result of a product we launched on Wednesday called LinkedIn Intro. Many things have been said about the product implementation that are not correct or are purely speculative, so this post is intended to clear up these inaccuracies and misperceptions.
When the LinkedIn Security team was presented with the core design of Intro, we made sure we built the most secure implementation we believed possible. We explored numerous threat models and constantly challenged each other to consider possible threat scenarios. Here are some of the actions we took in advance of the launch:
- We isolated Intro in a separate network segment and implemented a tight security perimeter across trust boundaries.
- We performed hardening of the externally and internally-facing services and reduced exposure to third-party monitoring services and tracking.
- We also had iSEC Partners, a well-respected security consultancy, perform a line-by-line code review of the credential handling and mail parsing/insertion code.
- Our internal team of experienced testers also penetration-tested the final implementation, and we worked closely with the Intro team to make sure identified vulnerabilities were addressed.
- We made sure we have the right monitoring in place to detect any potential attacks, react quickly, and immediately minimize exposure.
- All communications use SSL/TLS at each point of the email flow between the device, LinkedIn Intro, and the third-party mail system. When mail flows through the LinkedIn Intro service, we make sure we never persist the mail contents to our systems in an unencrypted form. And once the user has retrieved the mail, the encrypted content is deleted from our systems.
- We worked to help ensure that the impact of the iOS profile is not obtrusive to the member. It’s important to note that we simply add an email account that communicates with Intro. The profile also sets up a certificate to communicate with the Intro web endpoint through a web shortcut on the device. We do not change the device’s security profile in the manner described in a blog post that was authored by security firm Bishop Fox on Thursday.
After having been a member of the security community for more than 15 years, I understand that healthy skepticism and speculation towards worst-case scenarios are an important part of the security discipline; however, we felt, in this case, it was necessary to correct the misperceptions. We welcome and encourage an open dialogue about the risks that are present in all Internet-based services that handle electronic mail and other sensitive data.